[Snort-users] Load alerts read from file to database

Paul Li paul at ...17768...
Mon Feb 6 18:28:37 EST 2017


Thanks Al for the hints. Much appreciated. After Snort reads a file, all
the alerts are in a snort.log.xxxxx file. I tried to set up barnyard2 to read
snort.log as the base from the command line, as follows:

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log
-w /var/log/snort/barnyard2.waldo -g snort-user -u snort-pass

But it looks like barnyard2 is still reading the snort.u2 base file. Here are
the messages copied and pasted from the console:

------console output-----
Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1486185613
    record_idx      = 0
Opened spool file '/var/log/snort/snort.u2.1486185613'
....
------console output end-----

I tried to edit barnyard2.waldo, but it looks like it's a binary file. Is there
a way to make barnyard2 read snort.log.xxxxx instead of snort.u2.xxxxx?


Thanks,

Paul



On Sat, Feb 4, 2017 at 6:10 PM, Al Lewis (allewi) <allewi at ...589...> wrote:

> Are the alert files in unified2 format?
>
> You may want to look here for some more info on barnyard.
>
> https://github.com/firnsy/barnyard2
> https://github.com/firnsy/barnyard2/tree/master/doc
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi at ...589...
>
> From: Paul Li <paul at ...17768...>
> Date: Saturday, February 4, 2017 at 1:05 AM
> To: 'snort-users' <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Load alerts read from file to database
>
> I'm using Snort to read a file and Snort generates alerts. But when I tried
> using Barnyard2 to load these alerts into the database, no alerts were loaded.
> Is there any configuration I should change to make it work, or does Barnyard2
> not support loading alerts from files?
>
> (When Snort generates alerts from monitoring a network interface,
> Barnyard successfully loads alerts into the database.)
>
> Thanks,
> Paul
>
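A small decoder for the binary waldo bookmark file, added here as an example; it is not code from the thread or from barnyard2. It assumes the file is the raw WaldoData struct from barnyard2's src/spooler.h (two fixed-width char arrays of MAX_FILEPATH_BUF bytes, then two native-endian uint32 fields) and that MAX_FILEPATH_BUF is 1024; the sample record is constructed to match the console output above.

```python
"""Decode a barnyard2 waldo (bookmark) file to see which spool file it resumes from.

Layout assumed from barnyard2's WaldoData struct (src/spooler.h):
char spool_dir[MAX_FILEPATH_BUF], char spool_filebase[MAX_FILEPATH_BUF],
uint32_t timestamp, uint32_t record_idx, written in host byte order.
"""
import struct

MAX_FILEPATH_BUF = 1024  # assumed value of barnyard2's MAX_FILEPATH_BUF
WALDO = struct.Struct("@%ds%dsII" % (MAX_FILEPATH_BUF, MAX_FILEPATH_BUF))


def _cstr(raw):
    """Decode a NUL-terminated fixed-width C char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_waldo(data):
    """Return the bookmark fields; raise ValueError if the record size is wrong."""
    if len(data) != WALDO.size:
        raise ValueError("waldo is %d bytes, expected %d" % (len(data), WALDO.size))
    spool_dir, filebase, timestamp, record_idx = WALDO.unpack(data)
    return {"spool_dir": _cstr(spool_dir), "spool_filebase": _cstr(filebase),
            "timestamp": timestamp, "record_idx": record_idx}


def spool_path(waldo):
    """The spool file barnyard2 reopens from this bookmark (dir/filebase.timestamp)."""
    return "%s/%s.%d" % (waldo["spool_dir"], waldo["spool_filebase"], waldo["timestamp"])


def filebase_mismatch(waldo, requested):
    """True when the bookmarked filebase is not the one requested with -f."""
    return waldo["spool_filebase"] != requested


def build_waldo(spool_dir, filebase, timestamp, record_idx):
    """Pack a waldo record; struct pads the char arrays with NULs."""
    return WALDO.pack(spool_dir.encode(), filebase.encode(), timestamp, record_idx)


# Constructed sample matching the console output in the thread, not a real file.
SAMPLE = build_waldo("/var/log/snort", "snort.u2", 1486185613, 0)

if __name__ == "__main__":
    w = parse_waldo(SAMPLE)  # for a real file: parse_waldo(open(path, "rb").read())
    for key, value in w.items():
        print("%-15s = %s" % (key, value))
    print("would reopen:", spool_path(w))
    if filebase_mismatch(w, "snort.log"):
        print("bookmark filebase differs from the requested 'snort.log'")
```

Run it against /var/log/snort/barnyard2.waldo to compare the filebase barnyard2 bookmarked with the one passed via -f.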