[Snort-users] Load alerts read from file to database

Paul Li paul at ...17768...
Mon Feb 6 22:31:37 EST 2017


Hi Al,

Just read the barnyard2 configuration file's comments again: it looks like
barnyard2 supports only u2 files. The issue on my side looks like no u2
files were generated, only log files. I reinstalled barnyard2. Now both u2
and log files are generated.

Thanks again!

Paul
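As an added example (not from this thread or from the barnyard2 project), a small Python check that walks the record headers of a spool file and reports whether it is actually unified2 or a packet-capture style snort.log.* file. It assumes the record layouts from Snort's Unified2_common.h (type 7 IDS event, 52-byte body) and uses constructed sample bytes.

```python
import struct
import sys

# unified2 record types as defined in Snort's Unified2_common.h
U2_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
            104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}
# Unified2IDSEvent (type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes, network order
IDS_EVENT_FMT = "!IIIIIIIIIIIHHBBBB"
# libpcap magic numbers (both byte orders, classic and nanosecond variants)
PCAP_MAGICS = {0xa1b2c3d4, 0xd4c3b2a1, 0xa1b23c4d, 0x4d3cb2a1}

def scan_unified2(data):
    """Return a list of (type_name, body) records, or None if the bytes are
    not a well-formed unified2 spool (pcap magic, unknown type, truncation)."""
    if len(data) >= 4 and struct.unpack("!I", data[:4])[0] in PCAP_MAGICS:
        return None  # packet capture (snort.log.*), not a u2 spool file
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack("!II", data[off:off + 8])
        if rtype not in U2_TYPES or off + 8 + rlen > len(data):
            return None  # unknown record type or record runs past end of file
        records.append((U2_TYPES[rtype], data[off + 8:off + 8 + rlen]))
        off += 8 + rlen
    return records if off == len(data) else None

def parse_ids_event(body):
    """Decode the fields an operator checks first from a type 7 event body."""
    f = struct.unpack(IDS_EVENT_FMT, body)
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8]}

# Constructed sample data (not captured from a real sensor)
SAMPLE_EVENT = struct.pack(IDS_EVENT_FMT, 1, 42, 1486185613, 0, 1000001, 1, 1, 0, 2,
                           0x0a000001, 0x0a000002, 12345, 80, 6, 0, 0, 0)
SAMPLE_U2 = struct.pack("!II", 7, len(SAMPLE_EVENT)) + SAMPLE_EVENT
SAMPLE_PCAP = struct.pack("!IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_U2
    recs = scan_unified2(data)
    if recs is None:
        print("not a unified2 spool file (barnyard2 will not read it)")
    else:
        for name, body in recs:
            print(name, parse_ids_event(body) if name == "IDS_EVENT" else len(body))
```

Run it against a snort.u2.* file to see its records, or against a snort.log.* file to confirm it is a packet capture that barnyard2 cannot process.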

On Mon, Feb 6, 2017 at 6:28 PM, Paul Li <paul at ...17768...> wrote:

> Thanks Al for the hints. Much appreciated.  After Snort read a file, all
> the alerts are in a snort.log.xxxxx file. I tried to set up barnyard2 to read
> snort.log as the base from the command line as follows:
>
> sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log
> -w /var/log/snort/barnyard2.waldo -g snort-user -u snort-pass
>
> But it looks like barnyard2 is still reading the snort.u2 base file. Here's
> a copy and paste of the messages from the console:
>
> ------console output-----
>
> Using waldo file '/var/log/snort/barnyard2.waldo':
>
>     spool directory = /var/log/snort
>
>     spool filebase  = snort.u2
>
>     time_stamp      = 1486185613
>
>     record_idx      = 0
>
> Opened spool file '/var/log/snort/snort.u2.1486185613'
>
> ....
>
> ------console output end-----
>
> Tried to edit barnyard2.waldo, but looks like it's a binary file. Is
> there a way to make barnyard2 read snort.log.xxxxx instead of
> snort.u2.xxxxx?
>
>
> Thanks,
>
> Paul
>
>
>
> On Sat, Feb 4, 2017 at 6:10 PM, Al Lewis (allewi) <allewi at ...589...>
> wrote:
>
>> Are the alert files in unified2 format?
>>
>> You may want to look here for some more info on barnyard.
>>
>> https://github.com/firnsy/barnyard2
>>
>>
>> https://github.com/firnsy/barnyard2/tree/master/doc
>>
>>
>>
>> Albert Lewis
>>
>> ENGINEER.SOFTWARE ENGINEERING
>>
>> SOURCEfire, Inc. now part of Cisco
>>
>> Email: allewi at ...589...
>>
>> From: Paul Li <paul at ...17768...>
>> Date: Saturday, February 4, 2017 at 1:05 AM
>> To: 'snort-users' <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] Load alerts read from file to database
>>
>> I'm using Snort to read a file and Snort generates alerts. But when I tried
>> using Barnyard2 to load these alerts into the database, no alerts were loaded.
>> Is there any configuration I should change to make it work, or does Barnyard2
>> not support loading alerts from files?
>>
>> (When Snort generates alerts from monitoring a networking interface,
>> Barnyard successfully loaded alerts to the database.)
>>
>> Thanks,
>> Paul
>>
>
>