[Snort-users] Load alerts read from file to database

Tural Aghazada agazade.tural at ...11827...
Tue Feb 7 02:26:22 EST 2017


Hello,

Please remove me from the email listing. It's filling up my mailbox too
much and too fast.

Thanks

Best Regards,

Tural

Tural Aghazada   CEO
Aghazada MMC
m: +994558715919 a: Baku,Azerbaijan
s: www.aghazada.info e: tural at ...17781...
<https://twitter.com/aghazada_tural>
<https://www.linkedin.com/in/tural-aghazada-02443736>



On Tue, Feb 7, 2017 at 7:31 AM, Paul Li <paul at ...17768...> wrote:

> Hi Al,
>
> Just read the barnyard2 configuration file's comments again: it looks like
> barnyard2 supports only u2 files. The issue on my side looks like it was that no
> u2 files were generated, only log files. I reinstalled
> barnyard2. Now both u2 and log files were generated.
>
> Thanks again!
>
> Paul
>
> On Mon, Feb 6, 2017 at 6:28 PM, Paul Li <paul at ...17768...> wrote:
>
>> Thanks Al for the hints. Much appreciated. After Snort reads a file, all
>> the alerts are in a snort.log.xxxxx file. I tried to set up barnyard2 to read
>> snort.log as the base from the command line as follows:
>>
>> sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -g snort-user -u snort-pass
>>
>> But it looks like barnyard2 is still reading the snort.u2 base file. Here's
>> a copy and paste of the messages from the console:
>>
>> ------console output-----
>>
>> Using waldo file '/var/log/snort/barnyard2.waldo':
>>     spool directory = /var/log/snort
>>     spool filebase  = snort.u2
>>     time_stamp      = 1486185613
>>     record_idx      = 0
>> Opened spool file '/var/log/snort/snort.u2.1486185613'
>> ....
>>
>> ------console output end-----
>>
>> Tried to edit barnyard2.waldo, but it looks like it's a binary file. Is
>> there a way to make barnyard2 read snort.log.xxxxx instead of
>> snort.u2.xxxxx?
>>
>>
>> Thanks,
>>
>> Paul
>>
>>
>>
>> On Sat, Feb 4, 2017 at 6:10 PM, Al Lewis (allewi) <allewi at ...589...>
>> wrote:
>>
>>> Are the alert files in unified2 format?
>>>
>>> You may want to look here for some more info on barnyard.
>>>
>>> https://github.com/firnsy/barnyard2
>>>
>>>
>>> https://github.com/firnsy/barnyard2/tree/master/doc
>>>
>>>
>>>
>>> *Albert Lewis*
>>>
>>> ENGINEER.SOFTWARE ENGINEERING
>>>
>>> SOURCE*fire*, Inc. now part of *Cisco*
>>>
>>> Email: allewi at ...589...
>>>
>>> From: Paul Li <paul at ...17768...>
>>> Date: Saturday, February 4, 2017 at 1:05 AM
>>> To: 'snort-users' <snort-users at lists.sourceforge.net>
>>> Subject: [Snort-users] Load alerts read from file to database
>>>
>>> I'm using Snort to read a file and Snort generates alerts. But when I
>>> tried using Barnyard2 to load these alerts into the database, no alerts were loaded.
>>> Is there any configuration I should change to make it work, or does Barnyard2
>>> not support loading alerts from files?
>>>
>>> (When Snort generates alerts from monitoring a networking interface,
>>> Barnyard successfully loaded alerts to the database.)
>>>
>>> Thanks,
>>> Paul
>>>
>>
>>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
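An added example to make the distinction in the thread concrete; this is not code from Snort, barnyard2 or anyone on the list. barnyard2's spool reader only understands unified2 records, so pointing `-f` at a snort.log.<timestamp> file cannot work, whatever the waldo file says. The script below sniffs a spool file's format, walks the unified2 records in a real one, and stops cleanly at a partial trailing record (the normal state of a file Snort is still appending to, and the reason a reader must not skip ahead). Assumptions, repeated in the code: that snort.log.<timestamp> from Snort's default packet logger is a pcap file (magic 0xa1b2c3d4 in either byte order); that unified2 records carry a big-endian (type, length) header; that type 7 is the 52-byte legacy IPv4 IDS event and type 2 a packet record with a 28-byte header; the sample bytes, the 10.0.0.0/8 addresses, the SID and the timestamp are constructed for the demonstration.

```python
"""Sniff a Snort spool file's format and walk unified2 records.

Added example for the thread above; not Snort's or barnyard2's own code.
Assumptions: snort.log.<ts> from Snort's default packet logger is pcap;
unified2 records are a big-endian (type, length) header plus body; type 7
is the 52-byte legacy IPv4 IDS event; type 2 is a packet record with a
28-byte header followed by packet_length bytes of packet data.
"""
import struct
from ipaddress import IPv4Address

U2_PACKET = 2          # Serial_Unified2Packet
U2_IDS_EVENT = 7       # Unified2IDSEvent (legacy IPv4)
KNOWN_U2_TYPES = {2, 7, 72, 104, 105, 110}  # packet, event, event_ipv6, event_v2, event_ipv6_v2, extra_data

PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",   # microsecond pcap, either byte order
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}   # nanosecond pcap

IDS_EVENT_FMT = "!11I2H4B"   # 52 bytes: ids, seconds, sid/gid/rev, class, prio, src, dst, ports, proto, flags
PACKET_HDR_FMT = "!7I"        # 28 bytes: sensor_id, event_id, event_second, pkt_second, pkt_usec, linktype, length


def sniff_format(data):
    """Classify spool-file bytes as 'pcap', 'unified2', 'empty' or 'unknown'."""
    if not data:
        return "empty"
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if len(data) >= 8:
        rtype, rlen = struct.unpack_from("!II", data, 0)
        if rtype in KNOWN_U2_TYPES and rlen <= len(data) - 8:
            return "unified2"
    return "unknown"


def parse_unified2(data):
    """Return (records, leftover): decoded records and the byte count of a
    partial trailing record, which is normal while Snort is still writing."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        end = off + 8 + rlen
        if end > len(data):
            break                       # incomplete record: stop here, do not skip past it
        body = data[off + 8:end]
        if rtype == U2_IDS_EVENT and len(body) == struct.calcsize(IDS_EVENT_FMT):
            f = struct.unpack(IDS_EVENT_FMT, body)
            records.append({"type": "event", "event_id": f[1], "event_second": f[2],
                            "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                            "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
                            "sport": f[11], "dport": f[12], "proto": f[13]})
        elif rtype == U2_PACKET and len(body) >= struct.calcsize(PACKET_HDR_FMT):
            h = struct.unpack_from(PACKET_HDR_FMT, body, 0)
            records.append({"type": "packet", "event_id": h[1], "linktype": h[5],
                            "packet": body[28:28 + h[6]]})
        else:
            records.append({"type": "other", "u2_type": rtype, "length": rlen})
        off = end
    return records, len(data) - off


def build_sample_unified2(truncate=False):
    """Constructed sample: one event plus its packet, laid out as the unified2
    output plugin would write them. truncate=True cuts the packet record short."""
    ev = struct.pack(IDS_EVENT_FMT,
                     0, 1, 1486185613, 0,     # sensor_id, event_id, event_second, event_usec
                     1000001, 1, 3,           # signature_id, generator_id, signature_revision
                     0, 2,                    # classification_id, priority_id
                     int(IPv4Address("10.0.0.5")), int(IPv4Address("10.0.0.9")),
                     12345, 80,               # sport_itype, dport_icode
                     6, 0, 0, 0)              # protocol (TCP), impact_flag, impact, blocked
    payload = b"GET / HTTP/1.0\r\n"
    pkt = struct.pack(PACKET_HDR_FMT, 0, 1, 1486185613, 1486185613, 0, 1, len(payload)) + payload
    data = (struct.pack("!II", U2_IDS_EVENT, len(ev)) + ev +
            struct.pack("!II", U2_PACKET, len(pkt)) + pkt)
    return data[:-5] if truncate else data


# Constructed pcap global header (little-endian, linktype 1): what a snort.log.<ts> file starts with.
SAMPLE_PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def classify_spool_file(path):
    """Read a spool file from disk and report its format and decoded records."""
    with open(path, "rb") as fh:
        data = fh.read()
    fmt = sniff_format(data)
    records, leftover = parse_unified2(data) if fmt == "unified2" else ([], 0)
    return fmt, records, leftover


if __name__ == "__main__":
    for label, blob in (("snort.u2.1486185613", build_sample_unified2()),
                        ("snort.log.1486185613", SAMPLE_PCAP_HEADER)):
        fmt = sniff_format(blob)
        print(label, "->", fmt)
        if fmt == "unified2":
            records, leftover = parse_unified2(blob)
            for r in records:
                print("  ", r)
            print("   leftover bytes:", leftover)
```

Run it against a real spool directory with `classify_spool_file("/var/log/snort/snort.u2.1486185613")`: a file that sniffs as `pcap` is the packet log, not something barnyard2 can replay, and a non-zero `leftover` on a live unified2 file just means Snort has not finished the last record yet, which is exactly the position barnyard2 keeps in its waldo file between runs.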