Snort mailing list archives

RE: Barnyard, ACID output


From: Steve Halligan <agent33 () geeksquad com>
Date: Thu, 17 Jan 2002 11:47:50 -0600

I recently installed barnyard to handle the various Snort output 
formats, but the documentation is a bit weak on a few points, so I've 
had to do some trial-and-error work.

1) Is the Unified log/alert format the only output I need to specify in snort.conf?

Yes.

5) My ACID database is receiving input from barnyard, but ALL the IP 
addresses are backwards! Instead of "64.129.103.189", it lists the 
source address as "189.103.129.64". What's up with that?


I have found this to be true when using the snort.alert unified file; try
snort.log instead.

6) The ACID database no longer contains the packet information like my old configuration (straight from snort to ACID). Is this a deficiency of the Unified format logs?

See above.  You should get full packet details.


7) What's the best startup configuration for snort to accomplish what 
I'm doing? The command line execution call vs. snort.conf vs. 
barnyard.conf relationship is very poorly documented, so it's hard to 
figure out where/how to specify what. I currently have:

Commandline ALWAYS wins.  It overrides anything you put in the conf file.


      daemon /usr/sbin/snort -u snort -g snort -l /var/log/snort -d -D \
                  -i $INTERFACE -c /etc/snort/snort.conf

in my snortd startup, and

      /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort \
         -w /var/log/snort/alert.offset -g /etc/snort/gen-msg.map \
         -s /etc/snort/sid-msg.map -f snort.alert &

I am using
#snort -de -C -D -c /etc/snort/snort.conf
for snort
and
#barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnwaldo -l
for barnyard.


Actually, how are most people getting barnyard to launch?

Working like a champ.

-Steve
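Added example (not from either poster): the matching snort.conf and barnyard.conf pairing that feeds the unified log stream, rather than the alert stream, into the ACID database so packet payloads arrive. It assumes the barnyard 0.1-era plugin names (log_unified, log_acid_db) and a MySQL backend; database name and credentials are placeholders.

```ini
# --- snort.conf: unified output is the only output plugin Snort needs ---
# The alert stream carries only event headers; the log stream carries
# the full packet, which is what ACID's payload view is built from.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf: read snort.log (-f snort.log on the command line) ---
# Placeholder values: "eth0", "snort", "snortuser", "CHANGEME".
config hostname: sensor1
config interface: eth0

# Classification and priority text comes from the same map files the
# -g / -s command-line options point at.
config class-file: /etc/snort/classification.config

# log_acid_db with "detail full" stores the packet alongside the event,
# so ACID shows the same payload data as the direct snort-to-ACID setup.
output log_acid_db: mysql, database snort, server localhost, user snortuser, password CHANGEME, detail full
```

Command-line options (such as -f and -d) override anything set in the conf file, so if both specify an input file the command line decides which unified file barnyard reads.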

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users