Snort mailing list archives

Re: Barnyard question


From: "Imran William Smith" <iwsmith () mimos my>
Date: Tue, 9 Jul 2002 16:45:35 +0800

Hola Emilio,

1st problem : "2 hours"

I notice from your mail headers that your timezone is GMT+2:

X-Original-Date: Tue, 9 Jul 2002 10:24:26 +0200 (CEST)

So the 'two hours ago' thing is probably some timezone problem - 
you are seeing the times in GMT, so they look like they are two
hours old, since the GMT time is your time minus 2.  Maybe your sensor
machine is set to GMT?


2nd problem: "no detail"

I believe snort can log in two modes to a database, fast and
full.  So, perhaps barnyard does the same thing?  I have not
used barnyard.  See README.database in the snort distribution 
for details of the 'detail' level (at least, in v1.8.6 this gave
details).


Good luck

--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia
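
The timezone diagnosis above can be checked rather than guessed. The following is an added example, not code from the thread or from Snort or Barnyard: it assumes alert timestamps are read back from the database as bare strings with no zone information, that the sensor wrote them in UTC/GMT, and that the analyst is on CEST (UTC+2), as in the quoted mail headers. The sample timestamps and the analyst's clock are constructed values. It separates the lag an analyst sees when comparing the bare database time against the local wall clock from the real delay once both sides carry zone information, so a zone mismatch (alerts are fresh, display only looks stale by the zone gap) is not mistaken for a genuinely lagging pipeline.

```python
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample (not from the thread): alert timestamps as read back from
# the database. They are naive strings; assumption: the sensor wrote them in UTC.
SAMPLE_DB_TIMESTAMPS = [
    "2002-07-09 08:24:26",
    "2002-07-09 08:25:01",
    "2002-07-09 06:00:00",   # an older alert, to show a real lag
]

# Constructed: the analyst's wall clock in CEST (UTC+2) at the time of the check.
ANALYST_ZONE = timezone(timedelta(hours=2), name="CEST")
ANALYST_NOW = datetime(2002, 7, 9, 10, 27, 0, tzinfo=ANALYST_ZONE)


def naive_lag(db_text, local_now):
    """Lag seen when the bare database time is compared against the local clock
    without any zone conversion. This is the 'two hours ago' symptom."""
    naive_db = datetime.strptime(db_text, TS_FORMAT)
    return local_now.replace(tzinfo=None) - naive_db


def true_lag(db_text, local_now, sensor_zone=timezone.utc):
    """Real delay between the alert and now, once both sides carry zone info."""
    aware_db = datetime.strptime(db_text, TS_FORMAT).replace(tzinfo=sensor_zone)
    return local_now - aware_db


def classify(db_text, local_now, sensor_zone=timezone.utc,
             tolerance=timedelta(minutes=5)):
    """'timezone'  : alert is fresh, only the display is off by the zone gap
       'pipeline'  : alert really is old, i.e. the logging chain is lagging
       'ok'        : fresh and displayed correctly"""
    real = true_lag(db_text, local_now, sensor_zone)
    # naive_lag == real + zone_gap, so the zone gap alone explains the symptom
    zone_gap = local_now.utcoffset() - sensor_zone.utcoffset(None)
    if real > tolerance:
        return "pipeline"
    if abs(zone_gap) > tolerance:
        return "timezone"
    return "ok"


def display_local(db_text, analyst_zone, sensor_zone=timezone.utc):
    """The fix on the display side: attach the sensor's zone, then convert."""
    aware_db = datetime.strptime(db_text, TS_FORMAT).replace(tzinfo=sensor_zone)
    return aware_db.astimezone(analyst_zone).strftime(TS_FORMAT + " %Z")


if __name__ == "__main__":
    for ts in SAMPLE_DB_TIMESTAMPS:
        print(ts, "seen as", naive_lag(ts, ANALYST_NOW), "old;",
              "really", true_lag(ts, ANALYST_NOW), "old;",
              "verdict:", classify(ts, ANALYST_NOW), "->",
              display_local(ts, ANALYST_ZONE))
```

If the verdict is "timezone" for every row, setting the sensor's clock and the viewer to the same zone (or converting on display, as `display_local` does) removes the symptom; a "pipeline" verdict means the delay is real and Barnyard or the unified log spool needs looking at.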




----- Original Message ----- 
From: "Emilio Mira Alfaro" <emial () alumni uv es>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, July 09, 2002 4:24 PM
Subject: [Snort-users] Barnyard question


| 
| Hi all.
| 
| I'm trying to install barnyard-0.1.0-rc2 with Snort 1.8.7beta2 
| and there are some rare things. 
| 
| I log in MySQL database with acid output plugin:
| 
| output log_acid_db: mysql, sensor_id 1, database snortdb, 
| server localhost, user snort, password ****** , detail full
| 
| and the only input plugin is dp_log.
| 
| First, it seems that barnyard works with a delay: I can only
| see alerts that were detected 2 hours ago.
| 
| Second, tables iphdr and data are empty; I can only get information
| about the alerts generated, nothing else.
| 
| In snort.conf I have:
| 
| output alert_unified: filename snort.alert, limit 128
| output log_unified: filename snort.log, limit 128
| 
| Any ideas?
| 
| Thank you!!
| 
| 
| --
| Emilio Mira
| e-mail: emial () alumni uv es
| 
| 
| 



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Stuff, things, and much much more.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users