Re: barnyard (Payload)

[Alwin Raymundo <alrayworld () yahoo com>]

Hi Martin,

Thank for the info.

I already adjustment my configuration on both snort
and barnyard but showing me an error.
-*> Barnyard! <*-
Version 0.1.0-rc3 (Build 11)
By Andrew R. Baker (andrewb () snort org)
and Martin Roesch (roesch () sourcefire com,
www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AcidDb output plugin initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
Args: mysql, sensor_id 1, database snort, server
localhost, user usnort, password loghog, detail full
Barnyard Version 0.1.0-rc3 (Build 11) started
No Files found to read.  Exiting
Fatal Error, Quitting..
Exiting

barnyard.conf
output log_acid_db: mysql, sensor_id 1, database
snort, server localhost, user thalium, password
4e770!, detail full

in my snort.conf
output log_unified: filename snort.log, limit 128


and I started by barnyard with
barnyard  -c /etc/snort/barnyard.conf \
    -d /var/log/snort -g /etc/snort/gen-msg.map \
    -s /etc/snort/sid-msg.map -f scan.log

Is there any misconfiguration that I did.  Because
barnyard complaining about "no files found to read".
When I look at my /var/log/snort the file snort.log is
there and existing. Please correct me if I did
misconfiguration.  I appreciate it.

Thanks

Your brother in snort


--- Martin Roesch <roesch () sourcefire com> wrote:
> You need to setup log_unified in your snort.conf,
> alert_unified only 
> reports the event data, not the packet logs.
>
>       -Marty
>
> On Tuesday, October 15, 2002, at 08:37 AM, Alwin
> Raymundo wrote:
>
> > Hi Marty,
> >
> > Sorry I'm busy this week and I just open my email.
> >
> > in my snort.conf
> > output aler_unified: filename snort.alert, limit
> 128
> > in barnyard.conf
> > config hostname: snorthost
> > config interface: fxp0
> > config filter: not port 22
> > processor dp_alert
> > processor dp_log
> > processor dp_stream_stat
> > output alert_fast
> > output log_dump
> > output alert_acid_db: mysql, sensor_id 1, database
> > snort, server localhost, user usnort, password
> loghog
> > I'm new with barnyard. Thanks in Advance for your
> > help.
> >
> > Your brother in snort
> >
> > Alwin
> > --- Martin Roesch <roesch () sourcefire com> wrote:
> > > Which unified output option are you guys using?
> > >
> > >       -Marty
> > >
> > >
> > > On 10/1/02 8:57 AM, "Alwin Raymundo"
> > > <alrayworld () yahoo com> wrote:
> > >
> > > > Hi Ron,
> > > >
> > > > Yap to me the payload is very important.  for my
> > > own
> > > > opinion.  we know that somebody trying to do
> some
> > > > nasty thing to our server but how?
> > > >
> > > > without the payload its look like I shooting in
> > > the
> > > > dark.
> > > >
> > > > Thanks
> > > >
> > > >
> > > > --- Ron Shuck <rshuck () Buchanan com> wrote:
> > > > > Hey Alwin,
> > > > >
> > > > > I found the same results. I haven't heard if
> > > there
> > > > > are plans to include
> > > > > this, or if it should work and we just missed
> > > > > something.
> > > > >
> > > > >
> > > > > Ron Shuck, CISSP - Managing Consultant
> > > > > Buchanan Associates - A Technology Company in
> the
> > > > > People Business
> > > > > http://www.buchanan.com
> > > > > http://www.isc2.org
> > > > >
> > > > >
> > > > > ---original message---
> > > > > Date: Mon, 30 Sep 2002 11:36:39 -0700 (PDT)
> > > > > From: Alwin Raymundo <alrayworld () yahoo com>
> > > > > To: user snort
> > > <snort-users () lists sourceforge net>
> > > > > Subject: [Snort-users] barnyard (Payload)
> > > > >
> > > > > Hi Everybody,
> > > > >
> > > > > I don't know if this is already posted in
> > > previous
> > > > > discussion and this morning I just setup the
> > > > > barnyard.
> > > > >  I like it because it fast to log all packets
> in
> > > my
> > > > > mysql and acid but I notice there is no
> payload.
> > > > > Is this normal? is there in another way to get
> > > the
> > > > > payload?.
> > > > >
> > > > > Any help would be appreciated.
> > > > >
> > > > > Thanks in advance.
> > > >
> > > > > ATTACHMENT part 2 application/x-pkcs7-signature
> > > > name=smime.p7s
> > > >
> > > >
> > > >
> > > > =====
> > > > Alwin Raymundo
> __________________________________________________
> > > > Do you Yahoo!?
> > > > New DSL Internet Access from SBC & Yahoo!
> > > > http://sbc.yahoo.com
-------------------------------------------------------
> > > > This sf.net email is sponsored by: DEDICATED
> > > SERVERS only $89!
> > > > Linux or FreeBSD, FREE setup, FAST network. Get
> > > your own server
> > > > today at http://www.ServePath.com/indexfm.htm
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or
> > > unsubscribe:
> > > >
https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > >
> > > -- 
> > > Martin Roesch - Founder/CTO Sourcefire Inc. -
> (410)
> > > 290-1616
> > > Sourcefire: Professional Snort Sensor and
> Management
> > > Console appliances
> > > roesch () sourcefire com - http://www.sourcefire.com
> > > Snort: Open Source Network IDS -
> > > http://www.snort.org
-------------------------------------------------------
> > > This sf.net email is sponsored by: DEDICATED
> SERVERS
> > > only $89!
> > > Linux or FreeBSD, FREE setup, FAST network. Get
> your
> > > own server
> > > today at http://www.ServePath.com/indexfm.htm
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or
> > > unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > =====
> > Alwin Raymundo
> >
> > __________________________________________________
> > Do you Yahoo!?
> > New DSL Internet Access from SBC & Yahoo!
> > http://sbc.yahoo.com
> -- 
> Martin Roesch - Founder/CTO, Sourcefire Inc. -
> (410)290-1616
> Sourcefire: Snort-based Enterprise Intrusion
> Detection Infrastructure
=== message truncated ===


=====
Alwin Raymundo

__________________________________________________
Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!
http://sbc.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users