Snort mailing list archives

Re: Barnyard woes


From: Ken Gunderson <kgunders () teamcool net>
Date: Wed, 19 Feb 2003 10:03:59 -0700

On Wednesday 19 February 2003 07:58 am, Andrew R. Baker wrote:
Ken Gunderson wrote:
On Tuesday 18 February 2003 08:16 pm, Andrew R. Baker wrote:
Joerg Weber wrote:
 > Here's my problem:
 > 1) I'd like to use SnortCenter to maintain my sensors.
 > SnortCenter adds the unified_plugin like this:
 > output log_unified: filename snort-unified, limit 500
 > but no alert_unified:
 > Should I add this by hand via a preprocessor?

If you are only using the database output, you do not need to the
unified alert file.  All of the alert data should be in the unified
log file.

[snip]

so one would specify both "log_acid_db" AND "alert_acid_db" in
barnyard.conf and then get both alerts and logs going to db,
correct?

[snip]

No, you just need log_acid_db. This will get alerts w/ packet logs
into the database.  The confusing part is that, with several output
plugins, log means alert w/ packet.  Unfortunately, it is a little
late in Snort's lifetime to try to clarify this.

-A

No wonder I was confused ;-)  But this does not appear to be consistent
with what I am seeing.  My snort.conf specifies:

output alert_unified: filename snort_fxp1.alert, limit 500
output log_unified: filename snort_fxp1.log, limit 500

Presently I have two instances of BY running, and after processing by
BY, I am getting:

cooper# grep -i portscan2 log_dump_fxp1 | wc -l
       0
cooper# grep -i portscan2 alert_fast_fxp1 | wc -l
      78

This would indicate that not all alert data makes it to
log_unified?? Thus one still needs to parse alert_unified logs through
some other means such as syslog, alert_fast, etc.??

-- 
Best regards,

Ken Gunderson
PGP Key-- 9F5179FD

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.
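The check above (grep for one event name in each Barnyard output file) generalises to reconciling the two outputs per signature ID, which shows at a glance which alerts never reach the log side. The script below is an added example, not code from this thread or from the Snort/Barnyard projects; it assumes both Barnyard instances were run with the alert_fast output format (the log-side sample here is constructed in that same layout, standing in for whatever log_dump actually produced), and all sample lines, addresses and counts are constructed.

```python
import re
from collections import Counter

# Constructed sample of Barnyard "alert_fast" output from the alert_unified
# stream.  Timestamps, addresses and signature IDs are made up for the example.
ALERT_FAST_SAMPLE = """\
02/19-09:58:01.123456  [**] [117:1:1] (spp_portscan2) Portscan detected from 10.0.0.5: 1 targets 21 ports in 3 seconds [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.9:22
02/19-09:58:02.223456  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:3344 -> 10.0.0.9:80
02/19-09:58:03.323456  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.8:3345 -> 10.0.0.9:80
02/19-09:58:04.423456  [**] [117:1:1] (spp_portscan2) Portscan detected from 10.0.0.6: 1 targets 30 ports in 2 seconds [**] [Priority: 2] {TCP} 10.0.0.6:40002 -> 10.0.0.9:23
02/19-09:58:05.523456  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.11:1434 -> 10.0.0.9:1434
"""

# Constructed sample standing in for the log-side Barnyard instance (the one
# reading log_unified), written in the same alert_fast layout as an assumption.
LOG_SIDE_SAMPLE = """\
02/19-09:58:02.223456  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:3344 -> 10.0.0.9:80
02/19-09:58:03.323456  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.8:3345 -> 10.0.0.9:80
02/19-09:58:05.523456  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.11:1434 -> 10.0.0.9:1434
"""

# alert_fast lines carry the signature as "[**] [gid:sid:rev] message [**]".
SIG_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")


def grep_count(lines, needle):
    """Equivalent of `grep -i needle file | wc -l`: case-insensitive line count."""
    needle = needle.lower()
    return sum(1 for line in lines if needle in line.lower())


def count_signatures(lines):
    """Map (gid, sid) -> number of events for every parseable alert_fast line."""
    counts = Counter()
    for line in lines:
        m = SIG_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def reconcile(alert_lines, log_lines):
    """Compare the alert-side and log-side streams per signature ID.

    Returns totals for both streams plus the signatures (with their counts)
    that appear on the alert side but never on the log side.
    """
    alert_counts = count_signatures(alert_lines)
    log_counts = count_signatures(log_lines)
    alert_only = {sig: n for sig, n in alert_counts.items() if sig not in log_counts}
    return {
        "alert_total": sum(alert_counts.values()),
        "log_total": sum(log_counts.values()),
        "alert_only": alert_only,
    }


if __name__ == "__main__":
    alert_lines = ALERT_FAST_SAMPLE.splitlines()
    log_lines = LOG_SIDE_SAMPLE.splitlines()
    print("portscan2 on alert side:", grep_count(alert_lines, "portscan2"))
    print("portscan2 on log side:  ", grep_count(log_lines, "portscan2"))
    report = reconcile(alert_lines, log_lines)
    print("alert events:", report["alert_total"], " log events:", report["log_total"])
    for (gid, sid), n in sorted(report["alert_only"].items()):
        print(f"  [{gid}:{sid}] seen {n} time(s) in alert stream only")
```

Run it against the real alert_fast files by replacing the two sample strings with `open(path).read()`; the `alert_only` map is the list of signatures to chase down when the two Barnyard outputs disagree, rather than a single grep for one event name.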
