Snort mailing list archives
Another Barnyard Question
From: "Lance Boon" <lboon () firststatebanksw com>
Date: Fri, 25 Jun 2004 12:12:11 -0500
I'm trying to get barnyard-0.2.0.tar.gz set up and running on my remote sensors, logging to a centralized MySQL database. I've got the Snort 2.0 Intrusion Detection book and, reading through it on page 431, it says that "Some recent additions to the barnyard.conf file will allow us to actually run Barnyard without the -g and -s switches. These files can be preconfigured within the "configuration declarations" section of the barnyard.conf file." For example:

    config generator-map: gen-msg.map
    config signature-map: sid-msg.map

However, when I try to add them I get:

    [root@IDS1 barnyard]# /etc/barnyard/bin/barnyard -c /etc/barnyard/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/waldo
    Barnyard Version 0.2.0 (Build 32)
    Unrecognized config directive: 'generator-map: /etc/snort/gen-msg.map'
    Unrecognized config directive: 'signature-map: /etc/snort/sid-msg.map'
    ERROR => Unable to open SID file "/etc/barnyard/sid-msg.map": No such file or directory
    ERROR => Unable to open Generator file "/etc/barnyard/gen-msg.map": No such file or directory
    ERROR => Unable to open Classification file "/etc/barnyard/classification.config": No such file or directory
    Waiting for new spool file

If I copy the gen-msg.map, sid-msg.map and classification.config files to my /etc/barnyard directory, barnyard will start without errors. But when I look at my ACID webpage I see the following:

    [snort] Snort Alert [119:13:0]   unclassified   3 (0%)   1   1   1   2004-06-25 15:40:31   2004-06-25 15:40:31

I'd really rather not have two copies of gen-msg.map, sid-msg.map and classification.config in two different directories. Does anybody have a good "hey newbie, here's how it's done" type of guide?
System is RH FC1, snort is Version 2.1.3 (Build 27).

Snort.conf:

    # Step #3: Configure output plugins
    output alert_unified: filename /var/log/snort/snort.alert, limit 128
    output log_unified: filename /var/log/snort/snort.log, limit 128

Barnyard.conf, standard except for the following entries:

    # Step 1: configuration declarations
    # To keep from having a commandline that uses every letter in the alphabet
    # most configuration options are set here
    config generator-map: /etc/snort/gen-msg.map
    config signature-map: /etc/snort/sid-msg.map

    # set the hostname (currently only used for the acid db output plugin)
    config hostname: WORSEN1

    # set the interface name (currently only used for the acid db output plugin)
    config interface: eth0

    output log_acid_db: mysql, sensor_id WORSEN1, database snort, server x.x.x.x, user snort, password password, detail full

Can anyone see anything I'm doing wrong? Any suggestions would be greatly appreciated.
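The "Snort Alert [119:13:0]" label in ACID is what you get when the event's generator/sid pair is not found in the map files Barnyard loaded. The following is an added illustration, not Barnyard's code and not part of the original post: it parses the " || "-separated layout of gen-msg.map and sid-msg.map (sample lines and message text are constructed), resolves a [gid:sid:rev] event id to its message, and falls back to the generic label when the maps are missing or incomplete.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample map contents in the "col || col || col" layout used by
# Snort's gen-msg.map (generator || sid || message) and sid-msg.map
# (sid || message || reference,...). The message text here is made up.
GEN_MSG_MAP = """\
# generator || sid || message
1 || 1 || snort general alert
119 || 13 || (http_inspect) constructed sample message
"""

SID_MSG_MAP = """\
# sid || message || reference,reference,...
1000 || constructed sample rule message || url,example.invalid
"""

_EVENT_RE = re.compile(r"^\[(\d+):(\d+):(\d+)\]$")


def parse_map(text: str, key_fields: int) -> Dict[Tuple[int, ...], str]:
    """Parse a ' || '-separated map file; the first key_fields integer
    columns form the lookup key and the next column is the message."""
    table: Dict[Tuple[int, ...], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split("||")]
        if len(cols) <= key_fields:
            continue  # malformed line: not enough columns, skip it
        key = tuple(int(c) for c in cols[:key_fields])
        table[key] = cols[key_fields]
    return table


def resolve_event(event: str, gen_map: Dict[Tuple[int, ...], str],
                  sid_map: Dict[Tuple[int, ...], str]) -> str:
    """Map '[gid:sid:rev]' to a message, or to the generic fallback label."""
    m = _EVENT_RE.match(event)
    if not m:
        raise ValueError(f"not a [gid:sid:rev] event id: {event!r}")
    gid, sid, rev = (int(g) for g in m.groups())
    # Generator 1 is the rules engine; its sids are described in sid-msg.map.
    if gid == 1 and (sid,) in sid_map:
        return sid_map[(sid,)]
    # Preprocessor events (e.g. generator 119, http_inspect) live in gen-msg.map.
    if (gid, sid) in gen_map:
        return gen_map[(gid, sid)]
    # No mapping found: the generic label, as seen in ACID on this thread.
    return f"Snort Alert [{gid}:{sid}:{rev}]"
```

Running resolve_event("[119:13:0]", {}, {}) reproduces the unclassified ACID entry, while loading both maps with parse_map yields the preprocessor message instead.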