Re: Barnyard part 2

[sekure <sekure () gmail com>]

> If your rules are alerts and you are outputting to log_unified you will have issues...
I don't think that's necessarily true.  According to Snort docs: "The
log file contains the detailed packet information ( a packet dump with
the associated event id )".

My sensors are configured to:
output log_unified: filename unified.log, limit 128

And barnyard is configured:
output log_acid_db: mysql, database db, server server, etc...

I found that I only need one output module for snort and one output
module for barnyard. Barnyard takes care of extracting the pertinent
information and entering it into the database, giving me the alert and
the packet payload.  If I had just output log_alert in snort.conf, or
just output alert_acid_db in barnyard the packet detail wouldn't make
it into the database.  And having two output plugins in barnyard tries
to enter the same event into it twice.

Hmmm....I think that's right....

HTH, 

----- Original Message -----
From: Jeff Dell <jdell () activeworx com>
Date: Thu, 29 Jul 2004 09:36:17 -0400
Subject: RE: [Snort-users] Barnyard part 2
To: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>,
snort-users () lists sourceforge net


Make sure you are alerting to unified as well. i.e. uncomment the
following line in your snort.conf file:
 
output alert_unified: filename snort.alert, limit 128
 
If your rules are alerts and you are outputting to log_unified you
will have issues...
 
Jeff


________________________________
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Esler,
Joel - Contractor
Sent: Thursday, July 29, 2004 8:46 AM
To: Esler, Joel - Contractor; snort-users () lists sourceforge net;
Maetzky, Steffen (Extern)
Subject: RE: [Snort-users] Barnyard part 2



I see that my Snort -> mysql used the "log" facility.  Is there a
similar command in barnyard, or do I have to change my rules from
alert to log?
 
J


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Esler,
Joel - Contractor
Sent: Thursday, July 29, 2004 8:40 AM
To: snort-users () lists sourceforge net; Maetzky, Steffen (Extern)
Subject: [Snort-users] Barnyard part 2


Okay, Now, previous setup was Snort logging directly to mysql.  Now it
is logging to unified, Barnyard is now processing the mysql entries,
however, it is not inputting the packet data into ACID.  Where did the
packet data go?
 
J
 
(barnyard.conf)
 
output alert_acid_db: mysql, sensor_id 7, database snort, server
127.0.0.1, user snort
output log_acid_db: mysql, database snort, server 127.0.0.1, user
snort, detail full
 
Do i need to comment out alert_acid_db, and make it just "log_acid_db?


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users