Snort mailing list archives
Re: Barnyard part 2
From: sekure <sekure () gmail com>
Date: Thu, 29 Jul 2004 10:07:10 -0400
If your rules are alerts and you are outputting to log_unified you will have issues...
If your rules are alerts and you are outputting to log_unified you will have issues...

I don't think that's necessarily true. According to Snort docs: "The log file contains the detailed packet information (a packet dump with the associated event id)".

My sensors are configured to:

output log_unified: filename unified.log, limit 128

And barnyard is configured:

output log_acid_db: mysql, database db, server server, etc...

I found that I only need one output module for snort and one output module for barnyard. Barnyard takes care of extracting the pertinent information and entering it into the database, giving me the alert and the packet payload. If I had just output log_alert in snort.conf, or just output alert_acid_db in barnyard, the packet detail wouldn't make it into the database. And having two output plugins in barnyard tries to enter the same event into it twice.

Hmmm....I think that's right....

HTH,

----- Original Message -----
From: Jeff Dell <jdell () activeworx com>
Date: Thu, 29 Jul 2004 09:36:17 -0400
Subject: RE: [Snort-users] Barnyard part 2
To: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>, snort-users () lists sourceforge net

Make sure you are alerting to unified as well. i.e. uncomment the following line in your snort.conf file:

output alert_unified: filename snort.alert, limit 128

If your rules are alerts and you are outputting to log_unified you will have issues...

Jeff

________________________________
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Esler, Joel - Contractor
Sent: Thursday, July 29, 2004 8:46 AM
To: Esler, Joel - Contractor; snort-users () lists sourceforge net; Maetzky, Steffen (Extern)
Subject: RE: [Snort-users] Barnyard part 2

I see that my Snort -> mysql used the "log" facility. Is there a similar command in barnyard, or do I have to change my rules from alert to log?
J

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Esler, Joel - Contractor
Sent: Thursday, July 29, 2004 8:40 AM
To: snort-users () lists sourceforge net; Maetzky, Steffen (Extern)
Subject: [Snort-users] Barnyard part 2

Okay,

Now, previous setup was Snort logging directly to mysql. Now it is logging to unified, Barnyard is now processing the mysql entries, however, it is not inputting the packet data into ACID. Where did the packet data go?

J

(barnyard.conf)

output alert_acid_db: mysql, sensor_id 7, database snort, server 127.0.0.1, user snort
output log_acid_db: mysql, database snort, server 127.0.0.1, user snort, detail full

Do I need to comment out alert_acid_db, and make it just "log_acid_db"?
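The pairing problem the thread circles around (snort writing one unified stream, barnyard reading another, or barnyard inserting the same event through two db plugins) is easy to catch before deployment by comparing the two config files. The checker below is an added example of mine, not code from the thread or from the Snort/Barnyard projects; it assumes only the "output <stream>_<plugin>: ..." line syntax visible in the quoted configs, and the two config texts are constructed to reproduce Joel's setup.

```python
import re

# Constructed sample configs (hypothetical file contents) mirroring the
# snort.conf / barnyard.conf fragments quoted in the thread.
SNORT_CONF = """
# output alert_unified: filename snort.alert, limit 128
output log_unified: filename unified.log, limit 128
"""
BARNYARD_CONF = """
output alert_acid_db: mysql, sensor_id 7, database snort, server 127.0.0.1, user snort
output log_acid_db: mysql, database snort, server 127.0.0.1, user snort, detail full
"""

# Matches active (uncommented) lines such as "output log_unified: ..." and
# captures the stream (alert|log) and the plugin suffix (unified, acid_db, ...).
OUTPUT_RE = re.compile(r"^\s*output\s+(alert|log)_(\w+)\s*:", re.IGNORECASE)


def output_plugins(conf_text):
    """Return the set of (stream, plugin) pairs declared by active output lines."""
    found = set()
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if m:
            found.add((m.group(1).lower(), m.group(2).lower()))
    return found


def check_pairing(snort_conf, barnyard_conf):
    """Compare the unified streams snort writes with the db outputs barnyard uses."""
    produced = {s for s, p in output_plugins(snort_conf) if p == "unified"}
    consumed = {s for s, p in output_plugins(barnyard_conf) if p.endswith("_db")}
    findings = []
    for stream in sorted(consumed - produced):
        findings.append(f"barnyard has {stream}_*_db output but snort writes no {stream}_unified")
    for stream in sorted(produced - consumed):
        findings.append(f"snort writes {stream}_unified but no barnyard db output reads it")
    # Per the thread: only the log stream carries the packet dump, and two db
    # outputs in barnyard try to insert the same event twice.
    if "log" not in consumed:
        findings.append("no log_*_db output in barnyard: packet payloads will not reach the database")
    if {"alert", "log"} <= consumed:
        findings.append("both alert_*_db and log_*_db outputs: each event may be inserted twice")
    return findings


if __name__ == "__main__":
    for f in check_pairing(SNORT_CONF, BARNYARD_CONF):
        print("WARNING:", f)
```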
Current thread:
- Barnyard part 2 Esler, Joel - Contractor (Jul 29)
- <Possible follow-ups>
- RE: Barnyard part 2 Esler, Joel - Contractor (Jul 29)
- RE: Barnyard part 2 Jeff Dell (Jul 29)
- Re: Barnyard part 2 sekure (Jul 29)
- RE: Barnyard part 2 Jeff Dell (Jul 29)
- RE: Barnyard part 2 Jeff Dell (Jul 29)
- RE: Barnyard part 2 Esler, Joel - Contractor (Jul 29)
- Re: Barnyard part 2 sekure (Jul 29)
- RE: Barnyard part 2 Esler, Joel - Contractor (Jul 29)