Snort mailing list archives

Re: Barnyard, Mudpit, and the Unified Output Format


From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Tue, 24 Aug 2004 15:37:11 +0200

Hi,

[...]

Which brings me to a topic of discussion. Along with the issue above, there 
is no payload, no packet data. Now the reason to be running snort in this 
manner is to help with performance. But I was under the impression that 
snort will dump everything to the log file, including the payload in a 
binary format and then a separate process such as Barnyard or Mudpit will 
decode and input the payload into the MySQL database for use with ACID. I 
was mucking around with the output code for Mudpit and did find that there 
is a function for the data and data_payload. I just want to know if this is 
the true nature of the output plug-in; to allow snort to sniff at top speed, 
or if there is something wrong with my setup.

Probably you have to use the 

output log_acid_db:

keyword in barnyard.conf together with the option

  detail full

e.g.:

output log_acid_db: mysql, database snort, server localhost, user snort, detail full

Note: You can even use the log_acid_db if you use the snort.alert file.

Best regards

Dirk

PS: You can alternatively use FLoP instead of barnyard: 

   http://www.geschke-online.de/FLoP/
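The two halves of the pipeline the question is about, as an added example and not taken from the mail above: snort writes binary unified output only, and barnyard does the decoding and database insert. The hostname, interface, sensor_id and the CHANGEME password are placeholders, not values from the thread; the "detail fast" remark reflects barnyard's documented option, which stores the event header without the payload.

```conf
# snort.conf (sensor side): write alerts and logged packets in the
# binary unified format. No database work happens inside snort, which
# is what keeps the sniffing process fast.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# barnyard.conf (spooler side): read the unified files written above
# and insert them into the ACID schema.
config hostname: sensor1          # placeholder sensor name
config interface: eth0            # placeholder sniffing interface

# "detail full" stores the decoded packet payload (data_payload) with
# each event; "detail fast" stores only the event header, which is
# exactly the "no payload in ACID" symptom described in the question.
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password CHANGEME, detail full
```

Point barnyard at the same spool directory and file prefix that snort writes to (snort.log above); if only the alert file is processed, the same log_acid_db line still works, as the mail notes.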



