Snort mailing list archives

unified format


From: Igor Belikov <ivb () is ua>
Date: Fri, 19 Aug 2005 09:57:02 +0300

Hello snort-users,

  I have several questions regarding unified log format.

  1. In the archive of this mailing list I read that the unified alert file
  contains only alert information, and the unified log file contains both
  alerts and the corresponding payloads. But the documentation says differently:
  the unified log contains only the payload, and I confirmed this with some
  tests.

  2. I need to log detailed info about alerts to a DB. I set up snort to
  write unified alert and log files, and need some mechanism to store
  this info in the DB.

  3. Writing to the DB by snort is not a good solution, so I want to use
  barnyard. But I can't get _all_ the information from the unified logs! I
  can't set up barnyard to process both alert and log files, and I
  can't run two copies of barnyard to process the two files (alert and
  log). When I run only one copy of barnyard to process the log, I don't
  receive events in the DB at all! When I run barnyard to process the alert
  file, I receive alert events in the DB, but I don't receive the payload of
  these alerts.

  So I need some help to set up snort+barnyard to put detailed info
  about alerts in the DB.

-- 
Best regards,
 Igor                          mailto:ivb () is ua


P.S. Excuse my poor English, please...
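As an added illustration (not part of the original post, and not taken from the Snort or barnyard projects' own documentation), here is the output/input pairing this kind of setup normally uses: snort writes both unified spools, and one barnyard instance reads the unified *log* spool with the `dp_log` input processor and the `log_acid_db` output. A unified log record is an event header followed by the captured packet, which is what `log_acid_db` stores, payload included, when `detail full` is set. The file paths, sensor name, size limit and database credentials below are assumptions; check the option names against the barnyard.conf shipped with your barnyard version.

```conf
# --- snort.conf fragment (added example; filenames and limit are assumptions) ---
# Write both unified spools; each barnyard instance follows one of them.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf (barnyard 0.2.x syntax; host, interface and credentials are placeholders) ---
config hostname: sensor1
config interface: eth0
config daemon

# The input processor must match the spool type: dp_log for unified log files,
# dp_alert for unified alert files.
processor dp_log

# Packet-level database output; "detail full" stores the payload with each event.
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password changeme, detail full

# Start one instance per spool. The waldo file records the read position, so a
# restart resumes where it left off instead of re-inserting old events:
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/log.waldo
```

A barnyard instance follows a single spool base name (`-f`), so if the alert spool should also land in the database it gets its own instance with its own config (`processor dp_alert`, `output alert_acid_db`) and its own waldo file. Whether this arrangement resolves the empty-database symptom described above is not something this page confirms; the first thing to check is that the processor in barnyard.conf matches the spool type handed to `-f`.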


