Snort mailing list archives

Re: Problem with barnyard 0.2.0 and snort 2.4.0


From: Jason Brvenik <jason.brvenik () sourcefire com>
Date: Sat, 20 Aug 2005 13:57:01 -0400
eric-list-snort-users () catastrophe net wrote:
It seems I have a problem with barnyard 0.2.0 and snort 2.4.0 on OpenBSD
3.6. I have configured snort to write a unified log to
/var/snort/log/snort.log with the following....

output log_unified: snort.log, limit 128

files are being written, as witnessed by the following....

 $ ls -l /var/snort/log
 [...]
 -rw-r--r--  1 root    _snort    5967 Aug 19 19:58 snort-unified.log.1124485688
 -rw-r--r--  1 root    _snort    9150 Aug 19 20:29 snort-unified.log.1124499689
 -rw-r--r--  1 root    _snort   46069 Aug 19 23:45 snort-unified.log.1124510258
 -rw-r--r--  1 root    _snort   18878 Aug 20 00:27 snort-unified.log.1124513157
 [...]

I'm starting snort in the following manner...

 # /var/snort/bin/snort -c /var/snort/etc/snort.conf \
   -l /var/snort/log -F /var/snort/etc/snort.pcap -D

So everything is working there fine. Signatures are triggered on.

My barnyard.conf is as follows...

 config localtime
 config hostname: gw1
 config interface: bridge0
 config filter: not port 22
output log_acid_db: mysql, database snort, server 10.19.81.137, user foo, password bar, detail full [wrapped for clarity]

Optional for debugging:

output alert_csv: /var/log/snort/csv.out

remove config localtime - it will prove challenging during timewarps like DST
Next I start barnyard in the following manner...

 # /var/snort/bin/barnyard -c /var/snort/etc/barnyard.conf \
    -s /var/snort/etc/sid-msg.map -g /var/snort/etc/gen-msg.map \
    -p /var/snort/etc/classification.config -d /var/snort/log \
    -f snort.log -w /var/snort/log/snort_ids.log

change that to

/var/snort/bin/barnyard -c /var/snort/etc/barnyard.conf \
   -s /var/snort/etc/sid-msg.map \
   -g /var/snort/etc/gen-msg.map \
   -p /var/snort/etc/classification.config \
   -d /var/snort/log \
   -f snort-unified.log \
   -w /var/snort/log/snort-unified-log.waldo

note that -f and -w are changed.
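As an added example (not code from this thread or from the barnyard project), here is a small POSIX sh pre-flight check for the two points raised above: a `-f` prefix that matches none of the unified files in the `-d` directory, and a `config localtime` line in barnyard.conf. The function names are my own, and the sample spool directory it builds is constructed to mirror the listing in the thread.

```sh
#!/bin/sh
# check_barnyard_spool LOGDIR PREFIX CONFFILE
# Returns 0 when LOGDIR holds at least one PREFIX.<timestamp> unified file
# and CONFFILE carries no "config localtime" line; returns 1 otherwise.
# (Hypothetical helper written for this example, not part of barnyard.)
check_barnyard_spool() {
    logdir=$1; prefix=$2; conf=$3
    status=0; n=0
    # Unified output is named PREFIX.<epoch seconds>, e.g.
    # snort-unified.log.1124485688 in the listing above.
    for f in "$logdir"/"$prefix".*; do
        [ -f "$f" ] || continue            # unmatched glob stays literal
        case "${f##*.}" in
            *[!0-9]*|'') ;;                 # suffix is not a timestamp: skip
            *) n=$((n + 1)) ;;
        esac
    done
    if [ "$n" -eq 0 ]; then
        echo "no ${prefix}.<timestamp> files in ${logdir}; -f does not match snort's output" >&2
        status=1
    else
        echo "found ${n} spool file(s) for prefix ${prefix}"
    fi
    if grep -q '^[[:space:]]*config[[:space:]]*localtime' "$conf"; then
        echo "warning: 'config localtime' in ${conf}; timestamps shift across DST changes" >&2
        status=1
    fi
    return $status
}

# Constructed scratch spool: the four files from the thread's ls output plus a
# barnyard.conf that still has "config localtime".
make_sample_spool() {
    dir=$(mktemp -d)
    for ts in 1124485688 1124499689 1124510258 1124513157; do
        : > "$dir/snort-unified.log.$ts"
    done
    printf 'config hostname: gw1\nconfig localtime\n' > "$dir/barnyard.conf"
    echo "$dir"
}

# Demo: the original "-f snort.log" value is rejected, the corrected prefix passes.
sample=$(make_sample_spool)
check_barnyard_spool "$sample" snort.log "$sample/barnyard.conf" || echo "-> fix -f and barnyard.conf"
check_barnyard_spool "$sample" snort-unified.log "$sample/barnyard.conf" || echo "-> fix barnyard.conf"
rm -rf "$sample"
```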

