Snort mailing list archives

Re: Barnyard2 conf syntax for syslog


From: firnsy <firnsy () securixlive com>
Date: Sat, 05 Sep 2009 11:08:03 +0930

G'day Shawn,

Jefferson, Shawn wrote:
> Looking at the code of barnyard2, and I don't fully understand it I'll admit, but I see this in spo_alert_syslog.c:
> 
> #ifdef LOG_ALERT
>         if(!strcasecmp("LOG_ALERT", tmp))
>         {
>             data->priority = LOG_ALERT;
>         }
>         else
> #endif
> 
> and further down:
> 
>         {
>             LogMessage("WARNING => Unrecognized syslog "
>                     "facility/priority: %s\n", tmp);
>         }
>     }
> 
> Doesn't this mean that unless the LOG_ALERT variable was defined at compile time, this code will not be included in the binary?  Maybe when I compiled my barnyard2 it was not defined?


These defines will be defined in /usr/include/sys/syslog.h which is pulled in at the top of spo_alert_syslog.h.

> Also, looking at the code, there are comments there that indicate that maybe what I'm trying to do is only supported on WIN32?
> 
>     /*
>      * NON-WIN32:  Config should be in the format:
>      *   output alert_syslog: LOG_AUTH LOG_ALERT
>      *
>      * WIN32:  Config can be in any of these formats:
>      *   output alert_syslog: LOG_AUTH LOG_ALERT
>      *   output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
>      *   output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>      */

The output plugins are 99.9% aligned to those of Snort, thus if you can do something with Snort's output plugins (except spo_alert_sf_socket) that you can't do in barnyard2, then this is a bug.

However, if you are attempting to define a remote IP for a non-win32 system, then no, you can't do this with either the Snort or barnyard2 syslog plugins.

I believe the old spo_alert_syslog2 had this support but was later deprecated in favor of using syslog forwarding.


> Thanks,
> Shawn


Regards,

--
firnsy
www.securixlive.com
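As an added illustration (this is not barnyard2's or Snort's own code), the following parser handles the non-WIN32 `output alert_syslog: LOG_AUTH LOG_ALERT` argument format with the same `#ifdef` guards as spo_alert_syslog.c: every `LOG_*` value comes from `<syslog.h>`, so a name that header does not define simply has no branch and falls through to the WARNING. The function name `parse_alert_syslog_args` and the input strings are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <syslog.h>

enum kind { FACILITY, PRIORITY };

/* Name table guarded like spo_alert_syslog.c: if <syslog.h> does not define
 * a LOG_* macro, that entry is compiled out and the name becomes unknown. */
static const struct { const char *name; int value; enum kind kind; } names[] = {
#ifdef LOG_AUTH
    { "LOG_AUTH",    LOG_AUTH,    FACILITY },
#endif
#ifdef LOG_LOCAL0
    { "LOG_LOCAL0",  LOG_LOCAL0,  FACILITY },
#endif
#ifdef LOG_ALERT
    { "LOG_ALERT",   LOG_ALERT,   PRIORITY },
#endif
#ifdef LOG_WARNING
    { "LOG_WARNING", LOG_WARNING, PRIORITY },
#endif
};

/* Parse the non-WIN32 argument string "FACILITY PRIORITY" (case-insensitive,
 * matching the plugin's strcasecmp).  Returns 0 and fills both outputs on
 * success; returns -1 and logs a WARNING when a token is not recognised. */
int parse_alert_syslog_args(const char *args, int *facility, int *priority)
{
    char buf[128];   /* hypothetical example function; input is a constructed config line */
    snprintf(buf, sizeof buf, "%s", args);
    *facility = *priority = -1;
    for (const char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        size_t i;
        for (i = 0; i < sizeof names / sizeof names[0]; i++)
            if (!strcasecmp(names[i].name, tok))
                break;
        if (i == sizeof names / sizeof names[0]) {
            fprintf(stderr, "WARNING => Unrecognized syslog facility/priority: %s\n", tok);
            return -1;
        }
        if (names[i].kind == FACILITY) *facility = names[i].value;
        else                           *priority = names[i].value;
    }
    /* Both halves are required, just as "LOG_AUTH LOG_ALERT" documents. */
    return (*facility >= 0 && *priority >= 0) ? 0 : -1;
}
```

The resulting `facility | priority` is what a plugin hands to syslog(); the host=... form from the WIN32 comment is deliberately not accepted here, matching the non-WIN32 behaviour firnsy describes.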
