Snort mailing list archives
Re: Barnyard2 conf syntax for syslog
From: firnsy <firnsy () securixlive com>
Date: Sat, 05 Sep 2009 11:08:03 +0930
G'day Shawn,

Jefferson, Shawn wrote:
Looking at the code of barnyard2, and I don't fully understand it I'll admit, but I see this in spo_alert_syslog.c:

    #ifdef LOG_ALERT
        if(!strcasecmp("LOG_ALERT", tmp))
        {
            data->priority = LOG_ALERT;
        }
        else
    #endif

and further down:

        {
            LogMessage("WARNING => Unrecognized syslog "
                       "facility/priority: %s\n", tmp);
        }
    }

Doesn't this mean that unless the LOG_ALERT variable was defined at compile time, this code will not be included in the binary? Maybe when I compiled my barnyard2 it was not defined?
These defines will be defined in /usr/include/sys/syslog.h which is pulled in at the top of spo_alert_syslog.h.
Also, looking at the code, there are comments there that indicate that maybe what I'm trying to do is only supported on WIN32?

    /*
     * NON-WIN32: Config should be in the format:
     *    output alert_syslog: LOG_AUTH LOG_ALERT
     *
     * WIN32: Config can be in any of these formats:
     *    output alert_syslog: LOG_AUTH LOG_ALERT
     *    output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
     *    output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
     */
The output plugins are 99.9% aligned to those of Snort, thus if you can do something with Snort's output plugin (except spo_alert_sf_socket) that you can't do in barnyard2, then this is a bug.
However, if you are attempting to define a remote IP for a non-win32 system, then no, you can't do this with either the Snort or barnyard2 syslog plugins.
I believe the old spo_alert_syslog2 had this support but was later deprecated in favor of using syslog forwarding.
Thanks, Shawn
Regards,
--
firnsy
www.securixlive.com
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
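To make the parsing discussed above concrete, here is an added example (not barnyard2's or Snort's own code) that mirrors the pattern Shawn quoted: the LOG_* names come from <syslog.h>, each comparison sits behind the same #ifdef guard, and anything else falls through to the "Unrecognized" warning, which is why a host=hostname token is rejected on a non-WIN32 build. The function names, the whitespace tokenizing and the single-int result (facility | priority) are my assumptions, not barnyard2's structures.

```c
/* Added example, not barnyard2 code: resolves "output alert_syslog:"
 * tokens such as "LOG_AUTH LOG_ALERT" the way spo_alert_syslog does,
 * using the macros that <syslog.h> supplies on POSIX systems. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */
#include <syslog.h>    /* LOG_AUTH, LOG_ALERT, ... */

/* Returns the macro value for one facility/priority name, or -1 when
 * the name is unknown (or its macro was not defined at compile time,
 * in which case the #ifdef removes that comparison from the binary). */
int syslog_token_value(const char *tmp)
{
#ifdef LOG_AUTH
    if (!strcasecmp("LOG_AUTH", tmp)) return LOG_AUTH;
#endif
#ifdef LOG_LOCAL0
    if (!strcasecmp("LOG_LOCAL0", tmp)) return LOG_LOCAL0;
#endif
#ifdef LOG_ALERT
    if (!strcasecmp("LOG_ALERT", tmp)) return LOG_ALERT;
#endif
#ifdef LOG_WARNING
    if (!strcasecmp("LOG_WARNING", tmp)) return LOG_WARNING;
#endif
    fprintf(stderr, "WARNING => Unrecognized syslog facility/priority: %s\n", tmp);
    return -1;
}

/* Hypothetical helper: parses the whole argument string and ORs the
 * recognised values together (facility | priority), the form that
 * openlog()/syslog() expect. Returns -1 if any token is unrecognised,
 * so the WIN32-only "host=hostname," form fails here on non-WIN32. */
int parse_alert_syslog_args(const char *args)
{
    char buf[128];
    int combined = 0;
    char *tok;

    strncpy(buf, args, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        int v = syslog_token_value(tok);
        if (v < 0) return -1;
        combined |= v;
    }
    return combined;
}
```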