Snort mailing list archives

Re: Snort + barnyard2 + BASE


From: "Paul Schmehl" <pschmehl_lists () tx rr com>
Date: Tue, 22 Sep 2009 11:42:03 -0500

You're outputting unified files from snort and trying to read unified2 files
in barnyard2.  Barnyard2 can read either, so I would suggest changing snort
to output unified2 files.

Paul Schmehl (pschmehl_lists () tx rr com)
In case it isn't already obvious, my opinions
are my own and not those of my employer
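A small cross-check for the mismatch Paul points out, added here as an example and not part of the thread: it reads the output plugins named in snort.conf and the input line in barnyard2.conf, and reports when the two formats (or the -f spool prefix) disagree. The plugin-name grouping and the embedded conf snippets are this example's own assumptions.

```python
import re
# Snort output plugins grouped by on-disk format (grouping is this example's own).
UNIFIED_PLUGINS = {'alert_unified', 'log_unified', 'unified'}
UNIFIED2_PLUGINS = {'alert_unified2', 'log_unified2', 'unified2'}
def snort_output_formats(snort_conf):
    """Map each unified-style format in snort.conf to its spool filename prefixes."""
    formats = {}
    for line in snort_conf.splitlines():
        m = re.match(r'\s*output\s+(\w+)\s*:(.*)', line)
        if not m:
            continue
        plugin, args = m.groups()
        if plugin in UNIFIED_PLUGINS:
            fmt = 'unified'
        elif plugin in UNIFIED2_PLUGINS:
            fmt = 'unified2'
        else:
            continue  # database, alert_fast, ... write no spool file
        name = re.search(r'filename\s+([^,\s]+)', args)
        formats.setdefault(fmt, []).append(name.group(1) if name else None)
    return formats

def barnyard2_input_format(by2_conf):
    """Return the format named on the 'input' line of barnyard2.conf, or None."""
    for line in by2_conf.splitlines():
        m = re.match(r'\s*input\s+(unified2?)\b', line)
        if m:
            return m.group(1)
    return None

def check_pipeline(snort_conf, by2_conf, spool_prefix):
    """List mismatches that would leave barnyard2 reading no records."""
    problems = []
    outputs = snort_output_formats(snort_conf)
    reader = barnyard2_input_format(by2_conf)
    if not outputs:
        problems.append('snort.conf has no unified/unified2 output plugin')
    if reader is None:
        problems.append('barnyard2.conf has no input line')
    for fmt in outputs:
        if reader and fmt != reader:
            problems.append(f'snort writes {fmt} but barnyard2 reads {reader}')
    names = [n for ns in outputs.values() for n in ns]
    if names and spool_prefix not in names:
        problems.append(f'barnyard2 -f {spool_prefix} matches none of {names}')
    return problems

# Constructed inputs mirroring the configuration quoted in the thread.
SNORT_CONF_BROKEN = ("output alert_unified: filename snort.alert, limit 128\n"
                     "output log_unified: filename snort.log, limit 128\n")
SNORT_CONF_FIXED = "output unified2: filename snort.log, limit 128\n"
BY2_CONF = "input unified2\noutput database: log, mysql, user=snort dbname=snort\n"
```

Running check_pipeline(SNORT_CONF_BROKEN, BY2_CONF, 'snort.log') flags the unified/unified2 mismatch from the thread, while the same call with SNORT_CONF_FIXED returns an empty list.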

-----Original Message-----
From: James Chase [mailto:james () mandala-designs com] 
Sent: Tuesday, September 22, 2009 10:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort + barnyard2 + BASE

Hi,

I have successfully setup snort/barnyard/base before but I am now
setting up a new sensor using barnyard2. I was able to confirm that
everything is working by using barnyard but when I try and use
barnyard2, I do not see any new events added via BASE.

Here is my output in snort.conf:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

and I am running snort like so: /usr/sbin/snort -D -i eth0 -u snort -g
snort -c /etc/snort/snort.conf -l /var/log/snort

Here is my setup in barnyard2.conf:

input unified2
output database: log, mysql, user=snort password=password dbname=snort
host=localhost
output database: alert, mysql, user=snort password=password dbname=snort
host=localhost  ##I did just have log, but when it wasn't working, I
decided to try it with this output as well, like in barnyard(1).

running barnyard2 with these options: /usr/local/bin/barnyard2 -c
/etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S
/etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w
/var/log/snort/barnyard2.waldo -D


I do not think the waldo file is working correctly, but that just tells
barnyard2 where to start right? When barnyard2 starts up it sees the
files but does not read any records from it and BASE does not show any
new alerts.

I've banged my head for a while but am sure I missed something very simple?

James



------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users