Snort mailing list archives

Re: Barnyard2 + Snort


From: <snort () leeclemens net>
Date: Thu, 25 Mar 2010 17:31:00 -0400

I believe -f uses the prefix, not the full directory path supplied after -d.  If using continuous mode, you should
configure a waldo file, or use -w as well.

-----Original Message-----
From:  Fábio Ferrão <ferrao04 () gmail com>
Date:  Thu Mar 25, 2010 14:50

Dears,

My barnyard2 is initialized successfully, but the alerts aren't registering in BASE.
The snort.conf is:


# output database: log, mysql, user=snort password=test dbname=snort host=xx.xx.xx.xx sensor_name=test_server
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test

output alert_unified: filename snort_uni.alert, limit 128
output log_unified: filename snort_uni.log, limit 128
output unified2: filename snort.unified2, limit 128


The snort initialization is:


/etc/rc.conf
snort_enable="YES"
snort_flags="-D -q"
snort_interface="bge1"
snort_conf="/usr/local/snort/snort.conf"
snort_group="snortgrp"

The barnyard2.conf is:

config reference-map:   /usr/local/snort/reference.config
config class-map:       /usr/local/snort/classification.config
config gen-msg-map:     /usr/local/snort/gen-msg.map
config sid-msg-map:     /usr/local/snort/sid-msg.map

config hostname:        teste_server
config interface:       bge1



# Step 2: setup the input plugins
input unified2

output database: log, mysql, user=snort password=test dbname=snort host=xx.xx.xx.xx sensor_name=test_server
output database: alert, mysql, user=snort password=suporte dbname=snort host=xx.xx.xx.xx sensor_name=teste_server


The barnyard2 initialization is:


####BARNYARD2####
barnyard2_enable="YES"
barnyard2_flags="-D -q -d /var/spool/barnyard2 -f /var/log/snort/snort.unified2"
barnyard2_conf="/usr/local/etc/barnyard2.conf"

I'm trying, but barnyard isn't successful yet.

Can somebody help me?

Thanks.

-- 
Fábio Ferrão

"And you will know the truth, and the truth will set you free."    John 8.32
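To make the -d / -f point concrete, here is a small check (an added shell example, not from the thread) that takes the directory and prefix barnyard2 is started with and reports the two mistakes visible in the posted rc.conf: a full path after -f, and a spool directory that snort does not write into. The temporary layout and the unified2 file name with a timestamp suffix are constructed; the waldo file (-w) is not covered.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the -d / -f pair that
# barnyard2 is started with. The paths and file names below are constructed
# to mirror the rc.conf in the post.

# check_spool_flags DIR PREFIX
#   0  DIR exists and holds at least one file named PREFIX*
#   1  PREFIX contains a slash (a full path was given where -f wants a prefix)
#   2  DIR does not exist
#   3  no file in DIR starts with PREFIX (snort is writing somewhere else)
check_spool_flags() {
    dir=$1
    prefix=$2
    case $prefix in
        */*) echo "error: -f wants a file prefix, not a path: $prefix" >&2
             return 1 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "error: spool directory missing: $dir" >&2
        return 2
    fi
    for f in "$dir/$prefix"*; do
        if [ -e "$f" ]; then
            return 0
        fi
    done
    echo "error: nothing named $prefix* in $dir; check snort's log dir" >&2
    return 3
}

# demo: run the check against a constructed layout where snort writes its
# unified2 files under $tmp/snort and the spool dir given to -d is elsewhere.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/snort" "$tmp/barnyard2"
    : > "$tmp/snort/snort.unified2.1269550000"   # constructed timestamp suffix
    # 1) the flags as posted: full path after -f
    r1=0; check_spool_flags "$tmp/barnyard2" "$tmp/snort/snort.unified2" || r1=$?
    # 2) prefix only, but -d points where snort is not writing
    r2=0; check_spool_flags "$tmp/barnyard2" "snort.unified2" || r2=$?
    # 3) -d is snort's log directory and -f is the bare prefix
    r3=0; check_spool_flags "$tmp/snort" "snort.unified2" || r3=$?
    rm -rf "$tmp"
    echo "$r1 $r2 $r3"
}
```

Run `demo` to see the three outcomes; the last case is the combination barnyard2 expects.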
 
  

