Snort mailing list archives
Re: Snort/Banyard2 Logging
From: beenph <beenph () gmail com>
Date: Fri, 13 Jul 2012 17:27:45 -0400
On Fri, Jul 13, 2012 at 4:33 PM, Eric Luellen <eluellen () perimeterusa com> wrote:
Hello, I need some help with my Snort/Barnyard2 setup. My goal is to have Snort send unified2 logs to Barnyard2 and then have Barnyard2 send the data to other locations. Here is my current setup. OS - Scientific Linux 6 Snort Version - 2.9.2.3 Barnyard2 Version - 2.1.9 Snort command - snort -c /etc/snort/snort.conf -i eth2 & Barnyard2 command - /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo & snort.conf - output unified2: filename snort.log, limit 128 barnyard2.conf - output alert_syslog: host=127.0.0.1 - output database: log, mysql, user=snort dbname=snort password=password host=localhost With this setup, barnyard2 is showing all of the correct information in the database and I'm using BASE to view it on the web GUI. I was hoping to be able to send the full packet data to syslog with barnyard2 but after reading around, it seems that it is impossible to do that. So I then started trying to modify the snort.conf file and add lines like "output alert_full: alert.full". This definitely gave me a lot more information but still not the full packet data like I want. So my question is, is there any way I can use barnyard2 to send the full packet data of alerts to a human readable file? Since I can't send it directly to syslog, I can create another process to take the data from that file and ship it off to another server. If not, what flags and/or snort.conf configuration would you recommend to get the most data possible but still be able to handle quite a bit of traffic? In the end of it all, these alerts will be shipped to a central server via a SSH tunnel. I'm trying to stay away from databases and would like to get the type of output you get when you add the –v flag and log to the console. However I don’t want it for all traffic, just the alerts. Thanks in advance for any help.
Greetings Eric, Barnyard 2-1.10 has the ability to send full packet over syslog You can get it from there https://github.com/firnsy/barnyard2/tree/pre-stable You could reach your objective by using the following configuration line (adjust it for your setup) # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete or # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514, operation_mode complete -elz ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort/Banyard2 Logging Eric Luellen (Jul 13)
- Re: Snort/Banyard2 Logging beenph (Jul 13)
- Re: Snort/Banyard2 Logging Eric Luellen (Jul 17)
- Re: Snort/Banyard2 Logging beenph (Jul 17)
- Re: Snort/Banyard2 Logging Eric Luellen (Jul 17)
- Re: Snort/Banyard2 Logging beenph (Jul 13)