Snort mailing list archives

Re: Snortsam patch for 2.9.3.1


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 19 Nov 2012 21:01:31 -0500

On 11/19/2012 17:11, Jeremy Hoel wrote:
> There are output files in the snort.conf to generate those..

i know there are entries in the snort.conf for them but none of them are enabled...

> and if it's not snort.conf there's another system file in play giving you
> those outputs.  Maybe under /etc/default or /etc/sysconfig.

not on this closed system... none of that "fancy schmansy" stuff exists... there 
is only snort.conf and snort's internal defaults...

> The reason I say this is because it is possible to turn them off so the
> only output is a unified2 binary file, but it's all completely configurable.

true... i'm just not (1) sure which ones are defaults and (2) what will be 
affected by enabling other settings in the snort.conf which are currently 
disabled...

NOTE: that we still support snort 2.8.6.1 as well as newer versions... /none/ of 
them have any output processors defined in the snort.conf... only the default 
snort ones are used...

FWIW: it was a while before we found out that the snort.log.xxxxxxxxxx ones were 
pcap files... and then it took joel to tell us when we sent him one to try to 
figure out what was recorded in it while we were trying to work on some snort 
rules... we knew the data we needed was in the file but there was nothing in the 
startup of snort that was logged that stated what output processors were being 
used...


On Nov 19, 2012 2:04 PM, "waldo kitty" <wkitty42 () windstream net> wrote:

    On 11/19/2012 16:38, Jeremy Hoel wrote:
    > And the answer to your question is yes.  You can still leave the snort.conf
    > output to write to the text alert files and also add the unified2 file and let
    > barnyard2 work on that and migrate over to a new front end over time.

    that's what i was thinking/hoping... i also just want to clarify the files i'm
    speaking of...

    1. there is only one alert file that is ascii text... this file builds over time
    until some external process removes it...

    2. the snort.log.xxxxxxxxxx files are pcap files where snort has saved the
    packet(s) that make up an alert... there's one file used for each run of
    snort... if you run snort 4 times in a period, there will be 4 of these files...

    3. there are /no/ output plugins defined in the snort.conf... the above
    mentioned output files are defaults that snort uses automatically unless they
    are overridden (i guess)...

    > On Nov 19, 2012 9:53 AM, "waldo kitty" <wkitty42 () windstream net> wrote:
    >
    >     On 11/19/2012 12:34, Joel Esler wrote:
    >     > All output methods are available there.  Leaving Snort to do its job as
    >     > an IDS.
    >
    >     i love bikinis! they're short and to the point ;) OB-) [/DOM]
    >
    >     but seriously... other than analysis of the alert file and possibly looking at
    >     the packets saved in the snort.log.xxxxxxxxxx files, what benefits are there for
    >     these small systems?
    >
    >     you still need some kind of "front end" right?
    >
    >     can barnyard2 be added without losing or changing what is already available in
    >     the existing alert and snort.log.xxxxxxxxxx files? hopefully the answer is "yes"
    >     so that existing practice can still be used while BY2 is being incorporated and
    >     learned (based on the real benefits it may offer)...
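As an added example (not from the thread or from the Snort/barnyard2 projects), this is what "keep the text outputs and add unified2" looks like in the two config files. It assumes the default outputs the thread describes are the alert_full and log_tcpdump plugins, and the paths, filenames and rollover size are made-up choices.

```conf
# snort.conf: spell out the two implicit defaults, then add unified2.
# (Example added for this thread; paths, filenames and sizes are assumptions.)

# Same ASCII "alert" file snort writes when no output plugin is configured
# (full alert format, in the -l log directory).
output alert_full: alert

# Same snort.log.<unix-timestamp> pcap file snort writes by default:
# one file per snort run, holding the packets that triggered alerts.
output log_tcpdump: snort.log

# New: binary unified2 spool for barnyard2. Does not replace the two above.
# Files roll over at 128 MB and are named snort.u2.<unix-timestamp>.
output unified2: filename snort.u2, limit 128

# ---------------------------------------------------------------------
# barnyard2.conf: consume the unified2 spool; snort's text outputs are untouched.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config logdir: /var/log/barnyard2
# bookmark file so a restart resumes where it stopped instead of re-reading
config waldo_file: /var/log/snort/barnyard2.waldo

input unified2

# a second, fast-format text copy of the alerts written by barnyard2
output alert_fast: /var/log/barnyard2/alert.fast
# a database "front end" is just one more output line (placeholder credentials):
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

barnyard2 is then started against the spool with `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo`, while snort keeps producing its own alert and snort.log.* files exactly as before.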

