Snort mailing list archives
Re: snort 2.9.6.2 unified2
From: John Hally <JHally () EBSCO COM>
Date: Tue, 23 Sep 2014 09:41:07 +0000
Thanks Sharif,

That line is there, just a typo:

config archivedir: /var/log/barnyard2/archive
config process_new_records_only
input unified2
output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com

Should have been:

config archivedir: /var/log/barnyard2/archive
config process_new_records_only
input unified2
output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com

I've also verified that I can connect to mysql from the snort system using the credentials, view tables, etc. I can also manually run barnyard2 in batch mode and process individual files.

Thanks,
John.

On 9/23/14, 5:32 AM, "Sharif Uddin" <Sharif.Uddin () spectrumasa com> wrote:

In barnyard add
output database: log, mysql, user=root password=*** dbname=snorby host=localhost
make sure mysql is started.

In snort config change the logfile name
output unified2: filename snort.u2, limit 128

start barnyard2 after you have started snort with
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /tmp/barnyard2.waldo

-----Original Message-----
From: John Hally [mailto:JHally () EBSCO COM]
Sent: 23 September 2014 10:24
To: Shirkdog
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.6.2 unified2

Hi Michael,

Barnyard config:

config reference_file: /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file: /etc/snort/etc/gen-msg.map
config sid_file: /etc/snort/etc/sid-msg.map
config daemon
config logdir: /var/log/snort
config hostname: snort1
config interface: eth1
config alert_with_interface_name
config waldo_file: /tmp/barnyard2.waldo
config reference_net: 10.0.0.0/8
config archivedir: /var/log/barnyard2/archive
config process_new_records_only
input unified2
output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com

Relevant snort config:

config logdir: /var/log/snort
output unified2: filename snort.log, limit 128, nostamp

Startup of barnyard2:
/usr/local/bin/barnyard2 -u snort -g snort -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -w /var/log/barnyard2/barnyard2.waldo

Startup of snort:
/usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf

Thanks for the help!
John.

On 9/22/14, 9:40 PM, "Shirkdog" <shirkdog () gmail com> wrote:

Now we need your barnyard config to show that it is reading unified2 format.

If your barnyard is 2.1-13 BETA (current git checkout), you should have this in your conf file

# this is not hard, only unified2 is supported ;)
input unified2

---
Michael Shirk

On Mon, Sep 22, 2014 at 9:18 PM, John Hally <JHally () ebsco com> wrote:

Hi All,

I'm having an issue that I just can't figure out. I'm trying to combine alerts and logs in unified2 format, which I have the following in my snort.conf file:

output unified2: filename snort.log, limit 128, nostamp

The issue is when I try to get barnyard2 to process the file. It seems that if I run snort like the following, barnyard2 reports that it's waiting for a spool file:

/usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf

And barnyard2 never finds the snort.log file that is created. BUT if I run snort this way:

/usr/local/bin/snort -A full -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf

barnyard2 finds the snort.log.##### filename that gets created, but I think the file format isn't correct.

Sorry if this is more of a barnyard2 issue than snort.

Thanks!
John

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
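The thread turns on whether the spool file Snort writes is really unified2 and whether barnyard2 is being pointed at it. A quick, independent way to settle the first question is to walk the record headers yourself. The script below is an added example, not code from the thread or from the Snort or Barnyard2 projects; the record type numbers and field layouts follow Snort's public README.unified2 (an assumption stated here, not something the thread cites), and the sample spool it builds in memory is constructed for the demonstration. Pointed at a real file (`python3 u2walk.py /var/log/snort/snort.log`) it counts records by type and prints the IPv4 event fields barnyard2 would load into its database; a file that is not unified2 fails on the first header.

```python
#!/usr/bin/env python3
"""Walk a unified2 spool file and report what it contains.

Added example (not from the thread or the Snort/Barnyard2 projects). Record
type numbers and layouts are taken from Snort's README.unified2; the sample
records below are constructed in memory for demonstration only.
"""
import socket
import struct
import sys

# Record type identifiers from README.unified2 (Snort 2.9.x).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7             # legacy IPv4 event
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104      # IPv4 event "v2", written by 2.9.x by default
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110

RECORD_NAMES = {
    UNIFIED2_PACKET: "PACKET",
    UNIFIED2_IDS_EVENT: "IDS_EVENT",
    UNIFIED2_IDS_EVENT_IPV6: "IDS_EVENT_IPV6",
    UNIFIED2_IDS_EVENT_VLAN: "IDS_EVENT_VLAN",
    UNIFIED2_IDS_EVENT_IPV6_VLAN: "IDS_EVENT_IPV6_VLAN",
    UNIFIED2_EXTRA_DATA: "EXTRA_DATA",
}

RECORD_HEADER = struct.Struct("!II")            # (type, length), network byte order
IPV4_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # 52-byte prefix shared by types 7 and 104
PACKET_HEADER = struct.Struct("!IIIIIII")       # 28-byte prefix; raw packet bytes follow


def iter_records(data):
    """Yield (record_type, payload) per record; ValueError on truncation.

    A ValueError on the very first header is the usual sign that the file is
    not unified2 at all (for example a text alert file).
    """
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER.size:
            raise ValueError("truncated record header at offset %d" % offset)
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        if rlen > len(data) - offset:
            raise ValueError("record type %d at offset %d claims %d bytes, %d left"
                             % (rtype, offset - RECORD_HEADER.size, rlen, len(data) - offset))
        yield rtype, data[offset:offset + rlen]
        offset += rlen


def decode_ipv4_event(payload):
    """Decode the fields barnyard2 maps into its event table (IPv4 records)."""
    if len(payload) < IPV4_EVENT.size:
        raise ValueError("event record too short: %d bytes" % len(payload))
    f = IPV4_EVENT.unpack_from(payload, 0)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "sid": f[4], "gid": f[5], "rev": f[6],
        "classification": f[7], "priority": f[8],
        "src": socket.inet_ntoa(struct.pack("!I", f[9])),
        "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }


def summarize(data):
    """Count records by type; unknown types are reported rather than dropped."""
    counts = {}
    for rtype, _ in iter_records(data):
        name = RECORD_NAMES.get(rtype, "UNKNOWN_%d" % rtype)
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_sample_spool():
    """Construct a two-record spool: one IPv4 event v2 and its packet (made-up values)."""
    event_body = IPV4_EVENT.pack(
        1, 42, 1411465200, 0,          # sensor_id, event_id, event_second, event_usec
        2000001, 1, 3,                 # sid, gid, rev
        29, 2,                         # classification_id, priority_id
        struct.unpack("!I", socket.inet_aton("10.0.0.5"))[0],
        struct.unpack("!I", socket.inet_aton("10.0.0.9"))[0],
        44321, 80, 6,                  # sport, dport, protocol (TCP)
        0, 0, 0,                       # impact_flag, impact, blocked
    ) + struct.pack("!IHH", 0, 0, 0)   # mpls_label, vlan_id, pad (type 104 only)
    packet_bytes = b"\x45\x00\x00\x14" + b"\x00" * 16   # constructed 20-byte stub
    packet_body = PACKET_HEADER.pack(1, 42, 1411465200, 1411465200, 0, 1,
                                     len(packet_bytes)) + packet_bytes
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT_VLAN, len(event_body)) + event_body
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet_body)) + packet_body)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_spool()
    print(summarize(blob))
    for rtype, payload in iter_records(blob):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            print(decode_ipv4_event(payload))
```

Run with no argument it walks the constructed sample; run against the `snort.log` or `snort.log.<timestamp>` file from the thread it tells you in one line whether barnyard2 is being handed unified2 records at all, which separates a spool-naming problem (barnyard2 never opening the file) from a format problem (barnyard2 opening it and rejecting the contents).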
Current thread:
- snort 2.9.6.2 unified2 John Hally (Sep 22)
- Re: snort 2.9.6.2 unified2 Shirkdog (Sep 22)
- Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
- Re: snort 2.9.6.2 unified2 Sharif Uddin (Sep 23)
- Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
- Re: snort 2.9.6.2 unified2 Sharif Uddin (Sep 23)
- Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
- Re: snort 2.9.6.2 unified2 Sharif Uddin (Sep 23)
- Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
- Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
- Re: snort 2.9.6.2 unified2 Shirkdog (Sep 22)