Snort mailing list archives

Barnyard, ACID output


From: a.h.s. boy <spud () nothingness org>
Date: Thu, 17 Jan 2002 11:12:44 -0500

I recently installed barnyard to handle the various Snort output formats, but the documentation is a bit weak on a few points, so I've had to do some trial-and-error work.

1) Is the Unified log/alert format the only output I need to specify in snort.conf?

2) I have barnyard configured to use fast alert output, but the argument to the output wants a "filename", and though I have "output alert_fast", it creates a file called "fast.alert" (notice the name difference), and it seems to create it in whatever folder I execute the barnyard binary from. I tried entering a full pathname, but it didn't like that format.

3) I have barnyard also set to use syslog output, and that works well. Then I use logcheck to email me hourly reports on snort-related traffic from syslog.

4) I have ACID output configured to go to a MySQL database. The output arguments are described vaguely in the .conf file, but one example in the file includes "detail full", though that isn't explained as a parameter to the output command. What is that specifying?

5) My ACID database is receiving input from barnyard, but ALL the IP addresses are backwards! Instead of "64.129.103.189", it lists the source address as "189.103.129.64". What's up with that?

6) The ACID database no longer contains the packet information like my old configuration (straight from snort to ACID). Is this a deficiency of the Unified format logs?

7) What's the best startup configuration for snort to accomplish what I'm doing? The command line execution call vs. snort.conf vs. barnyard.conf relationship is very poorly documented, so it's hard to figure out where/how to specify what. I currently have:

        daemon /usr/sbin/snort -u snort -g snort -l /var/log/snort -d -D \
                 -i $INTERFACE -c /etc/snort/snort.conf

in my snortd startup, and

        /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort \
                 -w /var/log/snort/alert.offset -g /etc/snort/gen-msg.map \
                 -s /etc/snort/sid-msg.map -f snort.alert &

for barnyard. Actually, how are most people getting barnyard to launch? It doesn't seem to create its own startup file, so I just hacked one together from my paltry understanding of init.d scripts.

Answers to any of these queries would educate me just that much more...

Cheers,
spud.

-------------------------------------------------------------------
a.h.s. boy
spud () nothingness org               "as yes is to if,love is to yes"
http://www.nothingness.org/
PGP Fingerprint: 7B5B 2E7A FA96 865A D9D9  5D6D 54CD D2C1 3429 56B4
-------------------------------------------------------------------
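The reversed addresses in point 5 are the symptom of a byte-order problem: ACID stores IPv4 addresses as 32-bit integers in network (big-endian) order, and a writer that emits them in host order on a little-endian machine produces an integer that decodes with its octets reversed (this diagnosis is an assumption here; the post does not state the cause). The following is an added example, not code from the post or from barnyard/ACID, that models both encodings, shows the repair, and includes a heuristic check against an assumed sensor home network (192.168.1.0/24) to tell whether a table's stored addresses were written swapped:

```python
import ipaddress


def dotted_to_stored(dotted: str, network_order: bool = True) -> int:
    """Model of writing an IPv4 address into a 32-bit unsigned DB column.
    network_order=True is the correct encoding (what ACID expects);
    network_order=False models a writer that skips the host-to-network
    conversion on a little-endian host, so the four bytes land reversed."""
    raw = ipaddress.IPv4Address(dotted).packed
    return int.from_bytes(raw, "big" if network_order else "little")


def stored_to_dotted(value: int) -> str:
    """ACID's side: interpret the stored column as a network-order address."""
    return str(ipaddress.IPv4Address(value))


def byteswap32(value: int) -> int:
    """Reverse the byte order of a 32-bit value (undoes a swapped write)."""
    return int.from_bytes(value.to_bytes(4, "little"), "big")


def detect_swap(stored_values, home_net: str) -> bool:
    """Heuristic for a table whose addresses were written swapped: decode
    every value both ways and see which reading puts more addresses inside
    the sensor's own network. True means the swapped reading fits better,
    i.e. the column should be repaired with byteswap32()."""
    net = ipaddress.IPv4Network(home_net)
    as_is = sum(ipaddress.IPv4Address(v) in net for v in stored_values)
    swapped = sum(ipaddress.IPv4Address(byteswap32(v)) in net for v in stored_values)
    return swapped > as_is


if __name__ == "__main__":
    good = dotted_to_stored("64.129.103.189")                       # 0x408167BD
    bad = dotted_to_stored("64.129.103.189", network_order=False)   # 0xBD678140
    print(stored_to_dotted(good))              # 64.129.103.189
    print(stored_to_dotted(bad))               # 189.103.129.64, the symptom in the post
    print(stored_to_dotted(byteswap32(bad)))   # 64.129.103.189 again, after repair
    # Constructed sample rows from a swapped writer; home network is assumed.
    rows = [dotted_to_stored(a, network_order=False)
            for a in ("192.168.1.5", "192.168.1.9", "64.129.103.189")]
    print(detect_swap(rows, "192.168.1.0/24"))  # True
```

Run it against the ip_src/ip_dst values of a few rows taken from the real database to confirm which encoding they carry before touching the table.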


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net