Snort mailing list archives
barnyard
From: James Ashton <admin () gitflorida com>
Date: Mon, 10 Jun 2002 01:01:07 -0400
I'm back. I am attempting to get barnyard working. I am running:

./barnyard -o -c /etc/snort/barnyard -d /var/log/snort -f snort.alert.17326~

Here is the screen output I get:

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
WARNING /etc/snort/barnyard.conf(153) => Unknown output plugin "alert_acid_db" referenced, ignoring!
ERROR => Unable to open SID file "/etc/snort/sid-msg.map": No such file or directory
Barnyard Version 0.1.0-beta7 (Build 10) started
Number of records: 56
Exiting

Here is barnyard.conf:

#-------------------------------------------------------------
# http://www.snort.org Barnyard 0.1.0 configuration file
# Contact: snort-barnyard () lists sourceforge net
#-------------------------------------------------------------
# $Id: barnyard.conf,v 1.17 2002/05/27 15:06:10 andrewb Exp $

########################################################
# Currently you want to do two things in here: turn on
# available data processors and turn on output plugins.
# The data processors (dp's) and output plugin's (op's)
# automatically associate with each other by type and
# are automatically selected at run time depending on
# the type of file you try to load.
########################################################

# Step 0: configuration declarations
# To keep from having a commandline that uses every letter in the alphabet
# most configuration options are set here

# enable daemon mode
# config daemon

# use localtime instead of UTC (*not* recommended because of timewarps)
#config localtime

# set the hostname (currently only used for the acid db output plugin)
config hostname: snorthost

# set the interface name (currently only used for the acid db output plugin)
config interface: lo

# set the filter (currently only used for the acid db output plugin)
config filter: not port 22

# Step 1: setup the data processors

# dp_alert
# --------------------------
# The dp_alert data processor is capable of reading the alert (event) format
# generated by Snort's spo_unified plug-in. It is used with output plug-ins
# that support the "alert" input type. This plug-in takes no arguments.
processor dp_alert

# dp_log
# ---------------------------
# The dp_log data processor is capable of reading the log format generated
# by Snort's spo_unified plug-in. It is used with output plug-ins
# that support the "log" input type. This plug-in takes no arguments.
processor dp_log

#-----------------------------
# Converts data from the dp_log plugin into standard pcap format
# Argument: <filename>
#output log_pcap

# acid_db
#-------------------------------
# Available as both a log and alert output plugin. Used to output data into
# the db schema used by ACID
# Arguments:
# $db_flavor - what flavor of database (ie, mysql)
# sensor_id $sensor_id - integer sensor id to insert data as
# database $database - name of the database
# server $server - server the database is located on
# user $user - username to connect to the database as
# password $password - password for database authentication
output alert_acid_db: mysql, sensor_id 1, database snort2, server localhost, user snort, password snort
# output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, detail full

# dport_icode - dest port or ICMP code (or 0)
# dport - dest port
# icode - ICMP code (if ICMP)
# proto - protocol number
# protoname - protocol name
# flags - flags from UnifiedAlertRecord
# msg - message text
#
# Examples:
# output alert_csv: /var/log/snort/csv.out
# output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode
# output alert_csv: csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode

# alert_syslog
#-----------------------------
# Converts data from the alert stream into an approximation of Snort's
# syslog alert output plugin. Same arguments as the output plugin in snort.
#output alert_syslog

# log_pcap
#-----------------------------
# Converts data from the dp_log plugin into standard pcap format
# Argument: <filename>
#output log_pcap

# acid_db
#-------------------------------
# Available as both a log and alert output plugin. Used to output data into
# the db schema used by ACID
# Arguments:
# $db_flavor - what flavor of database (ie, mysql)
# sensor_id $sensor_id - integer sensor id to insert data as
# database $database - name of the database
# server $server - server the database is located on
# user $user - username to connect to the database as
# password $password - password for database authentication
output alert_acid_db: mysql, sensor_id 1, database snort2, server localhost, user snort, password snort
# output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, detail full

I have added gen-msg.map to the /etc/snort directory, but I don't know where to get sid-msg.map, and why am I having the problem with alert_acid_db?? I have been watching traffic patterns and think that my speed problem is in the DB writing. I think that barnyard will solve some of that, if I can get it to work. Thanks in advance. All the previous help has been appreciated.

_______________________________
James Ashton
Network Admin / Chief of client monitoring
Global Internet Tech, Inc
13840 Osprey Links Dr, #219
Orlando Fl, 32837
407-859-5218
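The two messages in the screen output above are the kind of thing a small pre-flight check can catch before barnyard is started: the "Unknown output plugin" warning means alert_acid_db is not among the output plugins this build printed as loaded, and the ERROR line means the SID map file the config points at does not exist. The checker below is an added example written for this thread; it is not barnyard's own code and not from the poster. It assumes the directive syntax visible in the posted barnyard.conf (config key: value, processor name, output name: args), takes the loaded plugin names from the screen output in the post (the config keyword for the "Fast Alert plugin" line is assumed to be alert_fast), uses a constructed, trimmed copy of the posted config as its sample input, and also flags a config that embeds a database password, since such a file should not be group- or world-readable.

```python
"""Sanity-check a barnyard.conf against what the barnyard binary reports it loaded.

Added example for this thread; not barnyard's own code. It assumes the
directive syntax visible in the posted config file:
    config <key>: <value>      processor <name>      output <name>: <args>
"""
import os
import re

# Constructed from the screen output in the post. These are the config-file
# keywords for the plugins the build printed as loaded; the keyword for the
# "Fast Alert plugin" line is assumed to be alert_fast.
LOADED_OUTPUT_PLUGINS = {"alert_fast", "alert_syslog", "log_dump", "log_pcap", "alert_csv"}
LOADED_PROCESSORS = {"dp_alert", "dp_log", "dp_stream_stat"}

DIRECTIVE_RE = re.compile(r"^(config|processor|output)\s+([A-Za-z0-9_]+)\s*:?\s*(.*)$")

# Constructed sample: a trimmed copy of the posted barnyard.conf.
SAMPLE_CONF = """\
# constructed sample, trimmed from the posted barnyard.conf
config hostname: snorthost
config interface: lo
config filter: not port 22
processor dp_alert
processor dp_log
#output alert_syslog
#output log_pcap
output alert_acid_db: mysql, sensor_id 1, database snort2, server localhost, user snort, password snort
# output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, detail full
"""


def parse_barnyard_conf(text):
    """Return (lineno, kind, name, args) for every active directive.

    Text after '#' is a comment, so a line such as '#output log_pcap' is
    inactive and skipped, which is how the posted config disables plugins.
    """
    directives = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            kind, name, args = match.groups()
            directives.append((lineno, kind, name, args.strip()))
    return directives


def check_conf(text, sid_map_path=None, gen_map_path=None,
               loaded_outputs=LOADED_OUTPUT_PLUGINS,
               loaded_processors=LOADED_PROCESSORS):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    for lineno, kind, name, args in parse_barnyard_conf(text):
        if kind == "output" and name not in loaded_outputs:
            problems.append(f"line {lineno}: output plugin '{name}' is not among the "
                            f"plugins this build loaded; barnyard will ignore it")
        elif kind == "processor" and name not in loaded_processors:
            problems.append(f"line {lineno}: processor '{name}' is not among the "
                            f"processors this build loaded")
        if kind == "output" and "password" in args:
            problems.append(f"line {lineno}: output '{name}' embeds a database "
                            f"password; the config file must not be group/world readable")
    # The posted run reports the SID map as missing, so check the map files up front.
    for label, path in (("sid-msg.map", sid_map_path), ("gen-msg.map", gen_map_path)):
        if path is not None and not os.path.isfile(path):
            problems.append(f"{label} not found at {path}")
    return problems


def secrets_mode_ok(mode):
    """True if a permission mode grants no group/other access (e.g. 0o600)."""
    return (mode & 0o077) == 0


def conf_file_mode_ok(path):
    """Apply secrets_mode_ok to a real file; False if the file is missing."""
    try:
        return secrets_mode_ok(os.stat(path).st_mode & 0o777)
    except OSError:
        return False


if __name__ == "__main__":
    # Paths as used in the post; adjust to the sensor's actual layout.
    for problem in check_conf(SAMPLE_CONF,
                              sid_map_path="/etc/snort/sid-msg.map",
                              gen_map_path="/etc/snort/gen-msg.map"):
        print(problem)
```

Run against the sample, the checker reports the alert_acid_db directive as referencing a plugin the build did not load, which is the condition the warning at barnyard.conf line 153 describes, and reports the embedded password; with the map paths supplied it also reports whichever of sid-msg.map and gen-msg.map is absent from the directory.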