RE: output options in barnyard

[Steve Halligan <giermo () geeksquad com>]

Damn, I just figured it out...
Alert_fast is an ALERT plugin.  If you don't have barnyard processing the
unified ALERT file you will get no alerts sent to alert_fast.

Is there any way to get a single instance of Barnyard to process snort.alert
and snort.log files?
the -f switch is where you specify the input filename, can you call -f
twice?
barnyard -d /var/log/snort -f snort.log -f snort.alert -L /var/log/barnyard
-c /etc/barnyard/barnyard.conf

Like that?

-steve
 
> > Chris Eidem wrote:
> > > I'm all confused, in barnyard.conf, alert_fast and log_pcap take an
> > > filename as an argument, but docs/USAGE states they do not.  I'm
> > > assuming that they don't since barnyard complains mightily 
> > if they're
> > > there.  Ok, so I don't add a file name, but then, what is 
> > written where?
> > > I've looked in ./, /var/log, /var/log/snort, but no joy.
> >
> >
> > The conf file is correct in this case.  What error is it 
> > giving when you 
> > specify a filename?
>
> andrew,
>
> here's the output from reload of the .conf file (shown bottom):
>
> root@cubanelle /usr/local/snort-beta$ kill -HUP 27669       
> AcidDbOpStop
> Reloading configuration
> Loading Data Processors...
> dp_alert loaded
> dp_log loaded
> root@cubanelle /usr/local/snort-beta$ dp_stream_stat loaded
> Loading Built-in Output Plugins...
> Fast Alert plugin initialized
> AlertSyslog initialized
> Log Dump plugin initialized
> LogPcap initialized
> AcidDb output plugin initialized
> AlertCSV initialized
> Parsing Config file: by-xl1.conf
> WARNING by-xl1.conf(8) => Unknown output plugin "alert_fast alert-xl1"
> referenced, ignoring!Args: mysql, sensor_id 1, database stest, server
> localhost, user snort, detail full, password snort
> WARNING ./classification.config(95): Duplicate classification
> "not-suspicious"found, ignoring this line
>
> ...
> [similar './classification.config(X):' warnings deleted for brevity ]
> ...
>
> Barnyard Version 0.1.0-rc2 (Build 11) started
> AcidDbOpStart
> OpAcidDB configuration details
> Database Flavour: mysql
> Detail Level: Full
> Database Server: localhost
> Database User: snort
> SensorID: 1
> AcidDbOpStart Complete
>
>
>
> barnyard.conf
> ------------
> config hostname: cubanelle
> config localtime
> config interface: xl1
> config filter: not port 22
> processor dp_alert
> processor dp_log
> processor dp_stream_stat
> output alert_fast alert-xl1
> output log_pcap 
> # output alert_acid_db: mysql, sensor_id 1, database stest, server
> localhost, user snort, password snort
> output log_acid_db: mysql, sensor_id 1, database stest, server
> localhost, user snort, detail full, password xxxxxxxxx
>
> thanks for your help,
> - chris
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: Dice - The leading online job board
> for high-tech professionals. Search and apply for tech jobs today!
> http://seeker.dice.com/seeker.epl?rel_code1
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users