Snort mailing list archives

barnyard, alerts, logs and acid


From: Andreas Hasenack <andreas () conectiva com br>
Date: Fri, 2 Aug 2002 10:38:05 -0300

-*> Snort! <*-
Version 1.8.7 (Build 128)

-*> Barnyard! <*-
Version 0.1.0-rc2 (Build 11)

acid-0.9.6b22 from cvs (yesterday)

Acid isn't showing any alerts picked up and inserted by barnyard.

I have that version of snort using:
output alert_unified: filename snort.unified.alert, limit 64
output log_unified: filename snort.unified.log, limit 64

barnyard.conf has:
config hostname: myhost.localnet
config interface: eth0
processor dp_alert
processor dp_log
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full

Now, the command-line:
barnyard -c /etc/snort/barnyard.conf -d /var/log/snort/barnyard/ -s /etc/snort/sid-msg.map -f snort.unified.alert

Which bunch of files should be processed first? alert or log? Should there be two instances of barnyard? Doesn't log include alert?

What happened is that barnyard inserted lots of data into acid, but acid wouldn't show it. The main page showed some percentages regarding tcp, udp and icmp, but it didn't actually have any alerts. All searches and queries would end up with zero alerts in the database.

Any tips would be appreciated.
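A diagnostic check added here for the symptom described above (protocol percentages shown, zero alerts listed); it is not part of the original post. It assumes the standard Snort/ACID MySQL schema of this era (tables sensor, event, signature, iphdr) in the database named snort in the barnyard.conf above.

```sql
-- Added diagnostic queries (not from the post). Assumes the standard
-- Snort/ACID MySQL schema of this era: sensor, event, signature, iphdr.
-- Run against the "snort" database that the barnyard output plugins write to.

-- 1. Raw row counts: did barnyard actually insert into each table?
SELECT 'sensor'    AS tbl, COUNT(*) AS row_count FROM sensor
UNION ALL SELECT 'event',     COUNT(*) FROM event
UNION ALL SELECT 'signature', COUNT(*) FROM signature
UNION ALL SELECT 'iphdr',     COUNT(*) FROM iphdr;

-- 2. Which sensor id did the events land under, and does that sid have a
--    row in the sensor table? (barnyard.conf above hard-codes sensor_id 1.)
SELECT e.sid, COUNT(*) AS events, s.hostname, s.interface
FROM event e
LEFT JOIN sensor s ON s.sid = e.sid
GROUP BY e.sid, s.hostname, s.interface;

-- 3. Events whose signature reference has no matching signature row.
--    ACID resolves an alert's name through the signature table, so
--    orphaned events like these will not show up as named alerts.
SELECT e.sid, e.cid, e.signature, e.timestamp
FROM event e
LEFT JOIN signature g ON g.sig_id = e.signature
WHERE g.sig_id IS NULL
LIMIT 20;

-- 4. The reverse orphan: iphdr rows (which carry ip_proto, the source of
--    tcp/udp/icmp statistics) that have no matching event row at all.
SELECT i.sid, i.cid, i.ip_proto
FROM iphdr i
LEFT JOIN event e ON e.sid = i.sid AND e.cid = i.cid
WHERE e.cid IS NULL
LIMIT 20;
```

If query 1 shows rows in iphdr but few or none in event, or queries 3 and 4 return orphans, the inserts from the alert and log spool files are not lining up on (sid, cid), which is worth comparing against how many barnyard instances and which processors are writing to the same sensor_id.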


