Snort mailing list archives

RE: barnyard, alerts, logs and acid


From: "Chris Eidem" <ceidem () Dexma com>
Date: Fri, 2 Aug 2002 10:57:29 -0500


-*> Snort! <*-
Version 1.8.7 (Build 128)

-*> Barnyard! <*-
Version 0.1.0-rc2 (Build 11)

acid-0.9.6b22 from cvs (yesterday)


so far so good.

Acid isn't showing any alerts picked up and inserted by barnyard.

I have that version of snort using:
output alert_unified: filename snort.unified.alert, limit 64
output log_unified: filename snort.unified.log, limit 64

barnyard.conf has:
config hostname: myhost.localnet
config interface: eth0
processor dp_alert
processor dp_log
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full


you don't really need both. it is my understanding that log_acid_db
contains all the info that alert_acid_db has.

Now, the command-line:
barnyard -c /etc/snort/barnyard.conf -d /var/log/snort/barnyard/ -s /etc/snort/sid-msg.map -f snort.unified.alert

Which bunch of files should be processed first? alert or log? Should there be two
instances of barnyard? Doesn't log include alert?

What happened is that barnyard inserted lots of data into acid, but acid wouldn't
show it. The main page showed some percentages regarding tcp, udp and icmp, but it
didn't actually have any alerts. All searches and queries would end up with zero
alerts in the database.

it looks like your messages are there but they don't have a sensor id in
the database records.  do a "SELECT * FROM sensor;" and see if you have
any records.  if you don't, do a 

"insert into sensor values('1','test','doodle doodle dee','NULL',1,0);"

that should do it.


hope that helps,
 - chris
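An added example (not from the post above) of checking for the symptom Chris describes before inserting the sensor row: event records whose sid has no matching row in the sensor table. It assumes the ACID/snort database schema's `sensor` and `event` tables joined on `sid`; the INSERT is the one from the reply, and the sensor values are placeholders to be replaced with the real hostname and interface.

```sql
-- 1. What sensors does ACID know about? (empty result = the problem in this thread)
SELECT sid, hostname, interface FROM sensor;

-- 2. Count events that reference a sid ACID cannot resolve to a sensor.
--    Any rows here are the "inserted but invisible" alerts.
SELECT e.sid, COUNT(*) AS orphaned_events
FROM event e
LEFT JOIN sensor s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid;

-- 3. Create the missing sensor row for sensor_id 1 (values from the reply;
--    'test' and 'doodle doodle dee' are placeholders for hostname/interface).
INSERT INTO sensor VALUES ('1', 'test', 'doodle doodle dee', 'NULL', 1, 0);

-- 4. Re-run step 2: orphaned_events for sid 1 should now be gone.
```

Keep the sensor_id in barnyard.conf and the sid of the inserted row identical, otherwise step 2 will still report orphans after the insert.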

