Snort mailing list archives

RE: Barnyard Options Help Needed!


From: "Chris Eidem" <ceidem () Dexma com>
Date: Fri, 20 Dec 2002 08:27:18 -0600


First, Snort creates two unified files; an alert and a log file.  However, when I tell Barnyard to use the alert file (with -f), the packet data is not sent to the database.  If I tell Barnyard to use the log file, nothing gets sent to the database.  The output plugin used is alert_acid_db, with the "detail full" setting.  How do I tell Barnyard to send alerts with full packet data to the database?

Secondly, I can't seem to figure out how to get any of the other output plugins to work.  I want to use alert_fast and log_pcap, but the files are not being created.  I've tried starting Barnyard with "-L /var/log/snort" but this seems to do nothing.  I tried putting a filename after the "output alert_fast" in the conf file, but then it complains that it doesn't know about this plugin.  What am I doing wrong?


you could help us help you by sending your command lines and
barnyard.conf files.

hint, barnyard only processes one unified log file, so if you want to
look at both the alerts and the log, you need to run two instances of
barnyard, each with a different .conf file.

example (assuming that you are running snort to output to unified):

command lines:
barnyard -c barnyard-log.conf -f snort.log <rest of options>
barnyard -c barnyard-alert.conf -f snort.alert <rest of options>

barnyard-log.conf:
config hostname: snortbox
config interface: eth0
config filter: not port 22
# data processors; barnyard uses the one matching the unified file it is fed
processor dp_alert
processor dp_log
processor dp_stream_stat
# outputs that take full packet data from the unified log file
output log_pcap
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snort

barnyard-alert.conf:
config hostname: snortbox
config interface: eth0
config filter: not port 22
processor dp_alert
processor dp_log
processor dp_stream_stat
# alert-only output; the unified alert file carries no packet payload
output alert_fast

remember, if you are asking for help, give information.  i haven't been
able to get libmindread.so to compile for years...

 - chris
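As an added example (not code from the post or from the Barnyard project), the following Python helper automates the point above: barnyard processes one unified file per instance, so each file has to be handed to the instance whose .conf matches it. It tells alert and log files apart by the 4-byte magic Snort writes at the start of each unified file (ALERT_MAGIC 0xDEAD4137 and LOG_MAGIC 0xDEAD1080 from Snort's spo_unified.c, written in the sensor's host byte order, so both byte orders are checked), strips Snort's timestamp suffix to get the base name barnyard's -f expects, and builds the command line. The config file names follow the example above and the sample files it writes are constructed, not real Snort output.

```python
"""Pick the right barnyard instance for each Snort unified file.

Barnyard reads exactly one unified file per instance, so the alert
file and the log file need separate runs with separate .conf files.
This helper classifies a file by its magic and builds the matching
command line. Added example; not Barnyard's own code.
"""
import os
import struct
import tempfile

# Unified (v1) magic values as defined in Snort's spo_unified.c.
ALERT_MAGIC = 0xDEAD4137
LOG_MAGIC = 0xDEAD1080

# Config file per file kind; names follow the post's example (assumption).
CONF_FOR_KIND = {"alert": "barnyard-alert.conf", "log": "barnyard-log.conf"}


def unified_kind(path):
    """Return 'alert', 'log' or 'unknown' from the file's 4-byte magic.

    Snort writes the header in the sensor's host byte order, so both
    byte orders are tried; a file copied from a sensor of the other
    endianness is still classified correctly instead of being skipped.
    """
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return "unknown"
    for fmt in ("<I", ">I"):
        magic = struct.unpack(fmt, head)[0]
        if magic == ALERT_MAGIC:
            return "alert"
        if magic == LOG_MAGIC:
            return "log"
    return "unknown"


def barnyard_base(filename):
    """Strip Snort's numeric timestamp suffix: barnyard's -f wants the
    base name (snort.log), not snort.log.1040390838."""
    base, _, suffix = filename.rpartition(".")
    return base if base and suffix.isdigit() else filename


def barnyard_command(path):
    """argv for the barnyard instance that should process `path`, or None
    if the file is not a Snort unified file. Append -d/-w/-D and friends
    (the post's "<rest of options>") as your setup requires."""
    kind = unified_kind(path)
    if kind == "unknown":
        return None
    return ["barnyard", "-c", CONF_FOR_KIND[kind],
            "-f", barnyard_base(os.path.basename(path))]


def demo():
    """Write constructed sample files (not real Snort output; only the
    magic is meaningful, the rest is filler) into a scratch directory and
    return {filename: argv or None} for each of them."""
    samples = {
        "snort.alert.1040390838": struct.pack("<I", ALERT_MAGIC) + b"\0" * 12,
        "snort.log.1040390838": struct.pack("<I", LOG_MAGIC) + b"\0" * 20,
        "snort.log.sparc": struct.pack(">I", LOG_MAGIC) + b"\0" * 20,  # big-endian sensor
        "snort.log.bak": b"not a unified file",
    }
    spool = tempfile.mkdtemp(prefix="byexample-")
    result = {}
    for name, data in samples.items():
        path = os.path.join(spool, name)
        with open(path, "wb") as fh:
            fh.write(data)
        result[name] = barnyard_command(path)
    return result


if __name__ == "__main__":
    for name, argv in demo().items():
        print(f"{name:24} -> {' '.join(argv) if argv else 'skip (not unified)'}")
```

Run it with no arguments to see the four sample files sorted into "barnyard -c barnyard-alert.conf -f snort.alert", "barnyard -c barnyard-log.conf -f snort.log" and one skipped stray file; pointing the same logic at a real spool directory is a one-line loop over os.listdir().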


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

