Snort mailing list archives

Re: barnyard (Payload)


From: Bamm Visscher <bamm () satx rr com>
Date: 15 Oct 2002 08:34:07 -0500

Alwin,

In order to get payload data into your acid/mysql db you need to change
this line:

output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user usnort, password loghog

to

output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user usnort, password loghog

The explanation: The acid_db plugin can be used to insert either
type of unified data (log or alert) into the DB. Alert_unified contains
only pertinent alert info (srcip, dstip, srcport, dstport, timestamp,
proto, alert msg, etc) and NO packet data. Log_unified contains the
alert info plus the actual packet in unified format. By choosing
alert_acid_db you are choosing only to insert the alert info, no matter
which type of unified file you are reading. The downside of using
log_acid_db is that alerts that don't have an associated packet (like
PORTSCAN alerts) will no longer be loaded into the DB.

I am not sure what the error you are getting means. Possibly a corrupted
spool file? Can you post the args you are using to start BY?

Bammkkkkk


On Tue, 2002-10-15 at 08:05, Alwin Raymundo wrote:
Hi Bamm,

Thanks for your help. I have a few questions for you
if you don't mind.

1. Where can I find this op_acid_db?

I followed what you stated below.
In snort.conf:
output log_unified: filename snort.log, limit 128

In my barnyard.conf:
config hostname: snorthost
config interface: fxp0
config filter: not port 22
processor dp_alert
processor dp_log
processor dp_stream_stat
output alert_fast
output log_dump
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user usnort, password loghog

When I ran BY I got these error messages:

-*> Barnyard! <*-
Version 0.1.0-rc3 (Build 11)
By Andrew R. Baker (andrewb () snort org)
and Martin Roesch (roesch () sourcefire com,
www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AcidDb output plugin initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
Args: mysql, sensor_id 1, database snort, server
localhost, user usnort, password loghog
WARNING: absolute path in -f <filename> is overriding
-d <spool_dir> setting.
WARNING: spool_dir set to "/var/log/snort"
Barnyard Version 0.1.0-rc3 (Build 11) started
ERROR => No input plugin found for magic: a1b2c3d4

What does "no input plugin found for magic: a1b2c3d4" mean?

I searched for this in the previous Usenet posts, but the
advice was to upgrade barnyard and the rules, and I
think I have the new one.

I'm new to barnyard. Thanks in advance for your
help.

--- Bamm Visscher <bamm () satx rr com> wrote:
I use a modified (different DB schema) op_acid_db and it inserts
"payload" data. op_acid_db should also. Check to make sure you are using
the log_unified output plugin (alert_unified doesn't log packet data).
When you run BY, make sure it is reading the log_unified output (i.e. -f
snort.log). IIRC, BY cannot read log_unified and alert_unified at the
same time. Finally, in your barnyard.conf, make sure you use 'output
log_acid_db' (vice 'output alert_acid_db').

Bammkkkk

On Tue, 2002-10-01 at 07:31, Ron Shuck wrote:
Hey Alwin,

I found the same results. I haven't heard if there are plans to include
this, or if it should work and we just missed something.


Ron Shuck, CISSP - Managing Consultant
Buchanan Associates - A Technology Company in the
People Business
http://www.buchanan.com
http://www.isc2.org


---original message---
Date: Mon, 30 Sep 2002 11:36:39 -0700 (PDT)
From: Alwin Raymundo <alrayworld () yahoo com>
To: user snort <snort-users () lists sourceforge net>
Subject: [Snort-users] barnyard (Payload)

Hi Everybody,

I don't know if this was already posted in a previous
discussion, and this morning I just set up barnyard.
I like it because it is fast to log all packets into my
mysql and acid, but I noticed there is no payload.

Is this normal? Is there another way to get the
payload?

Any help would be appreciated.

Thanks in advance.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
Alwin Raymundo
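A small diagnostic for the "No input plugin found for magic" error discussed above, added here as an example and not part of this thread or of Barnyard itself. Barnyard picks an input plugin by the first four bytes of the spool file; 0xa1b2c3d4 is the well-known libpcap file magic, so the file given with -f was a tcpdump-format capture rather than a unified file. The unified log/alert magic values below are what I recall from Snort's spo_unified.h and are an assumption to verify against your Snort version.

```python
import struct

# Well-known libpcap file magic (this is the value in the error above).
PCAP_MAGIC = 0xA1B2C3D4
# ASSUMPTION: unified magics as recalled from Snort's spo_unified.h; verify.
UNIFIED_LOG_MAGIC = 0xDEAD1080
UNIFIED_ALERT_MAGIC = 0xDEAD4137

KNOWN = {
    PCAP_MAGIC: "libpcap capture (e.g. Snort log_tcpdump output); "
                "Barnyard 0.1.0 has no input plugin for this",
    UNIFIED_LOG_MAGIC: "unified log (alert info plus packet data; "
                       "use log_acid_db to get payloads into the DB)",
    UNIFIED_ALERT_MAGIC: "unified alert (alert info only, no packet data)",
}


def identify_magic(header: bytes):
    """Classify a spool file by its first 4 bytes.

    Returns (magic, description). The magic is written in host byte
    order, so both little- and big-endian readings are tried.
    """
    if len(header) < 4:
        return None, "file shorter than 4 bytes (empty or truncated spool file)"
    for fmt in ("<I", ">I"):
        magic = struct.unpack(fmt, header[:4])[0]
        if magic in KNOWN:
            return magic, KNOWN[magic]
    magic = struct.unpack("<I", header[:4])[0]
    return magic, ("unknown magic %08x (not a unified file: corrupted "
                   "spool, or -f/-d pointing at the wrong file?)" % magic)


def identify_file(path: str):
    """Read the first 4 bytes of a spool file and classify it."""
    with open(path, "rb") as f:
        return identify_magic(f.read(4))


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        _, desc = identify_file(p)
        print(f"{p}: {desc}")
```

Run it against the file you pass to Barnyard's -f (or each file in its -d spool directory) before starting BY; a pcap verdict means snort.log is not the log_unified output.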
