Snort mailing list archives
Re: Barnyard woes
From: "Andrew R. Baker" <andrewb () snort org>
Date: Tue, 18 Feb 2003 22:16:50 -0500
Joerg Weber wrote:
>
> Here's my problem:
> 1) I'd like to use SnortCenter to maintain my sensors. SnortCenter adds
> the unified_plugin like this:
> output log_unified: filename snort-unified, limit 500
> but no alert_unified:
> Should I add this by hand via a preprocessor?

If you are only using the database output, you do not need the unified
alert file. All of the alert data should be in the unified log file.

> 2) Snort's running fine and happily logging into
> /var/log/snort/snort-unified.
> Now I'm setting up my barnyard.conf like
> config hostname: Inhouse
> config interface: eth1
> processor dp_alert
> processor dp_log
> processor dp_stream_stat
> output log_acid_db: mysql, sensor_id 7, database snort, server [ip],
> user [user], password [root]
>
> Now I'm starting barnyard like
> barnyard -c /root/barnyard-0.1.0-beta5/etc/barnyard.conf -f
> /var/log/snort/snort-unified -w /var/log/snort/waldo
> And the result looks like
> Skipping tagged packet 1389
> Skipping tagged packet 1392
> Skipping tagged packet 1394
> Skipping tagged packet 1396
> Skipping tagged packet 1398
> [and on and on and on...]
> What's up with that?

First off, I would recommend upgrading to the actual 0.1.0 release version
of Barnyard, it fixes several bugs. The messages you are seeing are an
attempt to not process tagged packets. As can be seen from comments in the
released code, it does not work (and is disabled).

> 3) Same happens when I try to run barnyard with the -f
> /var/log/snort/scan.log

Uh, Barnyard should not be able to read scan.log. It is probably ignoring
the -f on the command line and using the info from the waldo file.

> 4) The reason I'm running into this is my dislike of running two
> instances of barnyard, one for log, one for alert. Isn't there a more
> clever way to do things?

Depends what you want. As I said before, for just database, processing only
the unified log is ok.

If you want syslog and/or alert_fast output too, then you will need to run
two instances of Barnyard.

-A
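The two-instance layout Andrew describes, written out as an added example (not configuration from the original post or from the Barnyard project): Snort writes both unified spools, one Barnyard instance feeds the database from the log spool, a second feeds fast/syslog output from the alert spool, and each instance keeps its own waldo file. The alert_fast and alert_syslog argument forms, file names and credentials are assumptions; replace the placeholders with your own values.

```conf
# --- snort.conf (sensor side): emit BOTH unified spools.
# log_unified carries full packet data; alert_unified carries event headers only.
output alert_unified: filename snort-alert, limit 128
output log_unified: filename snort-unified, limit 500

# --- barnyard-db.conf: database-only consumer of the LOG spool.
# Only dp_log is needed here; the alert data is already inside the log records.
config hostname: Inhouse
config interface: eth1
processor dp_log
output log_acid_db: mysql, sensor_id 7, database snort, server 127.0.0.1, user snort, password CHANGEME

# --- barnyard-alert.conf: second instance consuming the ALERT spool
# for alert_fast / syslog output (assumed argument syntax).
config hostname: Inhouse
config interface: eth1
processor dp_alert
output alert_fast: /var/log/snort/barnyard.fast
output alert_syslog: LOG_AUTH LOG_ALERT

# Start one process per spool. The waldo file is the read-position bookmark
# for a single spool, so the two instances must NOT share one; otherwise the
# second instance silently resumes from the first instance's position instead
# of the -f file given on the command line.
#   barnyard -c barnyard-db.conf    -f /var/log/snort/snort-unified -w /var/log/snort/waldo.log
#   barnyard -c barnyard-alert.conf -f /var/log/snort/snort-alert   -w /var/log/snort/waldo.alert
```

Check that each waldo file advances independently (stat both after a few minutes of traffic); a stuck or shared bookmark is the usual cause of one instance replaying or skipping records.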