Snort mailing list archives

Re: Re: Acid Snort Barnyard Payload


From: Alwin Raymundo <alrayworld () yahoo com>
Date: Tue, 11 Mar 2003 07:06:23 -0800 (PST)

Hi Kevin,

I'm glad you responded to this email.  Now I double-checked
my configuration compared to what you suggested.

My finding is that we have the same setup.

I was thinking maybe it's the way I started snort and
barnyard.

I started my snort with this option

snort -i eth1 -c /etc/snort/snort.conf -D

and I started my barnyard with this option

barnyard  -c /etc/snort/barnyard.conf \
    -d /var/log/snort -g /etc/snort/gen-msg.map \
    -s /etc/snort/sid-msg.map -f snort.log -w waldo

but still I did not get any payload on my Acid.

I really appreciate that you responded to my email.

Thanks



--- Kevin Peuhkurinen <kevin.peuhkurinen () hepcoe com>
wrote:
 > When I tried to view the payload on acid, it says none


I had the same problem.   In order for Barnyard to pass the packet data,
it has to be working on the logs rather than the alerts.  So,

1) make sure that "output_log_unified" is set in snort.conf
2) make sure that "processor dp_log" is set in barnyard.conf
3) enable "output log_acid_db" in barnyard.conf and do NOT enable
   "output alert_acid_db".
4) start barnyard with the "-f" option pointing to the base name of your
   log files.  In my case, this is "snort.log"

That should do it.

Kevin





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
Alwin Raymundo
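A quick way to verify Kevin's four steps before restarting the daemons. This is an added example, not code from either poster or from the Snort/Barnyard projects; it assumes the directive spellings "output log_unified", "processor dp_log", "output log_acid_db" and "output alert_acid_db", and the sample config files are constructed placeholders.

```shell
#!/bin/sh
# Checks the four steps from Kevin's reply against a snort.conf, a barnyard.conf
# and the base name passed to "barnyard -f". Prints every unmet step; exit 0 = all met.
check_payload_config() {
    snort_conf="$1"; by_conf="$2"; base="$3"; rc=0
    # Step 1: Snort must write unified logs (packet data), not only unified alerts.
    logline=$(grep -E '^[[:space:]]*output[[:space:]]+log_unified' "$snort_conf" || true)
    [ -n "$logline" ] || { echo "step 1: snort.conf has no 'output log_unified'"; rc=1; }
    # Step 2: Barnyard must run the log data processor, not just dp_alert.
    grep -Eq '^[[:space:]]*processor[[:space:]]+dp_log' "$by_conf" ||
        { echo "step 2: barnyard.conf has no 'processor dp_log'"; rc=1; }
    # Step 3: ACID output must be log_acid_db; alert_acid_db carries no payload.
    grep -Eq '^[[:space:]]*output[[:space:]]+log_acid_db' "$by_conf" ||
        { echo "step 3: barnyard.conf has no 'output log_acid_db'"; rc=1; }
    if grep -Eq '^[[:space:]]*output[[:space:]]+alert_acid_db' "$by_conf"; then
        echo "step 3: 'output alert_acid_db' is still enabled"; rc=1
    fi
    # Step 4: the -f base name must match the filename in the log_unified line.
    fname=$(printf '%s\n' "$logline" | sed -n 's/.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p')
    if [ -n "$logline" ] && [ "$fname" != "$base" ]; then
        echo "step 4: barnyard -f '$base' does not match log_unified filename '$fname'"; rc=1
    fi
    return $rc
}

# Constructed sample configs (placeholder values, not taken from the thread).
TMP=$(mktemp -d)
cat > "$TMP/snort.conf" <<'EOF'
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
EOF
# Alert-only Barnyard setup: ACID shows "none" for the payload.
cat > "$TMP/barnyard-alerts.conf" <<'EOF'
processor dp_alert
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password CHANGEME
EOF
# Log-based setup from Kevin's steps: packet data reaches the database.
cat > "$TMP/barnyard-logs.conf" <<'EOF'
processor dp_log
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password CHANGEME, detail full
EOF

# Run the check as Alwin would: barnyard started with "-f snort.log".
check_payload_config "$TMP/snort.conf" "$TMP/barnyard-logs.conf" snort.log && echo "all four steps OK"
```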




