Snort mailing list archives

RE: Question about Snort/ACID/MySQL + Barnyard and how they play together


From: Matt Yackley <Matt.Yackley () perkinswill com>
Date: Fri, 25 Apr 2003 18:38:45 -0500

 Hi guys,
I hate to muddy the water, but I'm sitting here working on getting Snort,
ACID, MySQL & barnyard working and I'm now wondering about how barnyard will
affect this mix.  I was running Snort logging to a local MySQL database with
the output_log option.  Now I'm working on using barnyard to pass the data
off to a remote MySQL server and have switched snort to the unified file
output.

So the database output_log does catch both alerts & logs which it *should*
do according to Marty's post.  What is the behavior of the unified output
log vs. alert?  If I want logging and alerts do I need to run both of the
unified outputs and then run both files through barnyard's database output?
Or should the unified output_log work like the database output_log and catch
both alerts & logging?

Now I think I'm just confusing myself even more...
Think I'll go back to ASCII logs :]

Matt


-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com] 
Sent: Friday, April 25, 2003 3:03 PM
To: 'Michael Steele'
Cc: Snort-Users (E-mail)

Michael, 

You are correct in your assessment that log-only to a database does not catch
'alerts' from the portscan preprocessors.  I seem to remember a thread or
two about the portscan preprocessors many months ago, and if I remember
correctly, it went something like this:  


The portscan preprocessors only generate output to the alert facility --
something to do with the non-standard output of the portscan preprocessors.
Therefore, 'output database log' will not catch portscan preprocessor
output; you need to use 'output database alert'.  
<<<<<

IMHO, a post from Marty Roesch provided the best explanation of Snort output
facilities [0].  I believe Erek's thought was that because an alert rule
will trigger output to both the log and alert facilities, directing both of
them to the same database would result in duplicate data.  I've not tested
this, but the logic seems true to me.  

Alert rules will generate output to the log facility *and* alert facility --
either facility can be directed to a database.  That is, 'output database
log' and 'output database alert', respectively.  

Log rules will only generate output to the log facility -- it too can be
directed to a database.  Therefore, 'output database alert' will not catch
log rules; you need to use 'output database log'.  

All of this discussion was prior to Snort 2.0, so I don't know if anything
has changed in recent days.  


HTH

- Christopher 

[0] http://www.theadamsfamily.net/~erek/snort/logging_methods.txt  


-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Friday, April 25, 2003 2:39 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Question about Snort/ACID/MySQL and how they
play together


All,

This was a conversation that I was having with Erek on the difference
between log and alert. It seems that Erek is indisposed as there have
been no posts from him :(, so I'll throw it out to the masses and maybe
someone can enlighten me?

This is an excerpt from a previous message from Erek. His response seems
to contradict my tests. Could my testing be skewed in some way?

----------\
Alert only does alert whereas log does alert and log.  It's confusing
since they are both named the same, but seem to have different meanings
in the db plug-in.  Remember how you need to have 'log' to get output
from the portscan(2) preprocessor into ACID?
----------/

Ok, I have tested three settings and this is what I have come up with:

I cleaned out the log folder prior to each test and restarted Snort at
the appropriate times to get the IDS back up and fully functioning.

Test 1) Using 'output database alert' and 'output database log' in my
snort.conf file. Then I ran a scan on the IDS.

Result of scan: Logged all traffic including portscans to MySQL.

In the log folder: Only portscan.log created.

Test 2) Using the 'output database log' only in my snort.conf file. Then
I ran a scan on the IDS.

Result of scan: Logged all traffic except portscans to MySQL.

In the log folder: Only portscan.log created.

Test 3) Using the 'output database alert' only in my snort.conf file.
Then I ran a scan on the IDS.

Result of scan: Logged all traffic including portscans to MySQL.

In the log folder: Portscan.log was created along with folders with an
IP as folder name with logs inside each folder.

Out of all three tests, no /log/alert.ids file created.

Test 1 logs everything to MySQL, including creating the portscan.log
file, but no log file was created by alerts that were triggered by
rules.

Test 2 is not an option if you want to log portscans to the MySQL
database.

Test 3 logs everything to MySQL, including creating the portscan.log
file, and it also creates logs in /log/<IP>/ from alerts that were
triggered by rules.

What is the difference between Test 1 and Test 2 as far as the end
results?

Are they both doing the exact same thing except Test 3 is creating the
log files?

I thought I had this all down, but for some reason it's not clicking. It
looks like what Erek told me contradicts what my tests are coming up
with.

Thank you...

Michael





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
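An added configuration example (not from any of the posters) laying out the two pipelines discussed in this thread: Snort's direct database output, annotated with the behaviour Michael's three tests and Christopher's post describe, and the unified-file plus barnyard path Matt is moving to. The hostname, credentials, sensor id and file names are placeholders, and the barnyard.conf syntax is assumed from the barnyard 0.x README and should be checked against the version in use.

```conf
# ---- snort.conf, output section (constructed example) ----

# Option A: Snort writes straight to MySQL, as in Michael's tests.
# Test 3: the alert facility carries rule alerts AND portscan preprocessor
# output, so this single line gets everything into the database.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=db.example.internal

# Test 2: the log facility never receives portscan preprocessor output, so
# used on its own this line leaves portscans out of the database.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=db.example.internal

# Test 1: both lines together. Alert rules hit both facilities, so with two
# database outputs the same event can be written twice; this is the
# duplicate-data concern Christopher raises (untested in the thread).

# Option B: unified binary files handed off to barnyard (Matt's setup).
# alert_unified and log_unified are separate facilities writing separate
# files; to keep both alert and log output, both lines are needed and each
# file is fed to its own barnyard processor below.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# ---- barnyard.conf (constructed example, barnyard 0.x syntax assumed) ----
config hostname: sensor1
config interface: eth0

# Alert stream: reads snort.alert.* and writes to the ACID-compatible tables.
# Run as: barnyard -c barnyard.conf -d /var/log/snort -f snort.alert -w alert.waldo
processor dp_alert
output alert_acid_db: mysql, sensor_id 1, database snort, server db.example.internal, user snort, password CHANGEME

# Log stream: a second barnyard process with its own config reads snort.log.*
# (-f snort.log, separate waldo file) and stores full packet detail.
# processor dp_log
# output log_acid_db: mysql, sensor_id 1, database snort, server db.example.internal, user snort, password CHANGEME, detail full
```

Since the thread predates Snort 2.0, the facility behaviour in the comments is what the posters observed at the time, not a statement about later releases.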