Snort mailing list archives

RE: No detail or contents in acid and barnyard

From: "Nelson, Ben" <bnelson () rightnow com>
Date: Thu, 5 Jun 2003 09:44:11 -0600
Check out mudpit : http://www.fidelissec.com/mudpit.html

This is what I ended up using on my remote sensors to log alert details AND data to a remote database.  It's been 
working pretty solidly for about a week now.  I'm still very much in the testing phase, but so far it's been great.

--Ben

-----Original Message-----
From: Russell Fulton [mailto:r.fulton () auckland ac nz]
Sent: Wednesday, June 04, 2003 10:52 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] No detail or contents in acid and barnyard


Greetings All,
            I am running snort 2.0 with the unified output plugin (see appended
config file) and using barnyard (see command line and conf file
appended).  

Data is being logged to the database and displayed by acid but I get no
details (i.e. no IP header fields except addresses nor tcp fields except
port numbers) and no packet contents.

I have tried various strategies with running barnyard to handle both the
alert and log file:
      * -d log_dir -f snort.alert -f snort.log  and both outputs enabled
        in the conf file.  This does not produce any errors.
      * two processors one for the log and one for the alert, log
        process always seems to exit (no errors printed).

Clearly I am missing something can someone please take the time to look
the configs and try and spot the problem.

[ I have searched the archive and found several references to this
problem but no real solutions when I get this fixed I'll write an answer
for the FAQ!]

Thanks!  Russell

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

snort command line

snort -c unified.rules -D -g snort -i xl0 -l /home/snort/LOGS/DMZ-O/barnyard/ -m 2 -o -U -u snort -X 

snort.conf...

var HOME_NET [xxxxx]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS 
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12\.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /home/snort/Rules/current
preprocessor frag2
preprocessor stream4 : disable_evasion_alerts, ttl_limit 5
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_sla\sh full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
                                                                                
output alert_unified: filename snort.alert, limit 50
output log_unified: filename snort.log, limit 50
                                                                                
include  $RULE_PATH/classification.config
include  $RULE_PATH/reference.config
                                                                                
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
.......
----------------------------------------------------------------------
Barnyard command line:

barnyard -c config/barnyard.alert -d LOGS/DMZ-O/barnyard/ -f snort.alert -f snort.log
                                                                               
Barnyard.conf

config hostname:xxxx
 
config interface: xl0
 
config filter: not port 22
  
processor dp_alert
 
processor dp_log
 
processor dp_stream_stat
 
output alert_acid_db: mysql, sensor_id 1, database snort, server xxxxx.auckland.ac.nz, user snort, password xxxxx
 
output log_acid_db: mysql, sensor_id 1, database snort, server xxxxx.auckland.ac.nz, user snort, password xxxxx




-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

No detail or contents in acid and barnyard Russell Fulton (Jun 04)
- Re: No detail or contents in acid and barnyard Bamm Visscher (Jun 05)
- <Possible follow-ups>
- RE: No detail or contents in acid and barnyard Nelson, Ben (Jun 05)