Snort mailing list archives
barnyard processing of unified snort files
From: "Scott Renna" <srenna () d-a-s com>
Date: Thu, 3 Jul 2003 10:51:52 -0400
Hello all,

I have gotten everything running nice and smoothly with Snort and Barnyard now, but I was wondering about Snort unified alert file names. The files that I have are snort.alert.###### and snort.log.########. According to the Barnyard docs, these #s represent the time in seconds since the epoch. Is there any way to actually set these so that they output in a date and time format that is a little more humanly comprehensible?

The problem I'm running into when using Barnyard with these files is that the output logs that Barnyard spits out don't show the proper time; it's off by about 4 hours. I have checked my machine and its time is set properly. Has anyone else seen something like this in alert_fast.log? My local time at this time was about 10:27am:

    07/03/03-14:27:29.216803 {TCP} 192.168.2.4:44890 -> 192.168.2.238:675 [**] [117:1:1] spp_portscan2: Portscan detected! [**] [Classification: Unknown] [Priority: 0]

Also, while I'm emailing this off, I had a question in regards to utilizing the -f switch for continuous processing. The docs for Barnyard say to specify the spool, so I'm running two Barnyard processes, one with -f /var/log/snort/snort.alert and one with -f /var/log/snort/snort.log, in order to have it review both types of files. Is this proper syntax, or is there a better way?

Many thanks,
Scott Renna

***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500
***************************
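An added worked example, not from the post and not Snort or Barnyard code, that decodes the epoch suffix of a unified spool file name and reinterprets an alert_fast timestamp. It assumes the logged times are UTC, which the 4-hour gap in the post would match for US Eastern Daylight Time (UTC-4), and it uses a fixed -4 offset instead of a zoneinfo lookup so it runs without system tz data.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: the unified-file suffix and the alert_fast stamp are UTC.
# A fixed UTC-4 offset stands in for US Eastern Daylight Time here;
# a real deployment would use zoneinfo.ZoneInfo("America/New_York").
EDT = timezone(timedelta(hours=-4), "EDT")

UNIFIED_NAME = re.compile(r"^(snort\.(?:alert|log))\.(\d{9,10})$")
FAST_TS = re.compile(r"^(\d{2})/(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})")


def unified_file_time(filename, local_tz=EDT):
    """Return (kind, utc_iso, local_iso) for a name like snort.alert.1057242449.

    Raises ValueError for names that are not unified spool files, so a
    directory walk does not silently treat stray files as spools."""
    m = UNIFIED_NAME.match(filename)
    if not m:
        raise ValueError(f"not a unified spool file: {filename}")
    kind, epoch = m.group(1), int(m.group(2))
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return kind, utc.isoformat(), utc.astimezone(local_tz).isoformat()


def fast_alert_local_time(line, local_tz=EDT):
    """Read the MM/DD/YY-HH:MM:SS.usec stamp of an alert_fast line as UTC
    and return it converted to local_tz (None if the line has no stamp)."""
    m = FAST_TS.match(line)
    if not m:
        return None
    mo, d, yy, hh, mi, ss, us = (int(x) for x in m.groups())
    utc = datetime(2000 + yy, mo, d, hh, mi, ss, us, tzinfo=timezone.utc)
    return utc.astimezone(local_tz)


# Constructed sample file name (1057242449 = 2003-07-03T14:27:29 UTC) and
# the alert line quoted in the post above.
SAMPLE_FILE = "snort.alert.1057242449"
SAMPLE_LINE = ("07/03/03-14:27:29.216803 {TCP} 192.168.2.4:44890 -> "
               "192.168.2.238:675 [**] [117:1:1] spp_portscan2: Portscan detected! [**]")

if __name__ == "__main__":
    print(unified_file_time(SAMPLE_FILE))
    print(fast_alert_local_time(SAMPLE_LINE).strftime("%m/%d/%y-%H:%M:%S %Z"))
```

With the UTC assumption, the 14:27:29 stamp in the post comes back as 10:27:29 EDT, which is the wall-clock time the poster reports.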