RE: Program that reads unified log format natively

["Williams Jon" <WilliamsJonathan () JohnDeere com>]

This gets into one of the fundamental problems that I've had with barnyard in the first place.  Today, we use snort to 
log directly to libpcap-format files locally and send the data across the net to the DB server.  As I understand it, in 
order to have the same two functions (i.e. being able to use any libpcap-based tool to read the local files and data 
aggregation via the DB), I end up having to have nearly duplicate log files on my sensors, one in unified format that 
is then read and converted into libpcap.

I understand the Snort Team's motiviation behind externalizing the log processing, but by choosing a proprietary format 
for the first pass, they've either doubled the amount of disk space I need for logs or made a feature that I won't use.

Jon

-----Original Message-----
From: Jochen Vogel [mailto:jvogel () it-sec de]
Sent: Thursday, October 23, 2003 2:24 AM
To: 'lists () venom600 org'; snort-users () lists sourceforge net
Subject: AW: [Snort-users] Program that reads unified log format
natively


hi ben,

use barnyard and log in a file instead the database
to see what the unified logs really write.

i dont know if mudpit can write into files



> -----Ursprüngliche Nachricht-----
> Von: Ben Nelson [mailto:lists () venom600 org]
> Gesendet: Mittwoch, 22. Oktober 2003 03:39
> An: snort-users () lists sourceforge net
> Betreff: [Snort-users] Program that reads unified log format natively
>
>
> I'm looking for a program that will read Snort unified log 
> format files 
> natively and spit out (to STDOUT preferrably) tcpdump-like 
> information 
> gleaned from these files.  Anybody seen anything like that?
>
> I'm using '-e' to log link layer characteristics of alert packets and 
> this information doesn't seem to make it into my snort database after 
> mudpit gets through parsing the unified log files.  I rarely 
> need this 
> information, but if I could go back and use a program like I 
> described 
> to parse my archived unified log files to find link layer information 
> after the fact, that would be very useful to me.
>
> Thanks,
> --Ben
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by OSDN developer relations
> Here's your chance to show off your extensive product knowledge
> We want to know what you know. Tell us and you have a chance 
> to win $100
> http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users




-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users