Snort mailing list archives

Another Barnyard Question


From: "Lance Boon" <lboon () firststatebanksw com>
Date: Fri, 25 Jun 2004 12:12:11 -0500

I'm trying to get barnyard-0.2.0.tar.gz set up and running on my remote
sensors, logging to a centralized MySQL database. I've got the Snort 2.0
Intrusion Detection book, and reading through it, on page 431 it says that
"Some recent additions to the barnyard.conf file will allow us to
actually run Barnyard without the -g and -s switches. These files can be
preconfigured within the "configuration declarations" section of the
barnyard.conf file. "
For example: 
config generator-map: gen-msg.map 
config signature-map: sid-msg.map
However, when I try to add them, I get:

[root@IDS1 barnyard]# /etc/barnyard/bin/barnyard -c /etc/barnyard/barnyard.conf -d /var/log/snort -f snort.log -w /var/log/snort/waldo
Barnyard Version 0.2.0 (Build 32)
Unrecognized config directive: 'generator-map: /etc/snort/gen-msg.map'
Unrecognized config directive: 'signature-map: /etc/snort/sid-msg.map'
ERROR => Unable to open SID file "/etc/barnyard/sid-msg.map": No such file or directory
ERROR => Unable to open Generator file "/etc/barnyard/gen-msg.map": No such file or directory
ERROR => Unable to open Classification file "/etc/barnyard/classification.config": No such file or directory
Waiting for new spool file

If I copy the gen-msg.map, sid-msg.map and classification.config files
to my /etc/barnyard directory, Barnyard will start without errors. But
when I look at my ACID web page I see the following:

[snort] Snort Alert [119:13:0]    unclassified    3 (0%)    1    1    1    2004-06-25 15:40:31    2004-06-25 15:40:31

I'd really rather not have two copies of gen-msg.map, sid-msg.map and
classification.config in two different directories. Does anybody
have a good "hey newbie, here's how it's done" type of guide?

System is RH FC1, Snort is Version 2.1.3 (Build 27).

Snort.conf
# Step #3: Configure output plugins

output alert_unified: filename /var/log/snort/snort.alert, limit 128
output log_unified: filename /var/log/snort/snort.log, limit 128

Barnyard.conf

Standard except for the following entries:

# Step 1: configuration declarations
# To keep from having a commandline that uses every letter in the alphabet
# most configuration options are set here

config generator-map: /etc/snort/gen-msg.map
config signature-map: /etc/snort/sid-msg.map

# set the hostname (currently only used for the acid db output plugin)
config hostname: WORSEN1

# set the interface name (currently only used for the acid db output plugin)
config interface: eth0

output log_acid_db: mysql, sensor_id WORSEN1, database snort, server x.x.x.x, user snort, password password, detail full

If anyone can see anything I'm doing wrong or offer any suggestions, it
would be greatly appreciated.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
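The lookup that produces the "Snort Alert [119:13:0] / unclassified" row in the post above, as an added example that is not Barnyard's own code. A unified alert record carries only numbers (generator id, signature id, revision, classification id), so whatever reads the spool must resolve them through the same gen-msg.map, sid-msg.map and classification.config that Snort used; when those files are not found, the generic "Snort Alert [gid:sid:rev]" text and "unclassified" are all that can be shown. The map contents below are constructed for illustration and are not copied from any Snort release; the file names are the ones Barnyard's error messages in the post name. Two details worth noticing: a gid of 119 (a preprocessor event) is resolved through gen-msg.map only, never sid-msg.map, and classification ids are positional, so the copy of classification.config the reader uses must list the classes in the same order as the copy Snort loaded.

```python
import os
import re

# Constructed sample map contents (not copied from any Snort release).
GEN_MSG_MAP = """\
# gid || sid || message
1 || 1 || snort general alert
119 || 13 || (http_inspect) constructed sample: non-RFC HTTP delimiter
"""

SID_MSG_MAP = """\
# sid || message || reference,id || reference,id ...
1000001 || CONSTRUCTED example rule || url,www.example.invalid
"""

CLASSIFICATION_CONFIG = """\
# config classification: shortname,short description,priority
config classification: web-application-attack,Web Application Attack,1
config classification: attempted-recon,Attempted Information Leak,2
"""


def _fields(line):
    return [f.strip() for f in line.split("||")]


def parse_gen_msg(text):
    """gen-msg.map: 'gid || sid || message' -> {(gid, sid): message}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        gid, sid, msg = _fields(line)[:3]
        out[(int(gid), int(sid))] = msg
    return out


def parse_sid_msg(text):
    """sid-msg.map: 'sid || message || ref || ...' -> {sid: (message, [refs])}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = _fields(line)
        out[int(parts[0])] = (parts[1], parts[2:])
    return out


def parse_classifications(text):
    """classification.config -> {class_id: (name, description, priority)}.
    Classes are numbered 1..N in file order here; the unified record carries
    only that number, so the reader needs the same file in the same order."""
    out = {}
    pat = re.compile(r"^\s*config\s+classification:\s*(.+)$")
    class_id = 0
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        name, desc, prio = [p.strip() for p in m.group(1).split(",", 2)]
        class_id += 1
        out[class_id] = (name, desc, int(prio))
    return out


def load_maps(config_dir):
    """Read the three files from config_dir. A missing file yields an empty
    map plus a warning, mirroring Barnyard looking in the wrong directory."""
    files = {"gen": ("gen-msg.map", parse_gen_msg),
             "sid": ("sid-msg.map", parse_sid_msg),
             "cls": ("classification.config", parse_classifications)}
    maps, warnings = {}, []
    for key, (fname, parser) in files.items():
        path = os.path.join(config_dir, fname)
        try:
            with open(path) as fh:
                maps[key] = parser(fh.read())
        except OSError as exc:
            warnings.append(f"Unable to open {path}: {exc.strerror}")
            maps[key] = {}
    return maps, warnings


def resolve_event(gid, sid, rev, class_id, maps):
    """Turn a unified-event tuple into the text an ACID console shows.
    gid 1 (the rule engine) resolves through sid-msg.map; any other gid
    (preprocessors such as 119) through gen-msg.map. A miss falls back to
    the generic 'Snort Alert [g:s:r]' / 'unclassified'."""
    if gid == 1:
        hit = maps.get("sid", {}).get(sid)
        message = hit[0] if hit else None
    else:
        message = maps.get("gen", {}).get((gid, sid))
    if message is None:
        message = f"Snort Alert [{gid}:{sid}:{rev}]"
    cls = maps.get("cls", {}).get(class_id)
    return {"message": message,
            "classification": cls[0] if cls else "unclassified"}


INLINE_MAPS = {"gen": parse_gen_msg(GEN_MSG_MAP),
               "sid": parse_sid_msg(SID_MSG_MAP),
               "cls": parse_classifications(CLASSIFICATION_CONFIG)}

if __name__ == "__main__":
    print(resolve_event(119, 13, 0, 0, {}))            # no maps: as in the ACID row
    print(resolve_event(119, 13, 0, 1, INLINE_MAPS))   # maps loaded: preprocessor text
    print(resolve_event(1, 1000001, 1, 2, INLINE_MAPS))
```

Running `load_maps` against a directory that lacks the files reproduces the three "Unable to open" messages from the post, and `resolve_event` with empty maps reproduces the bare "Snort Alert [119:13:0]" row; pointing it at the sensor's real /etc/snort copies is the quick way to confirm those files would resolve the event before chasing Barnyard's directive names.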