Snort mailing list archives
Re: Barnyard & SnortAlog
From: "Povel, Michael" <Michael.Povel () umusic com>
Date: Thu, 6 May 2004 16:02:31 +0200
Sorry, I had a duplicated line in my patch. Please remove the first

+ protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp,

cu
Michael

-----Original Message-----
From: Povel, Michael
Sent: Thursday, 6 May 2004 14:23
To: 'Cédric BLIN'; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Barnyard & SnortAlog

Hello all,

with a little change to the output plugin of barnyard, I was able to read the created output with snortalog. I modified the format to match the format snort uses a bit more closely:

--- sik/op_fast.c 2004-05-06 13:14:21.000000000 +0200 +++ op_fast.c 2004-05-06 13:23:48.000000000 +0200 @@ -174,6 +174,14 @@ if(ad->protocol == IPPROTO_TCP || ad->protocol == IPPROTO_UDP) { + fprintf(afd->file, "%s [**] [%d:%d:%d] %s [**] [Classification: %s] [Pr iority: %d] {%s} %s:%d -> %s:%d\n", timestamp, + protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp, + ad->event.sig_generator, ad->event.sig_id, ad->event.sig_rev, + tmp != NULL?tmp->msg:"ALERT", + ct != NULL?ct->name:"Unknown", ad->event.priority, + protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp + ); +/* Orig fprintf(afd->file, "%s {%s} %s:%d -> %s:%d\n" "[**] [%d:%d:%d] %s [**]\n" "[Classification: %s] [Priority: %d]\n", timestamp, @@ -181,9 +189,16 @@ ad->event.sig_generator, ad->event.sig_id, ad->event.sig_rev, tmp != NULL?tmp->msg:"ALERT", ct != NULL?ct->name:"Unknown", ad->event.priority); +*/ } else { + fprintf(afd->file, "%s [**] [%d:%d:%d] %s [**] [Classification: %s] [Pr iority: %d] {%s} %s -> %s\n", timestamp, + ad->event.sig_generator, ad->event.sig_id, ad->event.sig_rev, + tmp != NULL ? tmp->msg : "ALERT", + ct != NULL ? ct->name : "Unknown", ad->event.priority, + protocol_names[ad->protocol], sip, dip ); +/* fprintf(afd->file, "%s {%s} %s -> %s\n" "[**] [%d:%d:%d] %s [**]\n" "[Classification: %s] [Priority: %d]\n", timestamp, 
@@ -191,12 +206,15 @@ ad->event.sig_generator, ad->event.sig_id, ad->event.sig_rev, tmp != NULL ? tmp->msg : "ALERT", ct != NULL ? ct->name : "Unknown", ad->event.priority); +*/ } PrintXref(ad->event.sig_generator, ad->event.sig_id, afd->file); +/* fprintf(afd->file, "-----------------------------------------------------" "-------------------\n"); +*/ fflush(afd->file); return 0;

-----Original Message-----
From: Cédric BLIN [mailto:cedric.blin () evidian com]
Sent: Wednesday, 5 May 2004 14:29
To: snort-users () lists sourceforge net
Subject: [Snort-users] Barnyard & SnortAlog

Hi all,

here is my first post, excuse my English. I want to know if someone uses Barnyard & SnortAlog and how I must configure them. I use unified_log and Barnyard extracts snort.alert.xxx to fast.alert, but SnortAlog is not able to understand this alert file.

Regards,
Cedric BLIN
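Review bot: in the first hunk (the TCP/UDP branch) the new fprintf passes the line `protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp,` twice, once directly after `timestamp` and again at the end, so the `[%d:%d:%d]` conversions receive a `char *` and every later argument is shifted against its conversion; that is undefined behaviour and will print garbage or crash. Drop the first copy, as the follow-up message already says, so the arguments run `timestamp, sig_generator, sig_id, sig_rev, msg, name, priority, protocol_names[...], sip, ad->sp, dip, ad->dp`, matching the twelve conversions in order. Both new format strings also show `[Pr iority: %d]`, which looks like a mail line wrap; the replaced code prints `[Priority: %d]`, and the field must stay one token for snortalog to match it.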
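Review bot: in the second and third hunks the replaced multi-line fprintf calls and the separator line are kept inside `/* Orig ... */` and `/* ... */` comments instead of being deleted; the diff already records what was replaced, so the commented-out blocks should go rather than sit in the source as dead code. The non-TCP/UDP fprintf in the second hunk is otherwise consistent (ten conversions, ten arguments in order), so only the TCP/UDP branch needs the argument fix.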
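The point of the patch above is that snortalog expects every alert on a single line in Snort's "fast" layout, while the unpatched barnyard plugin spread the same fields over several lines. As an added example (not code from barnyard, snort or snortalog), here is a small Python parser for the one-line format the patched op_fast.c writes, with the port-less variant for non-TCP/UDP events, plus a roll-up of the kind snortalog produces. The sample lines, signature ids and messages are constructed for this example; addresses come from the documentation ranges.

```python
"""Parse the one-line Snort "fast" alert format that the patched barnyard
op_fast.c emits. Added example; not code from barnyard or snortalog.

Patched output for TCP/UDP events:
  <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: <class>]
  [Priority: <n>] {<proto>} <sip>:<sport> -> <dip>:<dport>
Other protocols carry no ":port" suffixes.
"""
import re
from collections import Counter

FAST_ALERT_RE = re.compile(
    r"^(?P<timestamp>\S+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Classification: (?P<classification>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[^}]+)\} "
    # IPv4 addresses with an optional ":port" (barnyard of this era is IPv4-only)
    r"(?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample lines in the patched format (sids and messages made up
# for this example; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LINES = [
    "05/06-14:23:01.123456 [**] [1:1000001:1] EXAMPLE web probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 192.0.2.10:44321 -> 198.51.100.5:80",
    "05/06-14:23:02.000001 [**] [1:1000002:1] EXAMPLE icmp sweep [**] "
    "[Classification: Misc activity] [Priority: 3] "
    "{ICMP} 192.0.2.10 -> 198.51.100.5",
    # First line of the *unpatched* barnyard output: the remaining fields were
    # printed on the following lines, so this does not match the fast format.
    "05/06-14:23:03.000000 {TCP} 192.0.2.11:51000 -> 198.51.100.5:22",
]


def parse_fast_alert(line):
    """Return a dict of fields for a fast-format alert line, or None when the
    line does not follow the format (for example the old multi-line output)."""
    m = FAST_ALERT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(lines):
    """Count alerts per signature and per source address (the roll-up a tool
    like snortalog produces) and collect the lines that had to be skipped."""
    by_sig = Counter()
    by_src = Counter()
    skipped = []
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is None:
            skipped.append(line)
            continue
        by_sig[(rec["gid"], rec["sid"], rec["msg"])] += 1
        by_src[rec["src"]] += 1
    return {"by_sig": by_sig, "by_src": by_src, "skipped": skipped}


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for (gid, sid, msg), n in result["by_sig"].most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    print("unparsed lines:", len(result["skipped"]))
```

Running the block against a real fast.alert written by the patched plugin is a quick way to confirm that every record parses; any line that lands in `skipped` is one that snortalog would also fail to read.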