Snort mailing list archives
Snort - Barnyard - Waldo Files
From: Wes Young <wcyoung () buffalo edu>
Date: Tue, 28 Dec 2004 09:49:05 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Morning all,

I know most of you are on vacation, but for the geeks that never take a break....

I am writing a script that takes a log_dump file from barnyard, creates a snortalog report and posts it to a website... Everything works well except if the logfile specified in the waldo file (barnyard) is moved to the archive directory when barnyard is momentarily stopped... When barnyard is restarted, it's stuck on the old log and just sits there... The script looks something like:

<SNIP>
/etc/init.d/barnyard stop
mv /data/logs/si1/snort_log.log /opt/snortalog
/etc/init.d/barnyard start

# Change this later to check and see if the rules have been updated
# Less overhead, implement a check file or something....
cat /data/rules/si1/*.rules | /opt/snortalog/snortalog.pl -genref rules

/opt/snortalog/snortalog.pl -c -r -w -file /opt/snortalog/snort_log.log \
    -h index.html -u /var/www/html/snortalog/ -src -src_attack -src_dst_attack

rm /opt/snortalog/snort_log.log
</SNIP>

All the configs (including the waldo file) are specified in the barnyard startup script...

I know there are ways to filter out certain timeframes for snortalog, but for simplicity, I want to just generate stats for the last hour, hence the Barnyard-STOP, move log file, start barnyard (to create a new blank dump_log). Only problem is, if (for whatever reason) the [unified] logfile is archived between the stop and start, the waldo file is incorrect and barnyard stops processing...

Should I just run a check to see if the file specified in the waldo exists; if so, start, if not, remove the waldo file and start [from scratch]..? Or is there a better way to do it...?

Right now I have the unified log's maxsize at 128meg and barnyard is doing the archiving... When this happens, it's nowhere near 128meg, so it can't be snort that is cutting off the file, it's got to be barnyard, but I can't figure out why (when barnyard stops and archives the log) it doesn't update the waldo file...... Anyone else seen this??

TIA

-- 
Wes Young
Network Security Analyst
University at Buffalo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)

iD8DBQFB0XJgzLe0Tk6uDXYRAj6QAJ47ltae9WtYpNkMWcd91osu7ysRgwCgp1nn
rpWkbb5LiCw+KU5Vu40KWTE=
=98sR
-----END PGP SIGNATURE-----
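Added example (not part of Wes's post, nor code shipped with barnyard or snortalog): the stop / move / start sequence from the post with the guard Wes proposes inserted, so barnyard is never restarted against a waldo that names a unified file which has since been archived, and the report run never clobbers a dump_log it has not consumed yet. The paths, the init script, and the name of the unified file the waldo points at are assumptions; the waldo is a binary record and resolving the file it refers to is left to the caller rather than guessed at here.

```shell
#!/bin/sh
# Added example: guarded barnyard restart around log_dump rotation.
# All paths and service commands below are hypothetical placeholders.

# waldo_is_resumable WALDO UNIFIED_FILE
#   Exit 0 if UNIFIED_FILE (the unified log the waldo refers to, resolved
#   by the caller) still exists, so barnyard can resume from WALDO.
#   Otherwise remove WALDO, report the gap on stderr and exit 1: barnyard
#   then starts from scratch, and alerts between the old waldo position and
#   the end of the archived file exist only in the archived copy.
waldo_is_resumable() {
    waldo=$1
    target=$2
    if [ -f "$target" ]; then
        return 0
    fi
    if [ -f "$waldo" ]; then
        echo "waldo $waldo points at missing $target; removing waldo" >&2
        rm -f "$waldo"
    fi
    return 1
}

# rotate_dump_log SRC DEST_DIR
#   Move barnyard's log_dump output into the report directory, refusing to
#   overwrite an earlier copy that a previous report run did not finish
#   with (otherwise that hour of alerts would silently vanish).
rotate_dump_log() {
    src=$1
    dest="$2/$(basename "$src")"
    if [ -e "$dest" ]; then
        echo "$dest still present; previous report run did not finish" >&2
        return 1
    fi
    mv "$src" "$dest"
}

# The procedure from the post with the two guards in place.
main() {
    WALDO=/var/barnyard/waldo            # hypothetical waldo path
    UNIFIED=/data/logs/si1/snort.log.0   # hypothetical: file named in the waldo
    DUMP=/data/logs/si1/snort_log.log
    REPORT_DIR=/opt/snortalog

    /etc/init.d/barnyard stop
    rotate_dump_log "$DUMP" "$REPORT_DIR" || exit 1
    waldo_is_resumable "$WALDO" "$UNIFIED" \
        || echo "restarting barnyard from scratch" >&2
    /etc/init.d/barnyard start

    cat /data/rules/si1/*.rules | "$REPORT_DIR/snortalog.pl" -genref rules
    "$REPORT_DIR/snortalog.pl" -c -r -w -file "$REPORT_DIR/snort_log.log" \
        -h index.html -u /var/www/html/snortalog/ -src -src_attack -src_dst_attack
    rm -f "$REPORT_DIR/snort_log.log"
}

# Only run the procedure when invoked under this (hypothetical) script name,
# so the functions can be sourced and exercised on their own.
case "${0##*/}" in
    rotate_barnyard.sh) main "$@" ;;
esac
```

The second guard matters as much as the first: in the original sequence a report run that dies after the `mv` leaves `/opt/snortalog/snort_log.log` in place, and the next hour's `mv` replaces it, so the earlier hour of alerts is lost without any error.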