Snort mailing list archives

Re: Re[4]: unified format


From: "Roland Turner (SourceForge)" <raz.fs.arg () countersnipe com>
Date: Fri, 19 Aug 2005 15:35:51 +0100 (BST)

Igor Belikov said:


> - >8 - - >8 - - >8 -  part of snort.conf  - >8 - - >8 - - >8 -
>
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128


You only need the latter.


> startproc $SNORT_BIN -d -D -i any -l $SNORT_LOG -c $SNORT_CONF
>
> startproc $BARNYARD_BIN -D -c $BARNYARD_CONF -d $SNORT_LOG -f snort.alert -w $SNORT_LOG/barnyard.waldo


Looks reasonable, except that you want snort.log, not snort.alert.


> When I use "-f snort.alert", I get alert events in the DB but don't get the
> payload. When I use "-f snort.log", I don't get alert events in the DB.


Ah, this may be the problem. If the rule action is "alert" then the data
presented to the output plugins does not include the payload. There is no
configuration of anything that can get around this, IIRC. You need to be
setting the actions to "log" if you want the payload.

- Raz
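As an added example (not part of Igor's or Raz's messages), here is a snort.conf fragment that renders Raz's advice in config form: keep only the log_unified output, and write the rules that must carry payload with the "log" action instead of "alert". The rule itself, its sid and the $HOME_NET/$EXTERNAL_NET variables are assumptions for illustration; the paths follow Igor's script.

```conf
# snort.conf fragment (added example, not from the thread)

# Only the log_unified output is needed; barnyard reads snort.log and
# rebuilds the events from it, so alert_unified can be dropped.
output log_unified: filename snort.log, limit 128

# Rule action matters: with "alert" the output plugins receive the event
# without the packet payload. Use "log" when the payload must reach the DB.
# (sid 1000001 and the content string are made up for the example.)
log tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"example rule logged with payload"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
```

With that in place the barnyard line in Igor's start-up script changes only in its -f argument, from snort.alert to snort.log, so that barnyard spools the file that actually contains the packet data; the waldo file (-w) keeps its position across restarts.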




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

