Snort mailing list archives

Re: Fwd: Re[4]: unified format


From: Igor Belikov <ivb () is ua>
Date: Mon, 22 Aug 2005 17:56:46 +0300

Hello Bamm,

Friday, August 19, 2005, 5:55:01 PM, you wrote:

BV> I wonder if this is a waldo file issue. If you originally ran barnyard
BV> watching the unified alert file, then switched it to watching the
BV> unified log file, that may have caused problems with barnyard.

I'm sure that it's not a waldo file, because I'm removing old logs (and
the old waldo file) before every run of snort+barnyard.

BV> Try removing $SNORT_LOG/barnyard.waldo and then start barnyard
BV> with the "-f snort.log". When you do this, run barnyard in the
BV> foreground send a copy of the std out back here.

OK. I'm running barnyard with "-R" and without "-R":

without "-R"

 - >8 - - >8 - - >8 - - >8 -

No bookmark file found, processing all events
Opened spool file '/var/log/snort/snort.log.1124719207'
OpAcidDB configured
  Database Flavour: mysql
  Detail Level: Full
  Database Server: 192.168.x.x
  Database User: xxxxx
SensorID: 1
Next CID: 19058
Waiting for new data
Exiting
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /usr/local/barnyard/etc/barnyard.conf
  Spool dir:             /var/log/snort
  Gen-msg file:          Not specified
  Sid-msg file:          Not specified
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            /var/log/snort/barnyard.waldo
  Pid file:              Not specified
  Verbosity level:       6
  Dry run flag:          Not Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        xxxxx
  Interface:       any
  BPF Filter:      Not specified
  Class file:      /usr/local/snort/etc/classification.config
  Sid-msg file:    /usr/local/snort/etc/sid-msg.map
  Gen-msg file:    /usr/local/snort/etc/gen-msg.map
  Daemon flag:     Not Set
  Localtime flag:  Set
Program Variables:
  Continual processing mode
  Config dir:    /usr/local/barnyard/etc
  Config file:   /usr/local/barnyard/etc/barnyard.conf
  Sid-msg file:  /usr/local/snort/etc/sid-msg.map
  Gen-msg file:  /usr/local/snort/etc/gen-msg.map
  Class file:    /usr/local/snort/etc/classification.config
  Hostname:      xxxxx
  Interface:     any
  BPF Filter:    
  Log dir:       /var/log/snort
  Verbosity:     6
  Localtime:     1
  Spool dir:     /var/log/snort
  Spool file:    snort.log
  Bookmark file: /var/log/snort/barnyard.waldo
  Record Number: 0
  Timet:         0
  Start at end:  0 

 - >8 - - >8 - - >8 - - >8 -

and (after Ctrl+C) with "-R" (with some extra info)

 - >8 - - >8 - - >8 - - >8 -

Starting data processing using information from bookmark file
Output plugins enabled for 'alert' records
-------------------------------------------------------
OpAcidDB configured
  Database Flavour: mysql
  Detail Level: Full
  Database Server: 192.168.x.x
  Database User: xxxxx
=======================================================
Output plugins enabled for 'log' records
-------------------------------------------------------
OpAcidDB configured
  Database Flavour: mysql
  Detail Level: Full
  Database Server: 192.168.x.x
  Database User: xxxxx
=======================================================
Output plugins enabled for 'stream_stat' records
-------------------------------------------------------
None configured
=======================================================
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /usr/local/barnyard/etc/barnyard.conf
  Spool dir:             /var/log/snort
  Gen-msg file:          Not specified
  Sid-msg file:          Not specified
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            /var/log/snort/barnyard.waldo
  Pid file:              Not specified
  Verbosity level:       6
  Dry run flag:          Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        xxxxx
  Interface:       any
  BPF Filter:      Not specified
  Class file:      /usr/local/snort/etc/classification.config
  Sid-msg file:    /usr/local/snort/etc/sid-msg.map
  Gen-msg file:    /usr/local/snort/etc/gen-msg.map
  Daemon flag:     Not Set
  Localtime flag:  Set
Program Variables:
  Continual processing mode
  Config dir:    /usr/local/barnyard/etc
  Config file:   /usr/local/barnyard/etc/barnyard.conf
  Sid-msg file:  /usr/local/snort/etc/sid-msg.map
  Gen-msg file:  /usr/local/snort/etc/gen-msg.map
  Class file:    /usr/local/snort/etc/classification.config
  Hostname:      xxxxx
  Interface:     any
  BPF Filter:    
  Log dir:       /var/log/snort
  Verbosity:     6
  Localtime:     1
  Spool dir:     /var/log/snort
  Spool file:    snort.log
  Bookmark file: /var/log/snort/barnyard.waldo
  Record Number: 63
  Timet:         1124719207
  Start at end:  0 

 - >8 - - >8 - - >8 - - >8 -

While barnyard is running in process mode (without "-R") the alert and log
files grow (so some events do occur), but no events are written to the
DB.

When I use "-f snort.alert" I get alert events in the DB, but don't get the
payload. When I use "-f snort.log" I don't get alert events in the DB.


Ah, this may be the problem. If the rule action is "alert" then the data
presented to the output plugins does not include the payload. There is no
configuration of anything that can get around this, IIRC. You need to be
setting the actions to "log" if you want the payload.


-- 
Best regards,
 Igor                            mailto:ivb () is ua
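The two points raised in this thread, a stale bookmark ("waldo") file being carried over from one spool file base to another, and alert records carrying no payload, are easy to reproduce with a toy model. The following is an added example and is not barnyard's code, nor Snort's unified file format or waldo format: the record layout, the JSON bookmark, the file names `snort.alert.<timet>` / `snort.log.<timet>` and the `process()` / `Bookmark` names are all constructed for illustration. It shows that a bookmark honoured blindly after switching from `snort.alert` to `snort.log` points past the end of the new spool, so nothing reaches the database, and that checking the bookmark's file base and timestamp before trusting it restarts processing at record 0.

```python
"""Toy model of spool-bookmark ("waldo") handling for an IDS event spooler.

Constructed example; not barnyard's code or file format. Demonstrates why a
bookmark taken against one spool file base must not be applied to another.
"""
import json
import os
import struct
import tempfile

# Constructed record layout (hypothetical, NOT Snort's unified format):
# u32 payload length, u32 signature id, then the payload bytes.
REC_HDR = struct.Struct("<II")


def write_spool(path, records):
    """Write (sig_id, payload) tuples as length-prefixed records."""
    with open(path, "wb") as f:
        for sig_id, payload in records:
            f.write(REC_HDR.pack(len(payload), sig_id))
            f.write(payload)


def read_records(path, start_record=0):
    """Return [(index, sig_id, payload)] for records with index >= start_record."""
    out = []
    with open(path, "rb") as f:
        idx = 0
        while True:
            hdr = f.read(REC_HDR.size)
            if len(hdr) < REC_HDR.size:
                break
            length, sig_id = REC_HDR.unpack(hdr)
            payload = f.read(length)
            if len(payload) < length:
                break  # truncated tail: the writer is still mid-record
            if idx >= start_record:
                out.append((idx, sig_id, payload))
            idx += 1
    return out


class Bookmark:
    """JSON bookmark file (constructed stand-in for the binary waldo file)."""

    def __init__(self, path):
        self.path = path

    def load(self):
        if not os.path.exists(self.path):
            return None
        with open(self.path) as f:
            return json.load(f)

    def save(self, file_base, timet, record_number):
        with open(self.path, "w") as f:
            json.dump({"file_base": file_base, "timet": timet,
                       "record_number": record_number}, f)


def process(spool_dir, file_base, timet, bookmark):
    """Return the records that would be handed to the output plugins.

    The bookmark is honoured only if it was taken against the same spool
    file base and the same spool timestamp; a bookmark from a different
    spool is ignored and processing restarts at record 0 (the manual
    equivalent is deleting the stale waldo, as suggested in the thread).
    """
    start = 0
    bm = bookmark.load()
    if bm is not None and bm["file_base"] == file_base and bm["timet"] == timet:
        start = bm["record_number"]
    path = os.path.join(spool_dir, f"{file_base}.{timet}")
    recs = read_records(path, start)
    if recs:
        bookmark.save(file_base, timet, recs[-1][0] + 1)
    return recs


def demo():
    """Returns (records from snort.alert, records a stale bookmark yields on
    snort.log, records after the bookmark check restarts at 0)."""
    d = tempfile.mkdtemp()
    timet = 1124719207  # constructed spool timestamp
    # Constructed alert records: 'alert' output carries no packet payload.
    write_spool(os.path.join(d, f"snort.alert.{timet}"),
                [(1000001, b""), (1000002, b""), (1000003, b"")])
    # Constructed log records: 'log' output carries the payload.
    write_spool(os.path.join(d, f"snort.log.{timet}"),
                [(1000001, b"GET / HTTP/1.0"), (1000002, b"payload-two")])
    bm = Bookmark(os.path.join(d, "barnyard.waldo"))

    first = process(d, "snort.alert", timet, bm)          # 3 records, bookmark -> 3
    stale = read_records(os.path.join(d, f"snort.log.{timet}"),
                         bm.load()["record_number"])      # bookmark applied blindly -> 0
    second = process(d, "snort.log", timet, bm)           # base mismatch, restart -> 2
    return len(first), len(stale), len(second)


if __name__ == "__main__":
    print(demo())
```

The `stale` value is the failure mode Bamm describes: the spooler believes it has already processed three records of `snort.log`, the file only has two, so every event is silently skipped and the database stays empty. The same check also shows why the payload only appears when the rule action writes `log` records: the constructed alert records carry an empty payload by design, matching what the thread reports.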



