Snort mailing list archives

Re: Snort + barnyard2 + BASE


From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Sun, 25 Oct 2009 17:06:00 -0400

Oh, ok....how many times can a guy (me) read something and still have it
wrong!  Things are working like a charm now!!  Thanks for helping me
out.

-----Original Message-----
From: firnsy [mailto:firnsy () securixlive com] 
Sent: Sunday, October 25, 2009 4:23 PM
To: Shenk, Jerry A
Cc: snort-users () lists sourceforge net; dev () securixlive com
Subject: Re: [Snort-users] Snort + barnyard2 + BASE

Shenk, Jerry A wrote:
Well, that certainly clears up a question that I had about the two
entries but it's not fixing things.  Basically, the only difference is
the extensions of .log and .u2 - I changed them this morning.


No, there's more of a difference than just the file name.

Here's my output line from my snort.conf:
output log_unified2: filename snort.u2, limit 128


Here's a summary of my previous post for clarity.

Use:

output unified2: filename snort.u2, limit 128

_Not:_

output log_unified2: filename snort.u2, limit 128

The snort.u2.xxx files are being created in the /var/log/snort
directory.  There is also the plaintext alert file.  Both those files
are being updated.

And my input line in barnyard2.conf is:
input unified2

I'm starting barnyard2 with:
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /etc/snort/barnyard.waldo

When I restart snort, it creates a new snort.u2.xxxx file.

I've tried additional outputs like just the syslog output:
Output alert_syslog:

Nothing I've done has gotten any output from barnyard2.


Again you're trying to use _alert_ plugins and only providing _log_ 
information in.

-----Original Message-----
From: firnsy [mailto:firnsy () securixlive com] 
Sent: Sunday, October 25, 2009 12:31 AM
To: Shenk, Jerry A
Cc: snort-users () lists sourceforge net; dev () securixlive com
Subject: Re: [Snort-users] Snort + barnyard2 + BASE

Shenk, Jerry A wrote:
Thanks for looking...I'm not sure what the deal is here...spent most of
the day on this...switching between versions of barnyard, trying to
track down what I can.  I'm getting data in the
/var/log/snort/snort.log.xxxx files.  Barnyard2 seems to be reading
those files and with the new version, it's summarizing the hits (ETH,
IPV4, TCP, UDP, etc.).  But, I'm not getting any output from
barnyard...I've primarily tried the syslog and database (mysql)
options.

Light bulb! If you have /var/log/snort/snort.log.XXXX files I'm
assuming you're using an output directive in your snort configuration
along the lines of:

output log_unified2: ...

If this is the case then you are outputting packet information only to
the log file and no alert information. On top of that you're trying to
source the alert information to send to the database, which is
non-existent.

The directives "alert_unified2" and "log_unified2" are legacies of the
original unified setup, that required barnyard-0.2.0 to read.

In the old set up you had alert file(s) which store snort events only
(ie no packet information) and log file(s) which store the offending
packets only (ie no snort alert information). It was then necessary for
barnyard-0.2.0 (the original) to process both of these files to
appropriately output information.

When unified2 came along the idea was to have _both_ alert and log
information in the one file as well as have the flexibility to add
other information such as portscan, or statistic type records.

It was deemed necessary to also provide legacy support for the old set
up and that is to allow unified2 information to be explicitly outputted
into a dedicated alert and log file.

However barnyard2 is designed to work with the true unified2 file where
both alert and log data coexist in the same file. To instantiate this
file the snort configuration output directive should look like the
following:

output unified2: filename snort.u2, limit 128

Note the absence of the legacy "alert_" and "log_" prefixes. This seems
to be the biggest stumbling block of people moving from unified (v1) to
unified2 setups. Perhaps it should go in my faq ... hang about it's
already there ;)

Hopefully this fixes your issue, but I'll still look to see if it's 
something in the code.

Regards,


Regards,

-- 
firnsy
www.securixlive.com
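As an added example (not from this thread, Snort or the barnyard2 project), a small Python walker over a unified2 file that reports whether the file carries event records at all, which is the quickest way to tell a log_unified2 file (packets only) from a true unified2 file. The record type numbers are taken from Snort's Unified2_common.h; the sample files are constructed here with zero-filled bodies, since only the record headers are inspected, and the walker also tolerates a partially written trailing record, which is normal for a file Snort is still appending to.

```python
import struct

# Record type numbers from Snort's Unified2_common.h. Every record starts
# with a big-endian (type, length) header followed by `length` body bytes.
UNIFIED2_PACKET = 2
EVENT_TYPES = {7, 72, 104, 105}          # IDS_EVENT and its IPv6/VLAN variants
HEADER = struct.Struct("!II")            # (type, length) in network byte order


def inventory(data):
    """Count records by type. A trailing partial record is normal for a file
    Snort is still writing, so it is reported as 'truncated', not an error."""
    counts, pos, truncated = {}, 0, False
    while pos < len(data):
        if len(data) - pos < HEADER.size:
            truncated = True
            break
        rtype, rlen = HEADER.unpack_from(data, pos)
        pos += HEADER.size
        if len(data) - pos < rlen:
            truncated = True
            break
        counts[rtype] = counts.get(rtype, 0) + 1
        pos += rlen
    return counts, truncated


def diagnose(data):
    """Return 'events', 'log-only' or 'empty' for a unified2 file."""
    counts, _ = inventory(data)
    if any(t in EVENT_TYPES for t in counts):
        return "events"                  # alert plugins in barnyard2 have data
    if counts.get(UNIFIED2_PACKET, 0):
        return "log-only"                # what 'output log_unified2:' produces
    return "empty"


def record(rtype, body):
    """Build one unified2 record; the body is opaque to the walker."""
    return HEADER.pack(rtype, len(body)) + body


# Constructed sample files (not captured from a real sensor).
LOG_ONLY = b"".join(record(UNIFIED2_PACKET, b"\x00" * 40) for _ in range(3))
PROPER = record(7, b"\x00" * 52) + record(UNIFIED2_PACKET, b"\x00" * 40)
PARTIAL = PROPER + HEADER.pack(7, 52) + b"\x00" * 10   # cut mid-record

if __name__ == "__main__":
    for name, blob in (("log_unified2", LOG_ONLY), ("unified2", PROPER)):
        print(name, diagnose(blob), inventory(blob))
```

Point it at a real /var/log/snort/snort.u2.xxxx by reading the file's bytes into `diagnose`; a "log-only" verdict means the snort.conf output line still carries the legacy "log_" prefix.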
