Re: Barnyard2 + Snort

[Fábio Ferrão <ferrao04 () gmail com>]

Guys,
Barnyard is OK now! Thank you very much!

The problem was that -d parameter was /var/spool/barnyard2 and the -f
parameter was /usr/local/snort/snort.u2. Can't differents paths!!!
But, really not necessary put the full path in -f parameter. The barnyard2
look for the path of -d parameter.

Thanks!!!

2010/3/25 <snort () leeclemens net>

> I believe -f uses the prefix, not the full directory path supplied after
> -d.  If using continous mode, you should configure waldo file, or use -w as
> well.
>
> -----Original Message-----
> From:  Fábio Ferrão <ferrao04 () gmail com>
> Date:  Thu Mar 25, 2010 14:50
>
> Dears,
>
> My barnyard2 is initialize with success, but the alerts arent registering
> in BASE.
> The snort.conf is:
>
>
> # output database: log, mysql, user=snort password=test dbname=snort
> host=xx.xx.xx.xx sensor_name=test_server
>  # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, odbc, user=snort dbname=snort
> # output database: log, mssql, dbname=snort user=snort password=test
>  # output database: log, oracle, dbname=snort user=snort password=test
>
> output alert_unified: filename snort_uni.alert, limit 128
> output log_unified: filename snort_uni.log, limit 128
>  output unified2: filename snort.unified2, limit 128
>
>
> The snort initialization is:
>
>
> /etc/rc.conf
> snort_enable="YES"
> snort_flags="-D -q"
>  snort_interface="bge1"
> snort_conf="/usr/local/snort/snort.conf"
> snort_group="snortgrp"
>
>
>
>
>
> The barnyard2.conf is:
>
>
> config reference-map:   /usr/local/snort/reference.config
> config class-map:          /usr/local/snort/classification.config
> config gen-msg-map:     /usr/local/snort/gen-msg.map
>  config sid-msg-map:         /usr/local/snort/sid-msg.map
>
> config hostname:        teste_server
> config interface:       bge1
>
>
>
> # Step 2: setup the input plugins
>  input unified2
>
> output database: log, mysql, user=snort password=test dbname=snort
> host=xx.xx.xx.xx sensor_name=test_server
> output database: alert, mysql, user=snort password=suporte dbname=snort
> host=xx.xx.xx.xx sensor_name=teste_server
>
>
>
> The barnyard2 initialization is:
>
>
> ####BARNYARD2####
> barnyard2_enable="YES"
> barnyard2_flags="-D -q -d /var/spool/barnyard2 -f
> /var/log/snort/snort.unified2"
>  barnyard2_conf="/usr/local/etc/barnyard2.conf"
>
>
>
>
>
> Im trying, but barnyard isnt success yet.
>
>
> Can somebody help me?
>
>
> Thanks.
>
> --
> Fábio Ferrão
>
> "E conhecereis a verdade e a verdade vos libertará".    João 8.32
> "And you will know the truth and the truth you will free".    John 8.32


-- 
Fábio Ferrão

"E conhecereis a verdade e a verdade vos libertará".    João 8.32
"And you will know the truth and the truth you will free".    John 8.32

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users