Snort mailing list archives

Snort/Barnyard2 Logging


From: Eric Luellen <eluellen () perimeterusa com>
Date: Fri, 13 Jul 2012 20:33:53 +0000

Hello,

I need some help with my Snort/Barnyard2 setup. My goal is to have Snort send unified2 logs to Barnyard2 and then have 
Barnyard2 send the data to other locations. Here is my current setup.

OS
- Scientific Linux 6

Snort Version
- 2.9.2.3

Barnyard2 Version
- 2.1.9

Snort command
- snort -c /etc/snort/snort.conf -i eth2 &

Barnyard2 command
- /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo &

snort.conf
- output unified2: filename snort.log, limit 128

barnyard2.conf
- output alert_syslog: host=127.0.0.1
- output database: log, mysql, user=snort dbname=snort password=password host=localhost

With this setup, barnyard2 is showing all of the correct information in the database and I'm using BASE to view it on 
the web GUI. I was hoping to be able to send the full packet data to syslog with barnyard2 but after reading 
around (http://serverfault.com/questions/330554/snort-not-logging-full-output-to-syslog), it seems that it is impossible 
to do that. So I then started trying to modify the snort.conf file and add lines like "output alert_full: alert.full". 
This definitely gave me a lot more information but still not the full packet data like I want. So my question is: is 
there any way I can use barnyard2 to send the full packet data of alerts to a human-readable file? Since I can't send 
it directly to syslog, I can create another process to take the data from that file and ship it off to another server. 
If not, what flags and/or snort.conf configuration would you recommend to get the most data possible but still be able 
to handle quite a bit of traffic? At the end of it all, these alerts will be shipped to a central server via an SSH 
tunnel. I'm trying to stay away from databases and would like to get the type of output you get when you add the -v 
flag and log to the console. However, I don't want it for all traffic, just the alerts. Thanks in advance for any help.

Eric Luellen, CISSP, GCED
Level II  Security Analyst
Perimeter E-Security
919.228.2523
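The post's pipeline hands Snort's binary unified2 spool to Barnyard2, and the question is how to get the alert plus its captured packet back out as flat text. The script below is an added example written for this archive page, not code from the poster, from Snort or from Barnyard2: it reads a unified2 byte stream directly and renders each alert and the packet record Snort attaches to it as console-style text with a hex/ASCII dump, which is the shape of output the post is after. Record layouts are taken from Snort's Unified2_common.h as I know them; only the legacy IPv4 event record (type 7) and the packet record (type 2) are handled, other record types are skipped, and the sample stream at the bottom is constructed inline so the script runs offline. Field names such as `build_sample` and `render` are this example's own.

```python
#!/usr/bin/env python3
"""Minimal unified2 reader: alert records + attached packets -> flat text."""
import socket
import struct

# Record types from Snort's unified2 format (Unified2_common.h).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event record, 52 bytes

RECORD_HDR = struct.Struct(">II")  # record type, body length
# sensor_id event_id event_sec event_usec sig_id gen_id sig_rev class_id prio
# ip_src ip_dst sport/itype dport/icode proto impact_flag impact blocked
EVENT_V1 = struct.Struct(">11I2H4B")
# sensor_id event_id event_sec pkt_sec pkt_usec linktype pkt_len, then bytes
PACKET_HDR = struct.Struct(">7I")


def iter_records(data: bytes):
    """Yield (type, body) for each complete record. A partial record at the
    tail is left alone, as Barnyard2 does while Snort is still writing."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        start = off + RECORD_HDR.size
        if start + length > len(data):
            break
        yield rtype, data[start:start + length]
        off = start + length


def parse_event(body: bytes) -> dict:
    f = EVENT_V1.unpack_from(body)
    return {"kind": "event", "sensor": f[0], "event_id": f[1], "ts": f[2],
            "sid": f[4], "gid": f[5], "rev": f[6], "class": f[7], "prio": f[8],
            "src": socket.inet_ntoa(struct.pack(">I", f[9])),
            "dst": socket.inet_ntoa(struct.pack(">I", f[10])),
            "sport": f[11], "dport": f[12], "proto": f[13]}


def parse_packet(body: bytes) -> dict:
    h = PACKET_HDR.unpack_from(body)
    pkt = body[PACKET_HDR.size:PACKET_HDR.size + h[6]]
    if len(pkt) != h[6]:
        raise ValueError("packet record shorter than its packet_length")
    return {"kind": "packet", "sensor": h[0], "event_id": h[1], "ts": h[3],
            "usec": h[4], "linktype": h[5], "data": pkt}


def parse_unified2(data: bytes) -> list:
    out = []
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            out.append(parse_event(body))
        elif rtype == UNIFIED2_PACKET:
            out.append(parse_packet(body))
        # IPv6 events, V2 events and extra-data records are skipped here
    return out


def hexdump(b: bytes, width: int = 16) -> str:
    lines = []
    for i in range(0, len(b), width):
        chunk = b[i:i + width]
        hexpart = " ".join(f"{c:02X}" for c in chunk)
        asc = "".join(chr(c) if 32 <= c < 127 else "." for c in chunk)
        lines.append(f"{hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def render(records: list) -> str:
    """Alert line, then the packet Snort attached to the same event_id."""
    lines = []
    for r in records:
        if r["kind"] == "event":
            lines.append(f"[**] [{r['gid']}:{r['sid']}:{r['rev']}] "
                         f"event_id={r['event_id']} class={r['class']} "
                         f"prio={r['prio']} [**]")
            lines.append(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
                         f"proto={r['proto']} ts={r['ts']}")
        else:
            lines.append(f"-- packet for event_id={r['event_id']} "
                         f"linktype={r['linktype']} len={len(r['data'])}")
            lines.append(hexdump(r["data"]))
        lines.append("")
    return "\n".join(lines)


def build_sample() -> bytes:
    """Constructed unified2 stream: one alert plus its Ethernet/IP/TCP frame
    (checksums left zero; this is sample input, not a real capture)."""
    src, dst = socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10")
    event = EVENT_V1.pack(1, 42, 1342200000, 0, 1000001, 1, 1, 3, 2,
                          struct.unpack(">I", src)[0],
                          struct.unpack(">I", dst)[0],
                          43210, 80, 6, 0, 0, 0)
    payload = b"GET / HTTP/1.0\r\n\r\n"
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000,
                     64, 6, 0, src, dst)
    tcp = struct.pack(">HHIIBBHHH", 43210, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    frame = eth + ip + tcp + payload
    packet = PACKET_HDR.pack(1, 42, 1342200000, 1342200000, 1234, 1,
                             len(frame)) + frame
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    print(render(parse_unified2(build_sample())))
```

To use it against a real spool, replace `build_sample()` with the bytes of a `snort.log.<timestamp>` file and remember the tail-handling rule: a record that is not yet complete is not an error, it is Snort mid-write, which is exactly why Barnyard2 keeps a waldo file of its read position instead of treating the file as finished.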







Snort-users mailing list: https://lists.sourceforge.net/lists/listinfo/snort-users