Snort mailing list archives
Snort/Banyard2 Logging
From: Eric Luellen <eluellen () perimeterusa com>
Date: Fri, 13 Jul 2012 20:33:53 +0000
Hello, I need some help with my Snort/Barnyard2 setup. My goal is to have Snort send unified2 logs to Barnyard2 and then have Barnyard2 send the data to other locations. Here is my current setup. OS - Scientific Linux 6 Snort Version - 2.9.2.3 Barnyard2 Version - 2.1.9 Snort command - snort -c /etc/snort/snort.conf -i eth2 & Barnyard2 command - /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo & snort.conf - output unified2: filename snort.log, limit 128 barnyard2.conf - output alert_syslog: host=127.0.0.1 - output database: log, mysql, user=snort dbname=snort password=password host=localhost With this setup, barnyard2 is showing all of the correct information in the database and I'm using BASE to view it on the web GUI. I was hoping to be able to send the full packet data to syslog with barnyard2 but after reading around<http://serverfault.com/questions/330554/snort-not-logging-full-output-to-syslog>, it seems that it is impossible to do that. So I then started trying to modify the snort.conf file and add lines like "output alert_full: alert.full". This definitely gave me a lot more information but still not the full packet data like I want. So my question is, is there any way I can use barnyard2 to send the full packet data of alerts to a human readable file? Since I can't send it directly to syslog, I can create another process to take the data from that file and ship it off to another server. If not, what flags and/or snort.conf configuration would you recommend to get the most data possible but still be able to handle quite a bit of traffic? In the end of it all, these alerts will be shipped to a central server via a SSH tunnel. I'm trying to stay away from databases and would like to get the type of output you get when you add the -v flag and log to the console. However I don't want it for all traffic, just the alerts. Thanks in advance for any help. snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Eric Luellen, CISSP, GCED Level II Security Analyst Perimeter E-Security 919.228.2523 -- The sender of this email subscribes to Perimeter E-Security's email anti-virus service. This email has been scanned for malicious code and is believed to be virus free. For more information on email security please visit: http://www.perimeterusa.com/services/messaging This communication is confidential, intended only for the named recipient(s) above and may contain trade secrets or other information that is exempt from disclosure under applicable law. Any use, dissemination, distribution or copying of this communication by anyone other than the named recipient(s) is strictly prohibited. If you have received this communication in error, please delete the email and immediately notify our Command Center at 203-541-3444.
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort/Banyard2 Logging Eric Luellen (Jul 13)
- Re: Snort/Banyard2 Logging beenph (Jul 13)
- Re: Snort/Banyard2 Logging Eric Luellen (Jul 17)
- Re: Snort/Banyard2 Logging beenph (Jul 17)
- Re: Snort/Banyard2 Logging Eric Luellen (Jul 17)
- Re: Snort/Banyard2 Logging beenph (Jul 13)