Re: data base

[Abid Ayoub <abid.ayoub () gmail com>]

Hi

Thanks a lot , this is clear now.

So , barnyard2 will save in the data base only the alert ? can i make a
configuration to tell barnyard to save all the traffic ?

Thanks
Abid


2013/7/26 waldo kitty <wkitty42 () windstream net>

> On 7/26/2013 05:05, Abid Ayoub wrote:
> > Hi,
> >
> >
> > Thank you for the answer.
> > ok , so i should run barnyard2 then run snort. In this case, branyard2
> will
> > detect the new generated file by snort and put the data into snort data
> base. is
> > this right ?
>
> yes... you should be able to execute them in either order... i don't
> believe
> that is critical...
>
> > you mention "unified2 log file" , is this the gnerated file by snort ?
> for
> > examlpe snort.log.1374827257 ?
>
> the name depends on your configuration... by default (and with -A full -b)
> snort
> creates a text file of all the alerts named alert and it creates a new
> snort.log.xxxxxxxxxx for each session... these snort.log.xxxxxxxxxx files
> are
> actually pcaps of the data that caused snort to raise the alerts...
>
> > So when i run  the following command :
> > /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d
> > /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
>
> previously and now, when i see the "-f snort.u2" portion, i'm guessing
> that that
> indicates which base file name BY2 is to read and process...
>
> > snort.u2 is the genrated file, read by barnyard2 from te directrory
> /var/log/snort ?
> > should i mention other options in barnyard2 command ?
>
> if my guess above is accurate, you have at least this in your snort
> config...
>
>    output unified2: filename snort.u2
>
> you may have additional parameters enhancing it... this results in files
> named
> snort.u2.xxxxxxxxxx in your snort log directory... those are the unified2
> log
> files... one for each session that snort is executed...
>
> FWIW: snort.u2 is the base file name and the .xxxxxxxxxx (10 digits) are
> the
> unix timestamp of when the file was created ;)
>
> > Thanks a lot
> > Abid
> >
> >
> > 2013/7/24 waldo kitty <wkitty42 () windstream net <mailto:
> wkitty42 () windstream net>>
> >     On 7/24/2013 05:45, Abid Ayoub wrote:
> >      > Hello,
> >      > i want to save the sniff result in a data base.
> >      > So , how can i do that when i have a lot of traffic?
> >      > Soll i use barnyard2 , i didn´t understand why should i use it
> and what for ?
> >     barnyard2 reads the snort unified2 log file and puts the data into
> the database
> >     for you... barnyard2 handles all the database communication...
> before, when
> >     snort tried to do it, snort could get hung up waiting on the
> database to
> >     respond... during that period, traffic would be lost to snort and it
> could not
> >     analyze it... since the alerts and evidence are written to the
> unified2 log,
> >     barnyard2 can put it in the database when possible... if the
> database is down
> >     for some reason, barnyard2 will wait for the database to come back
> and then
> >     continue to put the data in... all this time, snort is still
> analyzing the
> >     traffic and no data is lost...
> >
> >     does that answer your questions?
>
>
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!