Snort mailing list archives

Re: snort 2.9.6.2 unified2


From: John Hally <JHally () EBSCO COM>
Date: Tue, 23 Sep 2014 09:23:52 +0000

Hi Michael,

Barnyard config:

config reference_file:      /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file:            /etc/snort/etc/gen-msg.map
config sid_file:            /etc/snort/etc/sid-msg.map
config daemon
config logdir: /var/log/snort
config hostname: snort1
config interface:  eth1
config alert_with_interface_name
config waldo_file: /tmp/barnyard2.waldo
config reference_net: 10.0.0.0/8
config archivedir: /var/log/barnyard2/archive
config process_new_records_only
input unified2
output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com



Relevant snort config:

config logdir: /var/log/snort
output unified2: filename snort.log, limit 128, nostamp


Startup of barnyard2:

/usr/local/bin/barnyard2 -u snort -g snort -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -w /var/log/barnyard2/barnyard2.waldo

Startup of snort:

/usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf


Thanks for the help!

John.
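
A quick way to check what is actually in the spool file that barnyard2 picks up: the script below is an added example for this thread, not code from the thread's participants or from the Snort or barnyard2 projects. It reads a file, recognises a libpcap global header by its magic number, and otherwise walks the Serial_Unified2_Header records (big-endian type and length) and decodes the legacy IDS event record. The record type codes are recalled from Snort's Unified2_common.h and should be confirmed against the header shipped with your Snort version; the sample records are constructed inline so the script runs offline.

```python
import struct
import socket

# Record type codes from Snort's Unified2_common.h (as recalled; confirm
# against the header shipped with your Snort version).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_V2 = 104
UNIFIED2_IDS_EVENT_IPV6_V2 = 105
UNIFIED2_EXTRA_DATA = 110
KNOWN_TYPES = {UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_V2, UNIFIED2_IDS_EVENT_IPV6_V2, UNIFIED2_EXTRA_DATA}

# libpcap file magic numbers (both byte orders, micro- and nanosecond variants).
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}

# Serial_Unified2_Header: uint32 type, uint32 length, network byte order.
HEADER = struct.Struct("!II")
# Unified2IDSEvent_legacy (record type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
IDS_EVENT = struct.Struct("!11I2H4B")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)


def iter_records(data: bytes):
    """Yield (type, payload) for each record; raise ValueError on a truncated file."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + rlen > len(data):
            raise ValueError(f"record of type {rtype} truncated at offset {off}")
        yield rtype, data[off:off + rlen]
        off += rlen
    if off != len(data):
        raise ValueError("trailing bytes after last record")


def identify_spool(data: bytes) -> str:
    """Classify a spool file as 'pcap', 'unified2', 'empty' or 'unknown'."""
    if len(data) == 0:
        return "empty"
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    try:
        types = [t for t, _ in iter_records(data)]
    except ValueError:
        return "unknown"
    return "unified2" if types and all(t in KNOWN_TYPES for t in types) else "unknown"


def parse_ids_event(payload: bytes) -> dict:
    """Decode a legacy IDS event record into a dict with dotted-quad addresses."""
    if len(payload) != IDS_EVENT.size:
        raise ValueError(f"expected {IDS_EVENT.size}-byte legacy IDS event, got {len(payload)}")
    ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(payload)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
    return ev


def make_record(rtype: int, payload: bytes) -> bytes:
    """Prefix a payload with a Serial_Unified2_Header."""
    return HEADER.pack(rtype, len(payload)) + payload


def ip_to_int(dotted: str) -> int:
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


# Constructed sample: one legacy IDS event followed by its packet record.
SAMPLE_EVENT = IDS_EVENT.pack(
    1, 42, 1411374000, 123456,          # sensor, event id, seconds, microseconds
    1000001, 1, 3, 29, 2,               # sid, gid, rev, classification, priority
    ip_to_int("10.1.2.3"), ip_to_int("192.0.2.10"),
    51515, 80,                          # source port, destination port
    6, 0, 0, 0,                         # TCP, impact_flag, impact, blocked
)
SAMPLE_PACKET_DATA = b"\x45\x00\x00\x28" + b"\x00" * 36  # constructed, 40 bytes
SAMPLE_PACKET = struct.pack("!7I", 1, 42, 1411374000, 1411374000, 123456, 1,
                            len(SAMPLE_PACKET_DATA)) + SAMPLE_PACKET_DATA
SAMPLE_UNIFIED2 = (make_record(UNIFIED2_IDS_EVENT, SAMPLE_EVENT)
                   + make_record(UNIFIED2_PACKET, SAMPLE_PACKET))
# Constructed pcap global header: magic, version 2.4, zone, sigfigs, snaplen, Ethernet.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_UNIFIED2
    kind = identify_spool(data)
    print(f"{path or '<constructed sample>'}: {kind}")
    if kind == "unified2":
        for rtype, payload in iter_records(data):
            if rtype == UNIFIED2_IDS_EVENT:
                print(parse_ids_event(payload))
            else:
                print(f"record type {rtype}, {len(payload)} bytes")
```

Run it with the path of the file under /var/log/snort that barnyard2 found (or with no argument to see the constructed sample): a result of "pcap" means the file is a tcpdump-format packet log rather than a unified2 spool, while "unified2" with decoded events means the output plugin is writing what barnyard2's `input unified2` expects.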


On 9/22/14, 9:40 PM, "Shirkdog" <shirkdog () gmail com> wrote:

Now we need your barnyard config to show that it is reading unified2
format. If your barnyard is 2.1-13 BETA (current git checkout), you
should have this in your conf file

# this is not hard, only unified2 is supported ;)
input unified2

---
Michael Shirk


On Mon, Sep 22, 2014 at 9:18 PM, John Hally <JHally () ebsco com> wrote:
Hi All,

I'm having an issue that I just can't figure out.

I'm trying to combine alerts and logs in unified2 format, for which I have the following in my snort.conf file:

output unified2: filename snort.log, limit 128, nostamp

The issue is when I try to get barnyard2 to process the file. It seems that if I run snort like the following, barnyard2 reports that it's waiting for a spool file:

/usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf

And barnyard2 never finds the snort.log file that is created.


BUT if I run snort this way:

/usr/local/bin/snort -A full -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf

barnyard2 finds the snort.log.##### filename that gets created, but I think the file format isn't correct.

Sorry if this is more of a barnyard2 issue than a Snort one.

Thanks!

John


------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
