Snort mailing list archives

Re: snort 2.9.6.2 unified2


From: John Hally <JHally () EBSCO COM>
Date: Tue, 23 Sep 2014 09:41:07 +0000

Thanks Sharif,

That line is there, just a typo:
config archivedir: /var/log/barnyard2/archive config
process_new_records_only input unified2 output database: log, mysql,
user=snort password=###### dbname=###### host=####.####.com

Should have been:

config archivedir: /var/log/barnyard2/archive
config process_new_records_only
input unified2
output database: log, mysql, user=snort password=###### dbname=######
host=####.####.com


I’ve also verified that I can connect to mysql from the snort system using
the credentials, view tables, etc.

I can also manually run barnyard2 in batch mode and process individual
files.



Thanks,

John.





On 9/23/14, 5:32 AM, "Sharif Uddin" <Sharif.Uddin () spectrumasa com> wrote:

In barnyard add

output database: log, mysql, user=root password=*** dbname=snorby
host=localhost


make sure mysql is started.


In snort config change the logfile name

output unified2: filename snort.u2, limit 128



start barnyard2 after you have started snort


with

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w
/tmp/barnyard2.waldo


-----Original Message-----
From: John Hally [mailto:JHally () EBSCO COM]
Sent: 23 September 2014 10:24
To: Shirkdog
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.6.2 unified2

Hi Michael,

Barnyard config:

config reference_file:      /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file:            /etc/snort/etc/gen-msg.map
config sid_file:            /etc/snort/etc/sid-msg.map
config daemon
config logdir: /var/log/snort
config hostname: snort1
config interface:  eth1
config alert_with_interface_name
config waldo_file: /tmp/barnyard2.waldo
config reference_net: 10.0.0.0/8
config archivedir: /var/log/barnyard2/archive config
process_new_records_only input unified2 output database: log, mysql,
user=snort password=###### dbname=###### host=####.####.com



Relevant snort config:

config logdir: /var/log/snort
output unified2: filename snort.log, limit 128, nostamp


Startup of barnyard2:

/usr/local/bin/barnyard2 -u snort -g snort -c
/etc/barnyard2/barnyard2.conf -d /var/log/snort -w
/var/log/barnyard2/barnyard2.waldo

Startup of snort:

/usr/local/bin/snort -D -i eth1 -u snort -g snort -c
/etc/snort/etc/snort.conf


Thanks for the help!

John.


On 9/22/14, 9:40 PM, "Shirkdog" <shirkdog () gmail com> wrote:

Now we need your barnyard config to show that it is reading unified2
format. If your barnyard is 2.1-13 BETA (current git checkout), you
should have this in your conf file

# this is not hard, only unified2 is supported ;)
input unified2

---
Michael Shirk


On Mon, Sep 22, 2014 at 9:18 PM, John Hally <JHally () ebsco com> wrote:
Hi All,

I'm having an issue that I just can't figure out.

I'm trying to combine alerts and logs in unified2 format. I have the
following in my snort.conf file:

output unified2: filename snort.log, limit 128, nostamp

The issue is when I try to get barnyard2 to process the file. It seems
that if I run snort like the following, barnyard2 reports that it's
waiting for a spool file:

/usr/local/bin/snort -D -i eth1 -u snort -g snort -c
/etc/snort/etc/snort.conf

And barnyard2 never finds the snort.log file that is created.


BUT if I run snort this way:

/usr/local/bin/snort -A full -D -i eth1 -u snort -g snort -c
/etc/snort/etc/snort.conf

barnyard2 finds the snort.log.##### filename that gets created, but I
think the file format isn't correct.

Sorry if this is more of a barnyard2 issue than snort

Thanks!

John


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
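A check that settles the "is the file format correct" question from the original post, written for this page and not taken from Snort or barnyard2: a small reader that walks a unified2 spool file directly, independent of how the file is named, and prints one line per record. It decodes the two record types the thread is about (type 7, the IPv4 IDS event, and type 2, the packet record), using the layouts from Snort's Unified2_common.h (network byte order, each record self-delimited by a type/length header); any other record type (IPv6 or VLAN events, extra-data records) is skipped by its length field rather than decoded. The sample input is constructed in `build_sample()` so the script runs offline; the file path argument, field names and output format are this example's own choices.

```python
#!/usr/bin/env python3
"""Walk a Snort unified2 spool file and print what barnyard2 would read.

Added example; not code from Snort or barnyard2. Record layouts follow
Snort's Unified2_common.h. The sample spool contents are constructed.
"""
import socket
import struct
import sys
from typing import Any, Dict, Iterator, List

# Record type codes from Snort's Unified2_common.h
UNIFIED2_PACKET = 2        # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7     # Unified2IDSEvent (legacy IPv4 form, 52 bytes)
UNIFIED2_EXTRA_DATA = 110  # used here only to show an undecoded type being skipped

RECORD_HDR = struct.Struct(">II")      # type, length; network byte order
IDS_EVENT = struct.Struct(">11I2H4B")  # 52 bytes
PACKET_HDR = struct.Struct(">7I")      # 28 bytes, then packet_length bytes of frame

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag",
                "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def iter_records(data: bytes) -> Iterator[Dict[str, Any]]:
    """Yield one dict per record; raise ValueError if the file is truncated."""
    off = 0
    while off < len(data):
        if len(data) - off < RECORD_HDR.size:
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body = data[off + RECORD_HDR.size:off + RECORD_HDR.size + rlen]
        if len(body) != rlen:
            raise ValueError(f"truncated record at offset {off}: want {rlen}, have {len(body)}")
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            rec = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack(body)))
            for key in ("ip_source", "ip_destination"):   # uint32 -> dotted quad
                rec[key] = socket.inet_ntoa(struct.pack(">I", rec[key]))
            rec["type"] = "ids_event"
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            rec = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
            rec["packet"] = body[PACKET_HDR.size:PACKET_HDR.size + rec["packet_length"]]
            if len(rec["packet"]) != rec["packet_length"]:
                raise ValueError(f"packet record at offset {off} shorter than packet_length")
            rec["type"] = "packet"
        else:
            # Unknown or unhandled type: the length header lets us step over it safely.
            rec = {"type": "unknown", "record_type": rtype, "length": rlen}
        off += RECORD_HDR.size + rlen
        yield rec


def summarize(data: bytes) -> List[str]:
    """One text line per record, roughly in the style of a fast alert line."""
    out = []
    for r in iter_records(data):
        if r["type"] == "ids_event":
            out.append("[{generator_id}:{signature_id}:{signature_revision}] "
                       "{ip_source}:{sport_itype} -> {ip_destination}:{dport_icode} "
                       "proto={protocol} pri={priority_id} "
                       "t={event_second}.{event_microsecond:06d}".format(**r))
        elif r["type"] == "packet":
            out.append("packet event_id={event_id} len={packet_length} "
                       "linktype={linktype}".format(**r))
        else:
            out.append("record type {record_type} ({length} bytes) skipped".format(**r))
    return out


def build_sample() -> bytes:
    """Constructed spool contents: one IPv4 event, its packet, one skipped record."""
    src = struct.unpack(">I", socket.inet_aton("10.0.0.5"))[0]
    dst = struct.unpack(">I", socket.inet_aton("10.0.0.1"))[0]
    # sensor, event_id, sec, usec, sid, gid, rev, class, pri, src, dst,
    # sport, dport, proto, impact_flag, impact, blocked
    event = IDS_EVENT.pack(0, 1, 1411465000, 123456, 1000001, 1, 1, 0, 3,
                           src, dst, 54321, 22, 6, 0, 0, 0)
    frame = bytes(range(60))  # placeholder frame bytes, not a real Ethernet frame
    packet = PACKET_HDR.pack(0, 1, 1411465000, 1411465000, 123456, 1, len(frame)) + frame
    extra = b"\x00" * 16      # opaque body; the reader steps over it by length
    return b"".join(RECORD_HDR.pack(t, len(b)) + b for t, b in
                    ((UNIFIED2_IDS_EVENT, event), (UNIFIED2_PACKET, packet),
                     (UNIFIED2_EXTRA_DATA, extra)))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("\n".join(summarize(blob)))
```

Run it against the file Snort actually wrote (`python3 u2read.py /var/log/snort/snort.log`). If the records decode, the content is not the problem and what remains is how barnyard2 locates the spool file: the base name given with `-f` has to match what Snort writes, and Snort only produces the bare `snort.log` name when `nostamp` is set, appending a Unix timestamp suffix otherwise. The working configuration in the thread drops `nostamp`, which is consistent with barnyard2 in continuous mode looking for `<base>.<timestamp>` files in the spool directory and reporting that it is waiting for a spool file when only the unsuffixed name exists.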


