Re: Snort output plugins using Barnyard.

[fatema bannatwala <fatema.bannatwala () gmail com>]

Currently, we are using 2.9.7.5 version of snort.
I checked the snort.org website and it says the latest release is 2.9.8.3,
that means we are one version behind.
I will check to see if we can upgrade to 2.9.8.3 in production.
Meanwhile, any suggestions on the issue for the current version that we are
running?

Thanks,
Fatema.

On Tue, Sep 20, 2016 at 3:23 PM, Joel Esler (jesler) <jesler () cisco com>
wrote:

> Any reason why you didn’t move directly to the most updated version of
> Snort, first of all?  Since all but, 2.9.7.6 is EOL?
>
> --
> *Joel Esler*
> Manager
> Talos Group
> http://www.talosintelligence.com
>
>
> On Sep 20, 2016, at 2:55 PM, fatema bannatwala <
> fatema.bannatwala () gmail com> wrote:
>
> Hi,
>
> We have snort 2.9.7 up and running, with unified2 format output setup in
> snort.conf.
> We also have barnyard2 configured to log the snort unified2 output in
> different formats.
> We have two output plugins enabled in barnyard, one is to syslog to local1
> facility  (output alert_syslog: LOG_INFO LOG_LOCAL1) and another one to log
> the alerts into a postgres DB (output database: log, postgresql,
> user=db_user password=some_password dbname=snorby host=host123.somedomain).
>
> Recently we ran into an issue where snort stopped sending the syslog
> messages to local facility, when the other barnyard plugin ,i.e, database
> connection failed.
> Hence my question is, does snort stop processing other output plugins as
> well, if any one of them fails in barnyard?
> or is there any way to make sure the other output plugins still get
> processed if one of them fails?
>
> Also, the order of the output plugins definition in barnyard2.conf is,
> first the syslog output is defined and at the end of the file database
> output plugin is defined.
> Hence I was thinking that snort should have processed the syslog plugin
> and have sent the syslogs to local1, before processing the database plugin
> and finding out that it is not able to connect to the database.
>
> Any suggestion/comment appreciated.
>
> Thanks,
> Fatema.
> ------------------------------------------------------------
> ------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!