Re: Load alerts read from file to database

[Tural Aghazada <agazade.tural () gmail com>]

Hello,

Please remove me from the email listing. It's filling up my mailbox too
much and too fast.

Thanks

Best Regards,

Tural




















Tural Aghazada   CEO
Aghazada MMC
m: +994558715919 a: Baku,Azerbaijan
s: www.aghazada.info e: tural () aghazada info
<https://twitter.com/aghazada_tural>
<https://www.linkedin.com/in/tural-aghazada-02443736>



On Tue, Feb 7, 2017 at 7:31 AM, Paul Li <paul () scybersecurity com> wrote:

> Hi Al,
>
> Just read again barnyard2 configuration file's comments: look like
> barnyard2 supports only u2 files. The issue on my side looks like that no
> u2 files were generated but only log files were generated. I reinstalled
> barnyard2. Now both u2 and log files were generated.
>
> Thanks again!
>
> Paul
>
> On Mon, Feb 6, 2017 at 6:28 PM, Paul Li <paul () scybersecurity com> wrote:
>
> > Thanks Al for the hints. Much appreciated.  After Snort read a file, all
> > the alerts are in a snort.log.xxxxx file. I tried to set up barnyard2 read
> > snort.log as the base from the command line as the following:
> >
> > sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f
> > snort.log -w /var/log/snort/barnyard2.waldo -g snort-user -u snort-pass
> >
> > But looks like barnyard2 is still reading the snort.u2 base file. here's
> > c&p the messages from the console:
> >
> > ------console output-----
> >
> > Using waldo file '/var/log/snort/barnyard2.waldo':
> >
> >     spool directory = /var/log/snort
> >
> >     spool filebase  = snort.u2
> >
> >     time_stamp      = 1486185613
> >
> >     record_idx      = 0
> >
> > Opened spool file '/var/log/snort/snort.u2.1486185613'
> >
> > ....
> >
> > ------console output end-----
> >
> > Tried to edit barnyard2.waldo, but looks like it's a binary file. Is
> > there a way to make barnyard2 read snort.log.xxxxx instead of
> > snort.u2.xxxxx?
> >
> >
> > Thanks,
> >
> > Paul
> >
> >
> >
> > On Sat, Feb 4, 2017 at 6:10 PM, Al Lewis (allewi) <allewi () cisco com>
> > wrote:
> >
> > > Are the alert files in unified2 format?
> > >
> > > You may want to look here for some more info on barnyard.
> > >
> > > https://github.com/firnsy/barnyard2
> > >
> > >
> > > https://github.com/firnsy/barnyard2/tree/master/doc
> > >
> > >
> > >
> > > *Albert Lewis*
> > >
> > > ENGINEER.SOFTWARE ENGINEERING
> > >
> > > SOURCE*fire*, Inc. now part of *Cisco*
> > >
> > > Email: allewi () cisco com
> > >
> > > From: Paul Li <paul () scybersecurity com>
> > > Date: Saturday, February 4, 2017 at 1:05 AM
> > > To: 'snort-users' <snort-users () lists sourceforge net>
> > > Subject: [Snort-users] Load alerts read from file to database
> > >
> > > I'm using Snort to read a file and Snort generates alerts. But when
> > > tried using Barnyard2 load these alerts to database, no alerts were loaded.
> > > Is there any configuration I should change to make it work, or Barnyard2
> > > doesn't support loading alerts from files?
> > >
> > > (When Snort generates alerts from monitoring a networking interface,
> > > Barnyard successfully loaded alerts to the database.)
> > >
> > > Thanks,
> > > Paul
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!