Snort mailing list archives
RE: barnyard, alerts, logs and acid
From: "Chris Eidem" <ceidem () Dexma com>
Date: Fri, 2 Aug 2002 10:57:29 -0500
-*> Snort! <*- Version 1.8.7 (Build 128)
-*> Barnyard! <*- Version 0.1.0-rc2 (Build 11)
acid-0.9.6b22 from cvs (yesterday)
so far so good.
Acid isn't showing any alerts picked up and inserted by barnyard. I have that version of snort using:

output alert_unified: filename snort.unified.alert, limit 64
output log_unified: filename snort.unified.log, limit 64

barnyard.conf has:

config hostname: myhost.localnet
config interface: eth0
processor dp_alert
processor dp_log
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password mypass, detail full
you don't really need both. it is my understanding that log_acid_db contains all the info that alert_acid_db has.
Now, the command-line:

barnyard -c /etc/snort/barnyard.conf -d /var/log/snort/barnyard/ -s /etc/snort/sid-msg.map -f snort.unified.alert

Which bunch of files should be processed first? alert or log? Should there be two instances of barnyard? Doesn't log include alert? What happened is that barnyard inserted lots of data into acid, but acid wouldn't show it. The main page showed some percentages regarding tcp, udp and icmp, but it didn't actually have any alerts. All searches and queries would end up with zero alerts in the database.
it looks like your messages are there but they don't have a sensor id in the database records. do a "SELECT * FROM sensor;" and see if you have any records. if you don't, do a "insert into sensor values('1','test','doodle doodle dee','NULL',1,0);" that should do it.

hope that helps,

- chris
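The diagnosis in the reply above, as an added example that is not part of the thread or of barnyard/ACID: events carrying a sensor_id that has no row in the sensor table are invisible to a viewer that joins event to sensor. The script uses sqlite3 in place of MySQL and a cut-down sensor/event schema and sample rows that are constructed for the example; the hostname and interface passed to register_sensor are the ones from the quoted barnyard.conf.

```python
import sqlite3

# Constructed stand-in for the snort/ACID database (sqlite3 instead of MySQL),
# keeping only the columns this check needs; the real schema has more.
SCHEMA = """
CREATE TABLE sensor (
    sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
    filter TEXT, detail INTEGER, encoding INTEGER);
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid));
"""

# Constructed sample data: barnyard wrote events tagged sensor_id 1,
# but nobody ever created sensor row 1.
SAMPLE_EVENTS = [
    (1, 1, 469, "2002-08-02 10:00:01"),
    (1, 2, 469, "2002-08-02 10:00:05"),
    (1, 3, 1243, "2002-08-02 10:01:12"),
]

# Events whose sid has no matching sensor row, grouped by sid.
ORPHAN_QUERY = """
SELECT e.sid, COUNT(*) AS n
FROM event e LEFT JOIN sensor s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", SAMPLE_EVENTS)
    conn.commit()
    return conn

def orphaned_sensor_ids(conn):
    """Return {sid: event_count} for events with no sensor row."""
    return dict(conn.execute(ORPHAN_QUERY).fetchall())

def register_sensor(conn, sid, hostname, interface, detail=1, encoding=0):
    """Create the missing sensor row; filter is stored as a real SQL NULL."""
    conn.execute("INSERT INTO sensor VALUES (?,?,?,NULL,?,?)",
                 (sid, hostname, interface, detail, encoding))
    conn.commit()

def visible_events(conn):
    """Events that survive an inner join to sensor (what a console can show)."""
    return conn.execute(
        "SELECT COUNT(*) FROM event e JOIN sensor s ON s.sid = e.sid").fetchone()[0]
```

Run orphaned_sensor_ids against the live database before inserting anything; every sid it reports needs a sensor row, and the same LEFT JOIN works unchanged on MySQL.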