Snort mailing list archives
Re: Barnyard woes
From: Ken Gunderson <kgunders () teamcool net>
Date: Tue, 18 Feb 2003 09:16:00 -0700
On Tuesday 18 February 2003 08:15 am, Joerg Weber wrote:
> Hello everyone,
>
> I've had barnyard running on my test-system, but didn't like the way I had things set up, so I decided to do a clean, neat config. Big mistake :) Here's my problem:
>
> 1) I'd like to use SnortCenter to maintain my sensors. SnortCenter adds the unified plugin like this:
>
>     output log_unified: filename snort-unified, limit 500
>
> but no alert_unified. Should I add this by hand via a preprocessor?
preprocessor??? unified is an output plugin...;-) i have only been experimenting with barnyard, but the following is my understanding thus far: if you want to be logging alerts.... but i don't think you can point it to the same file as the log because barnyard can only take one input per instance in its present incarnation. hence you need to point output to a second file and run two instances of barnyard.
> 2) Snort's running fine and happily logging into /var/log/snort/snort-unified. Now I'm setting up my barnyard.conf like
>
>     config hostname: Inhouse
>     config interface: eth1
>     processor dp_alert
>     processor dp_log
>     processor dp_stream_stat
>     output log_acid_db: mysql, sensor_id 7, database snort, server [ip], user [user], password [root]
this will log "logs" to database. you also need alert_acid_db if you want to log alerts to db as well, but then since snort unified will log "log" events to both snort-unified.log and snort-unified.alert, you will get two inserts into your db per log event. if you only use alert_acid_db, you miss logging the payload. if you only use log_acid_db, then you miss logging alerts. (while barnyard can only take one input per instance, i think one instance of barnyard is capable of logging events to >1 output). so you're back to 2 instances, logging "log" events to db and "alert" events to file (or vice versa and not having payload data logged to db).
> Now I'm starting barnyard like
>
>     barnyard -c /root/barnyard-0.1.0-beta5/etc/barnyard.conf -f /var/log/snort/snort-unified -w /var/log/snort/waldo
>
> And the result looks like
>
>     Skipping tagged packet 1389
>     Skipping tagged packet 1392
>     Skipping tagged packet 1394
>     Skipping tagged packet 1396
>     Skipping tagged packet 1398
>     [and on and on and on...]
>
> What's up with that?
what does mysql give you when you SELECT * ON sensor? does it jive with what your barnyard config has? the first thing i would suggest when troubleshooting something like this would be to upgrade to the latest stable release.
> 3) Same happens when I try to run barnyard with the -f /var/log/snort/scan.log
>
> 4) The reason I'm running into this is my dislike of running two instances of barnyard, one for log, one for alert. Isn't there a more clever way to do things?
afaik, this is the only way you can do it because of barnyard's limitation to one input source per instance. hope this helped some.

--
Best regards,

Ken Gunderson
PGP Key-- 9F5179FD

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
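The two-instance layout Ken describes, written out as an added example (this is not code from the thread or from the barnyard project). It generates one barnyard config that feeds "log" records (with payload) into the database via log_acid_db, and a second that sends "alert" records to a flat file, so the database does not receive two inserts per event. Assumptions: snort's unified output writes snort-unified.log and snort-unified.alert into the spool directory (the reply names both files); barnyard's -d (spool directory) and -f (base filename) split, with a separate -w waldo file per instance so the two bookmarks never overwrite each other; alert_fast as the flat-file output plugin syntax; the config file names, the waldo names and the database arguments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: lay out two barnyard instances, one per
# unified spool file, as the reply recommends.
# Assumed: snort writes snort-unified.log / snort-unified.alert into $SPOOL,
# barnyard takes -d <spool dir> -f <base name> -w <waldo file>, and alert_fast
# is the flat-file output plugin. All database values are placeholders.
SPOOL=${SPOOL:-/var/log/snort}
ETC=${ETC:-/etc/barnyard}
DB_ARGS="mysql, sensor_id 7, database snort, server DB_HOST_PLACEHOLDER, user DB_USER_PLACEHOLDER, password DB_PASS_PLACEHOLDER"

# write_conf log|alert: print the barnyard.conf for that instance on stdout
write_conf() {
  printf 'config hostname: Inhouse\nconfig interface: eth1\n'
  case "$1" in
    log)
      # dp_log decodes "log" records; these carry the packet payload, so they
      # are the ones worth storing in the database
      printf 'processor dp_log\n'
      printf 'output log_acid_db: %s\n' "$DB_ARGS"
      ;;
    alert)
      # dp_alert decodes "alert" records; writing them to a file instead of
      # alert_acid_db avoids a second database row for every logged event
      printf 'processor dp_alert\n'
      printf 'output alert_fast: %s/snort-alert.fast\n' "$SPOOL"   # assumed syntax
      ;;
    *)
      echo "usage: write_conf log|alert" >&2
      return 1
      ;;
  esac
}

# start_cmd log|alert: print the command line for that instance. Each instance
# reads a different base file name and keeps its own waldo bookmark.
start_cmd() {
  case "$1" in
    log)   base=snort-unified.log ;;
    alert) base=snort-unified.alert ;;
    *)     return 1 ;;
  esac
  printf 'barnyard -c %s/barnyard-%s.conf -d %s -f %s -w %s/waldo-%s\n' \
    "$ETC" "$1" "$SPOOL" "$base" "$SPOOL" "$1"
}

# install_confs: write both config files into $ETC
install_confs() {
  mkdir -p "$ETC"
  write_conf log   > "$ETC/barnyard-log.conf"
  write_conf alert > "$ETC/barnyard-alert.conf"
}

# "show" (the default) prints both configs and the two start lines;
# "install" writes the config files.
case "${1:-show}" in
  install) install_confs ;;
  show)
    write_conf log; echo
    write_conf alert; echo
    start_cmd log
    start_cmd alert
    ;;
esac
```

Run it with no arguments to review the generated configuration, then with `install` to write the files; the two printed barnyard lines are what goes into your init script, one per instance. Whether the "Skipping tagged packet" lines clear up is a separate question from this layout, since that output comes from the spool file the instance is reading, not from which output plugins are configured.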