Snort mailing list archives
Re: Barnyard woes
From: Ken Gunderson <kgunders () teamcool net>
Date: Wed, 19 Feb 2003 10:03:59 -0700
On Wednesday 19 February 2003 07:58 am, Andrew R. Baker wrote:
> Ken Gunderson wrote:
>> On Tuesday 18 February 2003 08:16 pm, Andrew R. Baker wrote:
>>> Joerg Weber wrote:
>>>> Here's my problem:
>>>> 1) I'd like to use SnortCenter to maintain my sensors.
>>>> SnortCenter adds the unified_plugin like this:
>>>> output log_unified: filename snort-unified, limit 500
>>>> but no alert_unified:
>>>> Should I add this by hand via a preprocessor?
>>>
>>> If you are only using the database output, you do not need the
>>> unified alert file. All of the alert data should be in the unified
>>> log file.
>>
>> [snip]
>> So one would specify both "log_acid_db" AND "alert_acid_db" in
>> barnyard.conf and then get both alerts and logs going to the db,
>> correct?
>> [snip]
>
> No, you just need log_acid_db. This will get alerts w/ packet logs
> into the database. The confusing part is that, with several output
> plugins, log means alert w/ packet. Unfortunately, it is a little late
> in Snort's lifetime to try to clarify this.
>
> -A
No wonder I was confused ;-) But this does not appear to be consistent with what I am seeing. My snort.conf specifies:

output alert_unified: filename snort_fxp1.alert, limit 500
output log_unified: filename snort_fxp1.log, limit 500

Presently I have two instances of BY running, and after processing by BY, I am getting:

cooper# grep -i portscan2 log_dump_fxp1 | wc -l
0
cooper# grep -i portscan2 alert_fast_fxp1 | wc -l
78

This would indicate that all alert data does not make it to log_unified?? Thus one still needs to parse alert_unified logs through some other means such as syslog, alert_fast, etc.??

--
Best regards,

Ken Gunderson
PGP Key-- 9F5179FD

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
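The two grep counts above check a single signature by hand. The script below, an added example and not code from the original thread or from the Snort/barnyard projects, generalises that check: it pulls every "[gid:sid:rev]" header out of a barnyard alert_fast file and a barnyard log_dump file and reports the signatures that appear in the alert output but never in the log output. It assumes both output formats carry the Snort-style "[**] [gid:sid:rev] message [**]" header on their event lines; the sample lines (including the 117:1 portscan2 event and the 1:1256 web rule) are constructed for the example, and the file names are placeholders.

```shell
#!/bin/sh
# Find Snort signatures that barnyard wrote to alert_fast output but
# never to log_dump output, i.e. events that reached alert_unified but
# not log_unified. Example code, not part of the original thread.

ALERT_FILE=$(mktemp)   # stands in for alert_fast_fxp1
LOG_FILE=$(mktemp)     # stands in for log_dump_fxp1
TMP_A=$(mktemp)
TMP_L=$(mktemp)
trap 'rm -f "$ALERT_FILE" "$LOG_FILE" "$TMP_A" "$TMP_L"' EXIT

# Constructed sample alert_fast lines (assumed format, not captured data).
cat > "$ALERT_FILE" <<'EOF'
02/19-09:41:12.018273  [**] [117:1:1] (spp_portscan2) Portscan detected from 10.0.0.5 [**] {TCP} 10.0.0.5:40212 -> 10.0.0.9:22
02/19-09:41:12.221009  [**] [117:1:1] (spp_portscan2) Portscan detected from 10.0.0.5 [**] {TCP} 10.0.0.5:40213 -> 10.0.0.9:23
02/19-09:41:13.554101  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40255 -> 10.0.0.9:80
EOF

# Constructed sample log_dump lines: only the rule hit has a packet log.
cat > "$LOG_FILE" <<'EOF'
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
02/19-09:41:13.554101 10.0.0.5:40255 -> 10.0.0.9:80
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:312 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x4000  TcpLen: 20
EOF

# Print the unique "gid:sid" ids found in the event headers of a file.
sig_ids() {
    sed -n 's/.*\[\*\*\] \[\([0-9][0-9]*:[0-9][0-9]*\):[0-9][0-9]*\].*/\1/p' "$1" |
        sort -u
}

# Count event lines for one "gid:sid" id in a file (what the grep | wc -l
# check in the message does, keyed on the id rather than the message text).
count_sig() {
    grep -c "\[$2:[0-9]*\]" "$1" || true
}

# Ids present in the alert file (arg 1) but absent from the log file (arg 2).
alert_only() {
    sig_ids "$1" > "$TMP_A"
    sig_ids "$2" > "$TMP_L"
    comm -23 "$TMP_A" "$TMP_L"
}

# Stand-alone run: list signatures that only surfaced via alert_unified.
for id in $(alert_only "$ALERT_FILE" "$LOG_FILE"); do
    printf 'signature %s: %s alert events, %s log events\n' \
        "$id" "$(count_sig "$ALERT_FILE" "$id")" "$(count_sig "$LOG_FILE" "$id")"
done
```

Pointing `ALERT_FILE` and `LOG_FILE` at real barnyard output instead of the embedded samples turns this into a quick audit of which signatures a database fed only by `log_acid_db` would be missing.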
Current thread:
- Barnyard woes Joerg Weber (Feb 18)
- Re: Barnyard woes Ken Gunderson (Feb 18)
- Re: Barnyard woes Paul Schmehl (Feb 18)
- Re: Barnyard woes Andrew R. Baker (Feb 18)
- Re: Barnyard woes Ken Gunderson (Feb 19)
- Re: Barnyard woes Andrew R. Baker (Feb 19)
- Re: Barnyard woes Ken Gunderson (Feb 19)
- Help! Very wierd traffic. Yonah Russ (Feb 19)
- Re: Help! Very wierd traffic. Matt Kettler (Feb 19)
- Re: Help! Very wierd traffic. Yonah Russ (Feb 19)
- Re: Help! Very wierd traffic. Frank Knobbe (Feb 19)
- Re: Barnyard woes Ken Gunderson (Feb 19)
- Re: Barnyard woes Ken Gunderson (Feb 18)