Snort mailing list archives
RE: No detail or contents in acid and barnyard
From: "Nelson, Ben" <bnelson () rightnow com>
Date: Thu, 5 Jun 2003 09:44:11 -0600
Check out mudpit: http://www.fidelissec.com/mudpit.html

This is what I ended up using on my remote sensors to log alert details AND data to a remote database. It's been working pretty solidly for about a week now. I'm still very much in the testing phase, but so far it's been great.

--Ben

-----Original Message-----
From: Russell Fulton [mailto:r.fulton () auckland ac nz]
Sent: Wednesday, June 04, 2003 10:52 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] No detail or contents in acid and barnyard

Greetings All,

I am running snort 2.0 with the unified output plugin (see appended config file) and using barnyard (see command line and conf file appended). Data is being logged to the database and displayed by acid, but I get no details (i.e. no IP header fields except addresses, nor TCP fields except port numbers) and no packet contents.

I have tried various strategies with running barnyard to handle both the alert and log file:

* -d log_dir -f snort.alert -f snort.log and both outputs enabled in the conf file. This does not produce any errors.
* two processes, one for the log and one for the alert; the log process always seems to exit (no errors printed).

Clearly I am missing something. Can someone please take the time to look at the configs and try and spot the problem?

[I have searched the archive and found several references to this problem but no real solutions. When I get this fixed I'll write an answer for the FAQ!]

Thanks!
Russell
--
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.

snort command line:
snort -c unified.rules -D -g snort -i xl0 -l /home/snort/LOGS/DMZ-O/barnyard/ -m 2 -o -U -u snort -X

snort.conf...
var HOME_NET [xxxxx]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /home/snort/Rules/current

preprocessor frag2
preprocessor stream4: disable_evasion_alerts, ttl_limit 5
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode

output alert_unified: filename snort.alert, limit 50
output log_unified: filename snort.log, limit 50

include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
.......

----------------------------------------------------------------------

Barnyard command line:
barnyard -c config/barnyard.alert -d LOGS/DMZ-O/barnyard/ -f snort.alert -f snort.log

Barnyard.conf
config hostname: xxxx
config interface: xl0
config filter: not port 22

processor dp_alert
processor dp_log
processor dp_stream_stat

output alert_acid_db: mysql, sensor_id 1, database snort, server xxxxx.auckland.ac.nz, user snort, password xxxxx
output log_acid_db: mysql, sensor_id 1, database snort, server xxxxx.auckland.ac.nz, user snort, password xxxxx
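The symptom Russell describes (addresses and ports present, everything else blank) is what the database looks like when only the alert-side output has written to it and the log-side rows never arrived. The check below, an added example that is not part of the thread or of barnyard/ACID, finds such half-written events with one query. It assumes the column names of the Snort/ACID schema (event, iphdr, data; sid/cid keys) and uses an in-memory SQLite copy with constructed rows in place of the MySQL database.

```python
import sqlite3

# Subset of the Snort/ACID database schema (event, iphdr, data), assumed here
# from the schema ACID reads; columns trimmed to what the check needs.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_ttl INTEGER, ip_proto INTEGER);
CREATE TABLE data  (sid INTEGER, cid INTEGER, data_payload TEXT);
"""

# Constructed sample rows (addresses as the 32-bit integers the schema uses).
# (1,1) shows the symptom from the thread: addresses only, no TTL, no payload.
# (1,2) has full header and payload. (1,3) has a full header but an empty packet.
SAMPLE_ROWS = [
    ("event", (1, 1, 1000, "2003-06-04 22:52:00")),
    ("iphdr", (1, 1, 0xC0A80001, 0x0A000002, None, None)),
    ("event", (1, 2, 1000, "2003-06-04 22:53:00")),
    ("iphdr", (1, 2, 0xC0A80001, 0x0A000002, 64, 6)),
    ("data",  (1, 2, "474554202f20485454502f312e30")),
    ("event", (1, 3, 1000, "2003-06-04 22:54:00")),
    ("iphdr", (1, 3, 0xC0A80001, 0x0A000002, 64, 6)),
]

# An event whose iphdr row never got a TTL was written by the alert path only;
# a missing data row on its own can simply be a packet with no payload.
INCOMPLETE_EVENTS_SQL = """
SELECT e.sid, e.cid,
       (i.ip_ttl IS NULL)       AS no_ip_header,
       (d.data_payload IS NULL) AS no_payload
FROM event e
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN data  d ON d.sid = e.sid AND d.cid = e.cid
WHERE i.ip_ttl IS NULL OR d.data_payload IS NULL
ORDER BY e.sid, e.cid
"""

def build_sample_db():
    """In-memory SQLite stand-in for the MySQL 'snort' database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, row in SAMPLE_ROWS:
        marks = ",".join("?" * len(row))
        conn.execute(f"INSERT INTO {table} VALUES ({marks})", row)
    return conn

def incomplete_events(conn):
    """(sid, cid, no_ip_header, no_payload) for events missing header or payload."""
    return conn.execute(INCOMPLETE_EVENTS_SQL).fetchall()
```

Run against the real database, a large share of events with no_ip_header set points at the log processor (dp_log / log_acid_db) not delivering, which is where the exiting log process in the report above would show up.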
Current thread:
- No detail or contents in acid and barnyard Russell Fulton (Jun 04)
- Re: No detail or contents in acid and barnyard Bamm Visscher (Jun 05)
- <Possible follow-ups>
- RE: No detail or contents in acid and barnyard Nelson, Ben (Jun 05)