Snort mailing list archives
RE: ACID not displaying data from Barnyard
From: francisv () dagupan com
Date: Sat, 9 Aug 2003 08:29:35 +0800
I found the reason -- barnyard did not insert the sensor information in the sensor table and most probably ACID was looking for it. I manually added it and now it works.

However, I'm stumped with yet another problem -- I don't see any payload information (from ACID) when I display TCP or UDP entries. The data table contains information, but how come ACID doesn't display it?

-----Original Message-----
From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
Sent: Saturday, August 09, 2003 12:46 AM
To: 'Francis A. Vidal'
Subject: RE: [Snort-users] ACID not displaying data from Barnyard

I believe that you should be using output log_unified only in snort.conf;
use rulesets - ruletypes for log_tcpdump.

-----Original Message-----
From: Francis A. Vidal [mailto:francisv-sender-58ad63 () irc dagupan com]
Sent: Thursday, August 07, 2003 8:29 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ACID not displaying data from Barnyard

Hi all,

I have Snort 2.0.1 running with Barnyard 0.1.0 logging it to a MySQL (3.23.51) DB. I can confirm that Barnyard is successfully logging data by inspecting the event table:

mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|     8691 |
+----------+
1 row in set (0.01 sec)

However, when I open up ACID (I have two versions running in parallel, v0.9.6b24 and v0.9.6b23), I couldn't see anything!

Here's some sample data from the event table:

sid  cid  signature  timestamp
1    1    3          2003-08-08 00:22:00
1    2    3          2003-08-08 00:22:01
1    3    3          2003-08-08 00:22:22

I'm running Snort and Barnyard using these command lines:

snort -dDo -i xl0 -l /var/log/snort -c /usr/local/etc/snort.conf

barnyard -D -c /usr/local/etc/barnyard.conf \
  -s /usr/local/share/snort/sid-msg.map \
  -g /usr/local/share/snort/gen-msg.map \
  -w /usr/local/var/barnyard/checkpoint \
  -d /var/log/snort \
  -f snort.log

Snort is logging using these output plugins:

output log_tcpdump: tcpdump.log
output alert_unified: filename snort.alert, limit 50
output log_unified: filename snort.log, limit 50

Barnyard is configured to write to the MySQL DB using this:

output log_acid_db: mysql, sensor_id 1, database dbname, server localhost, user dbuser, password dbpasswd, detail full

The files inside /var/log/snort:

alert
scan.log
snort.alert.1060302116
snort.log.1060302116
tcpdump.log.1060302116

---
francis a. vidal [bitstop network services]  | http://www.bnshosting.net
streaming media + web hosting                | http://www.bitstop.ph
v(02)330-2871,(02)330-2872; f(02)330-2873    | http://www.kuro.ph
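The two symptoms in this thread (ACID shows nothing because the sensor row is missing; ACID shows events but no payload) both come down to how ACID joins the event table to sensor and data. The following is an added worked example, not code from the thread or from the Snort, Barnyard or ACID projects: it rebuilds the three tables involved on a scratch database, reproduces the missing-sensor condition, and runs the checks a practitioner would use before and after the manual fix. Column layouts follow the Snort database schema (create_mysql) as far as needed here, and should be verified against the copy shipped with your Snort; the hostname, the hex payload and the rows themselves are constructed. It is written for MySQL 3.23, which has no subqueries, so the orphan checks use LEFT JOIN ... IS NULL rather than NOT IN.

```sql
-- Added example (not from the original thread). Scratch reproduction of the
-- ACID/Barnyard "sensor row missing" problem and the checks around it.
-- Schema: Snort create_mysql, trimmed to the columns used here (assumption:
-- verify against your own create_mysql). Row values are constructed.
-- MySQL 3.23 has no subqueries, so every check below is a LEFT JOIN.

CREATE TABLE sensor (
  sid       INT UNSIGNED NOT NULL AUTO_INCREMENT,
  hostname  TEXT,
  interface TEXT,
  filter    TEXT,
  detail    TINYINT,            -- 0 = fast, 1 = full (payload logged)
  encoding  TINYINT,            -- 0 = hex, 1 = base64, 2 = ascii
  last_cid  INT UNSIGNED NOT NULL,
  PRIMARY KEY (sid)
);

CREATE TABLE event (
  sid       INT UNSIGNED NOT NULL,
  cid       INT UNSIGNED NOT NULL,
  signature INT UNSIGNED NOT NULL,
  timestamp DATETIME NOT NULL,
  PRIMARY KEY (sid, cid)
);

CREATE TABLE data (
  sid          INT UNSIGNED NOT NULL,
  cid          INT UNSIGNED NOT NULL,
  data_payload TEXT,
  PRIMARY KEY (sid, cid)
);

-- Constructed rows: Barnyard (log_acid_db ... sensor_id 1, detail full)
-- wrote events and hex payloads under sid 1 but never created a sensor row.
INSERT INTO event VALUES (1, 1, 3, '2003-08-08 00:22:00');
INSERT INTO event VALUES (1, 2, 3, '2003-08-08 00:22:01');
INSERT INTO event VALUES (1, 3, 3, '2003-08-08 00:22:22');
INSERT INTO data  VALUES (1, 1, '474554202F20485454502F312E300D0A'); -- "GET / HTTP/1.0\r\n" in hex
INSERT INTO data  VALUES (1, 2, '474554202F20485454502F312E300D0A');
-- cid 3 deliberately has no data row.

-- Check 1: events whose sid has no sensor row. ACID joins event to sensor,
-- so every sid listed here is a block of alerts ACID will never display.
-- On this data: sid 1 with 3 orphaned events.
SELECT e.sid, COUNT(*) AS orphaned_events
  FROM event e
  LEFT JOIN sensor s ON s.sid = e.sid
 WHERE s.sid IS NULL
 GROUP BY e.sid;

-- Fix: create the sensor row by hand, using the sid Barnyard was configured
-- with. detail and encoding must describe how Barnyard actually wrote the
-- data table (full detail, hex payloads here), because ACID reads these two
-- columns when it renders a packet payload; a wrong encoding value gives a
-- garbled or empty payload pane even though data_payload is populated.
-- last_cid is taken from the event table so the next insert does not collide.
-- hostname and interface are assumptions (interface xl0 is from the thread).
INSERT INTO sensor (sid, hostname, interface, filter, detail, encoding, last_cid)
  SELECT 1, 'sensor1.example', 'xl0', NULL, 1, 0, MAX(cid)
    FROM event WHERE sid = 1;

-- Check 1 again: should now return no rows.
SELECT e.sid, COUNT(*) AS orphaned_events
  FROM event e
  LEFT JOIN sensor s ON s.sid = e.sid
 WHERE s.sid IS NULL
 GROUP BY e.sid;

-- Check 2: events with no payload row at all. If this is large for a
-- sensor that claims detail = 1, Barnyard is not writing the data table.
-- On this data: (1, 3).
SELECT e.sid, e.cid
  FROM event e
  LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
 WHERE d.cid IS NULL;

-- Check 3: exactly what ACID sees for each alert: the sensor's detail and
-- encoding beside the stored payload. Payload present but the pane empty in
-- ACID points at the encoding/detail values, not at the data table.
SELECT e.cid, s.detail, s.encoding, d.data_payload
  FROM event e
  INNER JOIN sensor s ON s.sid = e.sid
  LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
 WHERE e.sid = 1
 ORDER BY e.cid;
```

Run it against a throwaway database, not the live one: the CREATE TABLE statements will fail if the tables already exist, and the point of the reproduction is to see the orphan query return rows before the INSERT and none after. On a live database only the three SELECT checks are needed, against the real sensor, event and data tables.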
Current thread:
- ACID not displaying data from Barnyard Francis A. Vidal (Aug 07)
- <Possible follow-ups>
- ACID not displaying data from Barnyard Francis A. Vidal (Aug 08)
- RE: ACID not displaying data from Barnyard francisv (Aug 11)