Snort mailing list archives
AW: acid - barnyard - payload
From: Jochen Vogel <jvogel () it-sec de>
Date: Mon, 13 Oct 2003 10:02:17 +0200
How can I show the payload in ACID if I use barnyard?

-----Original Message-----
From: Jochen Vogel [mailto:jvogel () it-sec de]
Sent: Thursday, 9 October 2003 13:27
To: 'snort-users () lists sourceforge net'
Subject: AW: [Snort-users] acid - barnyard - payload

OK, another try. I created 2 barnyard scripts:
- barnalert for the alerts
- barnlog for the logs

Both sensors are registered:

+-----+----------+-----------+--------+--------+----------+----------+
| sid | hostname | interface | filter | detail | encoding | last_cid |
+-----+----------+-----------+--------+--------+----------+----------+
|   3 | alert    | x         | x      |      0 |        0 |        0 |
|   4 | log      | x         | x      |      1 |        0 |        0 |
+-----+----------+-----------+--------+--------+----------+----------+

For both sensors events exist:

+-----+-----+-----------+---------------------+
| sid | cid | signature | timestamp           |
+-----+-----+-----------+---------------------+
|   3 | 972 |         5 | 2003-10-09 13:17:24 |
|   4 | 972 |         5 | 2003-10-09 13:17:24 |
|   3 | 971 |         5 | 2003-10-09 13:17:22 |
|   4 | 971 |         5 | 2003-10-09 13:17:22 |
|   3 | 970 |         5 | 2003-10-09 13:17:21 |
|   4 | 970 |         5 | 2003-10-09 13:17:21 |
|   3 | 969 |        13 | 2003-10-09 13:17:20 |
|   3 | 968 |         5 | 2003-10-09 13:17:20 |
|   4 | 969 |        13 | 2003-10-09 13:17:20 |
|   4 | 968 |         5 | 2003-10-09 13:17:20 |
+-----+-----+-----------+---------------------+

ACID shows only the sid 3 alerts. What's the problem?

Thanks for help
jo

-----Original Message-----
From: Jochen Vogel [mailto:jvogel () it-sec de]
Sent: Wednesday, 8 October 2003 14:37
To: 'snort-users () lists sourceforge net'
Subject: AW: [Snort-users] acid - barnyard - payload

Hi,

I recreated the snort DB. barnlog didn't read the sid and created sid 2.

This is my barnyard.conf:

#config localtime
config hostname: sensor2
config interface: x
config filter: x

processor dp_alert
processor dp_log
processor dp_stream_stat

#output alert_fast
#output log_dump
#output alert_syslog
#output log_pcap
output alert_acid_db: mysql, database snort, server localhost, user sensor
output log_acid_db: mysql, database snort, server localhost, user sensor, detail full

------------------------------------------------
/etc/init.d/barnalert
Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AcidDb output plugin initialized
AlertCSV initialized
Parsing Config file: /opt/sentinel/sensor/conf/barnyard.conf
Args: mysql, database snort, server localhost, user sensor
Args: mysql, database snort, server localhost, user sensor, detail full
Barnyard Version 0.1.0 (Build 17) started
AcidDbOpStart sensor_id == 1
OpAcidDB configuration details
Database Flavour: mysql
Detail Level: Fast
Database Server: localhost
Database User: sensor
SensorID: 1
AcidDbOpStart Complete
Exiting
AcidDbOpStop
------------------------------------------------------
Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AcidDb output plugin initialized
AlertCSV initialized
Parsing Config file: /opt/sentinel/sensor/conf/barnyard.conf
Args: mysql, database snort, server localhost, user sensor
Args: mysql, database snort, server localhost, user sensor, detail full
Barnyard Version 0.1.0 (Build 17) started
AcidDbOpStart sensor_id == 2
OpAcidDB configuration details
Database Flavour: mysql
Detail Level: Full
Database Server: localhost
Database User: sensor
SensorID: 2
AcidDbOpStart Complete
Exiting
AcidDbOpStop
------------------------------------------------------
mysql -e "select * from sensor" snort
+-----+----------+-----------+--------+--------+----------+----------+
| sid | hostname | interface | filter | detail | encoding | last_cid |
+-----+----------+-----------+--------+--------+----------+----------+
|   1 | sensor2  | x         | x      |      0 |        0 |        0 |
|   2 | sensor2  | x         | x      |      1 |        0 |        0 |
+-----+----------+-----------+--------+--------+----------+----------+

-----Original Message-----
From: Jochen Vogel [mailto:jvogel () it-sec de]
Sent: Tuesday, 7 October 2003 14:49
To: snort-users () lists sourceforge net
Subject: [Snort-users] acid - barnyard - payload

Hi,

I use snort -> barnyard -> mysql <- acid and want to show the payloads.
I use 2 barnyard scripts:
- barnalert for the alert file
- barnlog for the log file

If I run barnalert I get messages but no payload.
If I run barnlog I get nothing.
If I run both, barnalert gets SID 1 and barnlog gets SID 2, but ACID shows SID 1 only, without payload.
If I run both and give barnlog SID 1 I get an error message because of duplicate entries.

How can I show the payload?

Thanks for help
jo

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
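The thread never checks whether payload rows actually exist for the second sensor before blaming ACID. The queries below are an added diagnostic, not something posted in the thread, and they assume the standard Snort/ACID MySQL schema that barnyard's acid_db output writes into: `sensor` (as listed above), `event(sid, cid, signature, timestamp)` and `data(sid, cid, data_payload)`. They show, per sensor id, how many events were written and how many of those have a payload row, and then pull one concrete payload so you can confirm the data is in the database independently of the front end.

```sql
-- Added diagnostic (not from the thread). Assumes the standard Snort/ACID
-- schema: sensor(sid, hostname, interface, filter, detail, encoding, last_cid),
-- event(sid, cid, signature, timestamp), data(sid, cid, data_payload).
-- Per sensor: how many events exist, and how many of them carry a payload.
-- A sensor written by alert_acid_db (detail 0 = fast) is expected to have
-- events but no data rows; the log_acid_db sensor with "detail full"
-- (detail 1) is the one that should have payload rows.
SELECT s.sid,
       s.hostname,
       s.detail,
       s.encoding,
       COUNT(e.cid)          AS events,
       COUNT(d.data_payload) AS events_with_payload
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
LEFT JOIN data  d ON d.sid = e.sid AND d.cid = e.cid
GROUP BY s.sid, s.hostname, s.detail, s.encoding
ORDER BY s.sid;

-- Pull one payload directly. (sid, cid) is the primary key, so the same cid
-- under two different sids (e.g. 3/972 and 4/972 in the listing above) are
-- two separate rows, not a conflict. sid 4 / cid 972 is taken from the thread.
SELECT sid, cid, LENGTH(data_payload) AS payload_len, data_payload
FROM data
WHERE sid = 4 AND cid = 972;
```

Run them the same way the thread runs its `select * from sensor`, i.e. `mysql -e "..." snort`. If `events_with_payload` is 0 for the full-detail sensor, the payload never reached the database and the problem is on the barnyard side (the log file, or the output line it was started with), not in ACID; if the rows are there, the question becomes which sensor ids the ACID instance is configured to display.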
Current thread:
- AW: acid - barnyard - payload Jochen Vogel (Oct 08)
- <Possible follow-ups>
- AW: acid - barnyard - payload Jochen Vogel (Oct 09)
- AW: acid - barnyard - payload Jochen Vogel (Oct 13)