Snort mailing list archives
AW: Barnyard & SnortAlog
From: "Povel, Michael" <Michael.Povel () umusic com>
Date: Thu, 6 May 2004 16:02:31 +0200
Sorry, I had a duplicated line in my patch. Please remove the first
+ protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp,
cu
Michael
-----Ursprüngliche Nachricht-----
Von: Povel, Michael
Gesendet: Donnerstag, 6. Mai 2004 14:23
An: 'Cédric BLIN'; 'snort-users () lists sourceforge net'
Betreff: AW: [Snort-users] Barnyard & SnortAlog
Hello all,
with a little change on the output plugin of barnyard, I was able to read
the cerated output with snortalog. I modified the format to meet a little
bit more the format snort uses:
--- sik/op_fast.c 2004-05-06 13:14:21.000000000 +0200
+++ op_fast.c 2004-05-06 13:23:48.000000000 +0200
@@ -174,6 +174,14 @@
if(ad->protocol == IPPROTO_TCP ||
ad->protocol == IPPROTO_UDP)
{
+ fprintf(afd->file, "%s [**] [%d:%d:%d] %s [**] [Classification: %s]
[Pr
iority: %d] {%s} %s:%d -> %s:%d\n", timestamp,
+ protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp,
+ ad->event.sig_generator, ad->event.sig_id,
ad->event.sig_rev,
+ tmp != NULL?tmp->msg:"ALERT",
+ ct != NULL?ct->name:"Unknown", ad->event.priority,
+ protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp
+ );
+/* Orig
fprintf(afd->file, "%s {%s} %s:%d -> %s:%d\n"
"[**] [%d:%d:%d] %s [**]\n"
"[Classification: %s] [Priority: %d]\n", timestamp,
@@ -181,9 +189,16 @@
ad->event.sig_generator, ad->event.sig_id,
ad->event.sig_rev,
tmp != NULL?tmp->msg:"ALERT",
ct != NULL?ct->name:"Unknown", ad->event.priority);
+*/
}
else
{
+ fprintf(afd->file, "%s [**] [%d:%d:%d] %s [**] [Classification: %s]
[Pr
iority: %d] {%s} %s -> %s\n", timestamp,
+ ad->event.sig_generator, ad->event.sig_id,
ad->event.sig_rev,
+ tmp != NULL ? tmp->msg : "ALERT",
+ ct != NULL ? ct->name : "Unknown", ad->event.priority,
+ protocol_names[ad->protocol], sip, dip );
+/*
fprintf(afd->file, "%s {%s} %s -> %s\n"
"[**] [%d:%d:%d] %s [**]\n"
"[Classification: %s] [Priority: %d]\n", timestamp,
@@ -191,12 +206,15 @@
ad->event.sig_generator, ad->event.sig_id,
ad->event.sig_rev,
tmp != NULL ? tmp->msg : "ALERT",
ct != NULL ? ct->name : "Unknown", ad->event.priority);
+*/
}
PrintXref(ad->event.sig_generator, ad->event.sig_id, afd->file);
+/*
fprintf(afd->file,
"-----------------------------------------------------"
"-------------------\n");
+*/
fflush(afd->file);
return 0;
-----Ursprüngliche Nachricht-----
Von: Cédric BLIN [ mailto:cedric.blin () evidian com
<mailto:cedric.blin () evidian com> ]
Gesendet: Mittwoch, 5. Mai 2004 14:29
An: snort-users () lists sourceforge net
Betreff: [Snort-users] Barnyard & SnortAlog
Hi all,
here is my first post, excuse my english.
I want to know if someone use Barnyard & SnortAlog
and how I must configure them.
I use unified_log and Barnyard extract snort.alert.xxx to fast.alert
but SnortAlog is not able to understand this alert file.
Regards,
Cedric BLIN
-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149
<http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click>
&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
<https://lists.sourceforge.net/lists/listinfo/snort-users>
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
<http://www.geocrawler.com/redir-sf.php3?list=snort-users>
Current thread:
- AW: Barnyard & SnortAlog Povel, Michael (May 06)
- <Possible follow-ups>
- AW: Barnyard & SnortAlog Povel, Michael (May 06)