Snort mailing list archives
Re: Snort + barnyard2 + BASE
From: firnsy <firnsy () securixlive com>
Date: Sun, 25 Oct 2009 15:00:37 +1030
Shenk, Jerry A wrote:
> Thanks for looking...I'm not sure what the deal is here...spent most of the day on this...switching between versions of barnyard, trying to track down what I can. I'm getting data in the /var/log/snort/snort.log.xxxx files. Barnyard2 seems to be reading those files and with the new version, it's summarizing the hits (ETH, IPV4, TCP, UDP, etc.). But, I'm not getting any output from barnyard...I've primarily tried the syslog and database (mysql) options.
Light bulb! If you have /var/log/snort/snort.log.XXXX files I'm assuming you're using an output directive in your snort configuration along the lines of:
output log_unified2: ...

If this is the case then you are outputting packet information only to the log file and no alert information. On top of that you're trying to source the alert information to send to the database, which is non-existent.
The directives "alert_unified2" and "log_unified2" are legacies of the original unified setup, which required barnyard-0.2.0 to read them.
In the old setup you had alert file(s) which store snort events only (i.e. no packet information) and log file(s) which store the offending packets only (i.e. no snort alert information). It was then necessary for barnyard-0.2.0 (the original) to process both of these files to appropriately output information.
When unified2 came along the idea was to have _both_ alert and log information in the one file, as well as to have the flexibility to add other information such as portscan or statistic type records.
It was deemed necessary to also provide legacy support for the old setup, and that is to allow unified2 information to be explicitly output into a dedicated alert and log file.
However barnyard2 is designed to work with the true unified2 file where both alert and log data coexist in the same file. To instantiate this file the snort configuration output directive should look like the following:
output unified2: filename snort.u2, limit 128

Note the absence of the legacy "alert_" and "log_" prefixes. This seems to be the biggest stumbling block for people moving from unified (v1) to unified2 setups. Perhaps it should go in my FAQ ... hang about, it's already there ;)
Hopefully this fixes your issue, but I'll still look to see if it's something in the code.
Regards, -- firnsy www.securixlive.com
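The distinction firnsy draws above (the legacy "alert_unified2" / "log_unified2" directives versus the single "unified2" directive barnyard2 expects) can be turned into a quick lint of a snort.conf before you start chasing barnyard2's output plugins. The script below is an added example and is not code from this thread or from the Snort or barnyard2 projects; the three sample configurations, their file names and the check_unified2_outputs function name are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not from the original thread or the Snort/barnyard2 projects).
# Lints a snort.conf for the legacy split unified2 output directives, which
# leave barnyard2 with packet-only or alert-only files instead of the single
# combined unified2 file it is designed to read.

# check_unified2_outputs CONFIG
# Exit status:
#   0 - a combined "output unified2:" directive is present and no legacy ones
#   1 - legacy "alert_unified2" / "log_unified2" directive(s) found
#   2 - no unified2 output directive at all (nothing for barnyard2 to read)
check_unified2_outputs() {
    conf="$1"
    # Drop comments and leading whitespace, keep only "output ..." directives.
    outputs=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$conf" \
        | grep '^output[[:space:]]' || true)
    legacy=$(printf '%s\n' "$outputs" \
        | grep -E '^output[[:space:]]+(alert|log)_unified2:' || true)
    combined=$(printf '%s\n' "$outputs" \
        | grep -E '^output[[:space:]]+unified2:' || true)

    if [ -n "$legacy" ]; then
        printf '%s: legacy unified2 directive(s) found:\n%s\n' "$conf" "$legacy"
        echo "  use a single 'output unified2: filename <name>, limit <MB>' line instead"
        return 1
    fi
    if [ -z "$combined" ]; then
        printf '%s: no unified2 output directive found\n' "$conf"
        return 2
    fi
    printf '%s: ok: %s\n' "$conf" "$combined"
    return 0
}

# Constructed sample configurations (hypothetical file names and paths).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/legacy.conf" <<'EOF'
# unified v1-style split: packets in one file, alerts in another
output alert_unified2: filename snort.alert, limit 128
output log_unified2: filename snort.log, limit 128
EOF
cat > "$SAMPLE_DIR/combined.conf" <<'EOF'
# true unified2: alert and packet records in the one file barnyard2 reads
output unified2: filename snort.u2, limit 128
EOF
cat > "$SAMPLE_DIR/none.conf" <<'EOF'
output alert_syslog: LOG_AUTH LOG_ALERT   # nothing here for barnyard2
EOF

# Stand-alone demo: report each sample and its exit status.
for name in legacy combined none; do
    check_unified2_outputs "$SAMPLE_DIR/$name.conf" || echo "  -> exit status $?"
done
```

Run it against your real configuration with check_unified2_outputs /etc/snort/snort.conf; a status of 1 means Snort is still writing the split files this thread is about, so barnyard2 is reading a packet-only log and has no alert records to hand to syslog or MySQL.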