Snort mailing list archives
Re: snort 2.9.6.2 unified2
From: John Hally <JHally () EBSCO COM>
Date: Tue, 23 Sep 2014 09:23:52 +0000
Hi Michael,

Barnyard config:

config reference_file: /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file: /etc/snort/etc/gen-msg.map
config sid_file: /etc/snort/etc/sid-msg.map
config daemon
config logdir: /var/log/snort
config hostname: snort1
config interface: eth1
config alert_with_interface_name
config waldo_file: /tmp/barnyard2.waldo
config reference_net: 10.0.0.0/8
config archivedir: /var/log/barnyard2/archive
config process_new_records_only
input unified2
output database: log, mysql, user=snort password=###### dbname=###### host=####.####.com

Relevant snort config:

config logdir: /var/log/snort
output unified2: filename snort.log, limit 128, nostamp

Startup of barnyard2:

/usr/local/bin/barnyard2 -u snort -g snort -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -w /var/log/barnyard2/barnyard2.waldo

Startup of snort:

/usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf

Thanks for the help!
John.

On 9/22/14, 9:40 PM, "Shirkdog" <shirkdog () gmail com> wrote:

> Now we need your barnyard config to show that it is reading unified2 format. If your barnyard is 2.1-13 BETA (current git checkout), you should have this in your conf file:
>
> # this is not hard, only unified2 is supported ;)
> input unified2
>
> ---
> Michael Shirk
>
> On Mon, Sep 22, 2014 at 9:18 PM, John Hally <JHally () ebsco com> wrote:
>
>> Hi All,
>>
>> I'm having an issue that I just can't figure out. I'm trying to combine alerts and logs in unified2 format, for which I have the following in my snort.conf file:
>>
>> output unified2: filename snort.log, limit 128, nostamp
>>
>> The issue is when I try to get barnyard2 to process the file. It seems that if I run snort like the following, barnyard2 reports that it's waiting for a spool file:
>>
>> /usr/local/bin/snort -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf
>>
>> And barnyard2 never finds the snort.log file that is created. BUT if I run snort this way:
>>
>> /usr/local/bin/snort -A full -D -i eth1 -u snort -g snort -c /etc/snort/etc/snort.conf
>>
>> barnyard2 finds the snort.log.##### filename that gets created, but I think the file format isn't correct.
>>
>> Sorry if this is more of a barnyard2 issue than snort.
>>
>> Thanks!
>> John

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
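The thread turns on whether the file barnyard2 picks up is really a unified2 spool or a text alert file written by `-A full`. The following checker is an added example written for this archive page; it is not code from the thread, from Snort or from barnyard2. It walks a unified2 file record by record using the on-disk layout (a big-endian 4-byte record type and 4-byte record length, then the record body) and decodes the 52-byte legacy IDS event body (type 7). The record-type constants are taken from Snort's Unified2_common.h as the author of this example recalls them; the sample spool bytes and the text alert line are constructed inline so the script runs offline. A text alert file fails immediately with an unknown record type, which is the quickest way to confirm the "file format isn't correct" suspicion before pointing barnyard2 at it.

```python
#!/usr/bin/env python3
"""Added example: sanity-check a Snort unified2 spool file (not thread code)."""
import socket
import struct
import sys

# Unified2 record type ids as defined in Snort's Unified2_common.h
# (only the types this checker labels are listed).
RECORD_TYPES = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
    104: "UNIFIED2_IDS_EVENT_VLAN",
    105: "UNIFIED2_IDS_EVENT_IPV6_VLAN",
    110: "UNIFIED2_EXTRA_DATA",
}

HEADER = struct.Struct(">II")  # record type, record length (network byte order)
# Legacy IDS event body: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
IDS_EVENT_LEGACY = struct.Struct(">IIIIIIIIIIIHHBBBB")


def ip_to_int(dotted: str) -> int:
    return struct.unpack(">I", socket.inet_aton(dotted))[0]


def int_to_ip(value: int) -> str:
    return socket.inet_ntoa(struct.pack(">I", value))


def walk_unified2(data: bytes):
    """Yield (record_type, body) for each complete record.

    Raises ValueError on a truncated header, an unknown record type (what a
    text alert file produces) or a body that runs past the end of the data.
    """
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = HEADER.unpack_from(data, off)
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unknown record type {rtype} at offset {off}; "
                             "not a unified2 stream?")
        off += HEADER.size
        if len(data) - off < rlen:
            raise ValueError(f"record type {rtype} claims {rlen} bytes but only "
                             f"{len(data) - off} remain")
        yield rtype, data[off:off + rlen]
        off += rlen


def decode_ids_event(body: bytes) -> dict:
    """Decode a type-7 (legacy IPv4 IDS event) body into named fields."""
    if len(body) != IDS_EVENT_LEGACY.size:
        raise ValueError(f"IDS event body is {len(body)} bytes, expected "
                         f"{IDS_EVENT_LEGACY.size}")
    f = IDS_EVENT_LEGACY.unpack(body)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "event_microsecond": f[3], "signature_id": f[4], "generator_id": f[5],
        "signature_revision": f[6], "classification_id": f[7],
        "priority_id": f[8], "src": int_to_ip(f[9]), "dst": int_to_ip(f[10]),
        "sport_itype": f[11], "dport_icode": f[12], "protocol": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def summarize(data: bytes) -> dict:
    """Count records by type name; raises ValueError if the stream is malformed."""
    counts: dict = {}
    for rtype, _body in walk_unified2(data):
        name = RECORD_TYPES[rtype]
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_sample_spool() -> bytes:
    """Constructed sample: one IDS event followed by one packet record."""
    event = IDS_EVENT_LEGACY.pack(
        1, 42, 1411399200, 123456,        # sensor, event id, second, usec
        1000001, 1, 1, 3, 2,              # sid, gid, rev, class, priority
        ip_to_int("10.0.0.5"), ip_to_int("192.0.2.10"),
        51234, 80, 6, 0, 0, 0)            # sport, dport, proto, flags
    packet = b"\x00" * 8                  # placeholder packet body, not decoded
    return (HEADER.pack(7, len(event)) + event +
            HEADER.pack(2, len(packet)) + packet)


# Constructed text alert line, the kind of content "-A full" writes; it is
# not unified2 and the walker must reject it.
TEXT_ALERT_SAMPLE = b"[**] [1:1000001:1] constructed test alert [**]\n"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_spool()
    try:
        print(summarize(data))
    except ValueError as exc:
        print(f"not a valid unified2 spool: {exc}")
```

Run it with a real spool path (`python3 u2check.py /var/log/snort/snort.log`) to list record counts; with no argument it checks the constructed sample. If barnyard2 reports it is waiting for a spool file while Snort is writing one, also confirm that the base filename barnyard2 watches in its spool directory matches the `filename` given on the `output unified2` line, since the two are configured in separate places.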