Snort mailing list archives
Re: Load alerts read from file to database
From: Paul Li <paul () scybersecurity com>
Date: Mon, 6 Feb 2017 22:31:37 -0500
Hi Al,

Just read again barnyard2 configuration file's comments: looks like barnyard2 supports only u2 files. The issue on my side looks like no u2 files were generated, only log files. I reinstalled barnyard2. Now both u2 and log files are generated.

Thanks again!

Paul

On Mon, Feb 6, 2017 at 6:28 PM, Paul Li <paul () scybersecurity com> wrote:

Thanks Al for the hints. Much appreciated.

After Snort reads a file, all the alerts are in a snort.log.xxxxx file. I tried to set up barnyard2 to read snort.log as the base from the command line as follows:

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -g snort-user -u snort-pass

But it looks like barnyard2 is still reading the snort.u2 base file. Here's a c&p of the messages from the console:

------console output-----
Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase = snort.u2
    time_stamp = 1486185613
    record_idx = 0
Opened spool file '/var/log/snort/snort.u2.1486185613'
....
------console output end-----

Tried to edit barnyard2.waldo, but it looks like it's a binary file. Is there a way to make barnyard2 read snort.log.xxxxx instead of snort.u2.xxxxx?

Thanks,
Paul

On Sat, Feb 4, 2017 at 6:10 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Are the alert files in unified2 format? You may want to look here for some more info on barnyard.

https://github.com/firnsy/barnyard2
https://github.com/firnsy/barnyard2/tree/master/doc

Albert Lewis
ENGINEER, SOFTWARE ENGINEERING
Sourcefire, Inc. now part of Cisco
Email: allewi () cisco com

From: Paul Li <paul () scybersecurity com>
Date: Saturday, February 4, 2017 at 1:05 AM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] Load alerts read from file to database

I'm using Snort to read a file and Snort generates alerts. But when I tried using Barnyard2 to load these alerts to the database, no alerts were loaded. Is there any configuration I should change to make it work, or does Barnyard2 not support loading alerts from files? (When Snort generates alerts from monitoring a network interface, Barnyard successfully loaded alerts to the database.)

Thanks,
Paul
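Al's question (are the alert files actually unified2?) can be settled by inspecting the spool file itself rather than by guessing from the file name. The checker below is an added example, not code from this thread or from barnyard2: it walks the 8-byte big-endian unified2 record headers (type, payload length) and also recognises the libpcap magic that a log_tcpdump-style snort.log.* file starts with. The sample bytes it builds are constructed, zero-filled records, not real Snort output.

```python
import struct
import sys

# Unified2 record-type codes from Snort's unified2.h (the format barnyard2 spools).
UNIFIED2_TYPES = {
    2: "PACKET",
    7: "IDS_EVENT",
    72: "IDS_EVENT_IPV6",
    104: "IDS_EVENT_V2",
    105: "IDS_EVENT_IPV6_V2",
    110: "EXTRA_DATA",
}
# libpcap file magics (both byte orders, microsecond and nanosecond variants).
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}

def classify_spool(data: bytes) -> dict:
    """Classify a Snort output file as 'unified2', 'pcap' (log_tcpdump) or 'unknown'.

    Unified2 is a sequence of records, each led by an 8-byte big-endian header
    (record type, payload length). The file counts as unified2 only if every
    header has a known type and the lengths tile the file; a cut-off last record
    is flagged, since barnyard2 may tail a file Snort is still writing.
    """
    if len(data) >= 4 and data[:4] in PCAP_MAGICS:
        return {"format": "pcap", "records": 0, "types": {}, "partial_tail": False}
    counts, off = {}, 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        if rtype not in UNIFIED2_TYPES:
            break
        if off + 8 + rlen > len(data):  # valid header, truncated payload
            return {"format": "unified2", "records": sum(counts.values()),
                    "types": counts, "partial_tail": True}
        name = UNIFIED2_TYPES[rtype]
        counts[name] = counts.get(name, 0) + 1
        off += 8 + rlen
    if counts and off == len(data):
        return {"format": "unified2", "records": sum(counts.values()),
                "types": counts, "partial_tail": False}
    return {"format": "unknown", "records": 0, "types": {}, "partial_tail": False}

def build_sample_unified2() -> bytes:
    """Constructed sample: one IDS_EVENT_V2 (60-byte body) then one PACKET record."""
    return (struct.pack(">II", 104, 60) + b"\x00" * 60
            + struct.pack(">II", 2, 40) + b"\x00" * 40)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_spool(fh.read()))
```

Run it against the snort.log.* and snort.u2.* files in the spool directory; a file that comes back "pcap" or "unknown" is not something barnyard2's unified2 reader will ever load, whatever -f is set to.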
Current thread:
- Load alerts read from file to database Paul Li (Feb 03)
- Re: Load alerts read from file to database Al Lewis (allewi) (Feb 04)
- Re: Load alerts read from file to database Paul Li (Feb 06)
- Re: Load alerts read from file to database Paul Li (Feb 06)
- Re: Load alerts read from file to database Tural Aghazada (Feb 06)
- Re: Load alerts read from file to database wkitty42 (Feb 07)
- Re: Load alerts read from file to database Marcin Dulak (Feb 07)
- Re: Load alerts read from file to database Joel Esler (jesler) (Feb 07)
- Re: Load alerts read from file to database Paul Li (Feb 06)
- Re: Load alerts read from file to database Al Lewis (allewi) (Feb 04)