From: Alwin Raymundo (alrayworld_at_yahoo.com)
Date: Tue Oct 15 2002 - 08:05:34 CDT


    Hi Bamm,

    Thanks for your help. I have a few questions for you
    if you don't mind.

    1. Where can I find this op_acid_db?

    I followed what you stated below.
    In snort.conf:
    output log_unified: filename snort.log, limit 128

    In my barnyard.conf:
    config hostname: snorthost
    config interface: fxp0
    config filter: not port 22
    processor dp_alert
    processor dp_log
    processor dp_stream_stat
    output alert_fast
    output log_dump
    output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user usnort, password loghog

    When I ran BY I got these error messages:

    -*> Barnyard! <*-
    Version 0.1.0-rc3 (Build 11)
    By Andrew R. Baker (andrewb@snort.org)
    and Martin Roesch (roesch@sourcefire.com,
    www.snort.org)

    Loading Data Processors...
    dp_alert loaded
    dp_log loaded
    dp_stream_stat loaded
    Loading Built-in Output Plugins...
    Fast Alert plugin initialized
    AlertSyslog initialized
    Log Dump plugin initialized
    LogPcap initialized
    AcidDb output plugin initialized
    AlertCSV initialized
    Parsing Config file: /etc/snort/barnyard.conf
    Args: mysql, sensor_id 1, database snort, server
    localhost, user usnort, password loghog
    WARNING: absolute path in -f <filename> is overriding
    -d <spool_dir> setting.
    WARNING: spool_dir set to "/var/log/snort"
    Barnyard Version 0.1.0-rc3 (Build 11) started
    ERROR => No input plugin found for magic: a1b2c3d4

    What does "no input plugin found for magic:
    a1b2c3d4" mean?

    I searched for this in the previous usenet posts, but the
    advice was to upgrade barnyard and the rules, and I
    think I have the new one.

    I'm new to barnyard. Thanks in advance for your
    help.
    --- Bamm Visscher <bamm@satx.rr.com> wrote:
    > I use a modified (different DB schema) op_acid_db and it inserts
    > "payload" data. op_acid_db should also. Check to make sure you are
    > using the log_unified output plugin (alert_unified doesn't log
    > packet data). When you run BY, make sure it is reading the
    > log_unified output (i.e. -f snort.log). IIRC, BY cannot read
    > log_unified and alert_unified at the same time. Finally, in your
    > barnyard.conf, make sure you use 'output log_acid_db' (vice
    > 'output alert_acid_db').
    >
    > Bammkkkk
    >
    > On Tue, 2002-10-01 at 07:31, Ron Shuck wrote:
    > > Hey Alwin,
    > >
    > > I found the same results. I haven't heard if there are plans to
    > > include this, or if it should work and we just missed something.
    > >
    > >
    > > Ron Shuck, CISSP - Managing Consultant
    > > Buchanan Associates - A Technology Company in the People Business
    > > http://www.buchanan.com
    > > http://www.isc2.org
    > >
    > >
    > > ---original message---
    > > Date: Mon, 30 Sep 2002 11:36:39 -0700 (PDT)
    > > From: Alwin Raymundo <alrayworld@yahoo.com>
    > > To: user snort <snort-users@lists.sourceforge.net>
    > > Subject: [Snort-users] barnyard (Payload)
    > >
    > > Hi Everybody,
    > >
    > > I don't know if this was already posted in a previous discussion;
    > > this morning I just set up barnyard. I like it because it is fast
    > > to log all packets into my mysql and acid, but I notice there is
    > > no payload.
    > >
    > > Is this normal? Is there another way to get the payload?
    > >
    > > Any help would be appreciated.
    > >
    > > Thanks in advance.
    > >
    > >
    > >

    =====
    Alwin Raymundo

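Added example, not code from this thread or from Barnyard: a small Python checker that maps the magic value in Barnyard's "No input plugin found for magic" error, or the first four bytes of the file passed with -f, to the spool format it denotes, which is the check to run before assuming an upgrade is needed. 0xa1b2c3d4 is the libpcap/tcpdump file magic; the two unified magics are an assumption taken from the LOG_MAGIC and ALERT_MAGIC constants in Snort's unified output plugin source, and all sample inputs are constructed.

```python
import re
import struct

# Magic values a Snort/Barnyard spool file can start with.  0xa1b2c3d4 is the
# libpcap/tcpdump file magic (the value in the thread's error).  The two unified
# magics are an assumption taken from LOG_MAGIC / ALERT_MAGIC in Snort's
# unified output plugin source.
MAGICS = {
    0xA1B2C3D4: "pcap",           # tcpdump-format capture, not unified data
    0xDEAD4137: "unified-log",    # written by 'output log_unified'
    0xDEAD1034: "unified-alert",  # written by 'output alert_unified'
}

_ERROR_RE = re.compile(r"No input plugin found for magic:\s*([0-9a-fA-F]{8})")


def classify_magic(magic: int) -> str:
    """Name the file format for a 32-bit magic value, or 'unknown'."""
    return MAGICS.get(magic, "unknown")


def identify_spool_bytes(data: bytes) -> str:
    """Classify a spool file by its first 4 bytes; 'short' if fewer than 4."""
    if len(data) < 4:
        return "short"
    # The producer writes the header in host byte order, so try both orders.
    for fmt in ("<I", ">I"):
        kind = classify_magic(struct.unpack(fmt, data[:4])[0])
        if kind != "unknown":
            return kind
    return "unknown"


def identify_spool_file(path: str) -> str:
    """Read the first 4 bytes of a file on disk (e.g. the -f target) and classify."""
    with open(path, "rb") as fh:
        return identify_spool_bytes(fh.read(4))


def diagnose_barnyard_error(line: str) -> str:
    """Map a Barnyard 'No input plugin found for magic' line to a format name."""
    match = _ERROR_RE.search(line)
    if not match:
        # Any other Barnyard output line is not the magic error at all.
        return "not-a-magic-error"
    return classify_magic(int(match.group(1), 16))
```

A result of "pcap" for the -f file means Barnyard was handed a tcpdump-format capture rather than the output of the log_unified plugin.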