Re: [Snort-users] barnyard processing of unified snort files
From: Andrew R. Baker (andrewb snort.org)
Date: Sun Jul 06 2003 - 09:19:01 CDT
Scott Renna wrote:
> Hello all,
>
> I have gotten everything running nice and smoothly with Snort and
> Barnyard now, but I was wondering about Snort Unified Alert file names.
> The files that I have are snort.alert.######
> and snort.log.########. According to Barnyard docs, these #s represent
> the time in seconds since epoch. Is there any way to actually set these
> so that they output in date and time format that is a little more
> humanly comprehensible? The problem I'm running into when using
> Barnyard with these files is that the output logs that barnyard spits
> out don't show the proper time; it's off by about 4 hours. I have
> checked my machine and its time is set properly.
>
> Has anyone else seen something like this in alert_fast.log?:
>
By default, Barnyard will use UTC for all timestamps. To configure it
to use local timestamps, add "config localtime" to your barnyard.conf.
UTC is preferred over localtime since it does not have the time gaps and
duplications associated with daylight savings time. Also, it tends to
make things easier when corresponding with people in remote locations.
> Also, while I'm emailing this off, I had a question in regards to
> utilizing the -f switch for continuous processing. The docs for
> barnyard say to specify the spool so I'm running two barnyard processes
> one with -f /var/log/snort/snort.alert and one with -f
> /var/log/snort/snort.log in order to have it review both types of files.
> Is this proper syntax or is there a better way?
Currently, that is the best way.
-A
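An added illustration of both points in the reply above (this is example code written for this archive page, not Barnyard's or Snort's own code): it parses the `snort.alert.<epoch>` / `snort.log.<epoch>` unified file names, renders the embedded epoch both as UTC (Barnyard's default) and under a fixed local offset, shows where an apparent "off by 4 hours" comes from when the host sits at UTC-4, and picks the newest spool file for a given `-f` base name. The file names, the epoch value and the -4 hour offset are constructed for the example; real local offsets should come from the host's zone database, which this script deliberately avoids so its output is reproducible.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample directory listing in the unified naming scheme
# (snort.alert.<seconds-since-epoch>, snort.log.<seconds-since-epoch>).
# 1057501141 is 2003-07-06 14:19:01 UTC; the other values are arbitrary.
SAMPLE_SPOOL_DIR = [
    "snort.alert.1057501141",
    "snort.alert.1057400000",
    "snort.log.1057501141",
    "snort.log.1057300000",
    "snort.alert.old",          # not a unified file: no numeric suffix
    "alert_fast.log",           # barnyard output, not a spool file
]

# <base>.<digits>, where base is the name given to barnyard -f
UNIFIED_RE = re.compile(r"^(snort\.(?:alert|log))\.(\d+)$")


def parse_unified_name(name):
    """Return (base, epoch_seconds) for a unified spool file name, else None."""
    m = UNIFIED_RE.match(name)
    if m is None:
        return None
    return m.group(1), int(m.group(2))


def format_utc(epoch):
    """Timestamp as Barnyard prints it by default (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def format_local(epoch, offset_hours):
    """Timestamp under a fixed UTC offset, i.e. what 'config localtime' would
    show on a host whose zone is that offset (assumed fixed for this example)."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.fromtimestamp(epoch, tz=tz).strftime("%Y-%m-%d %H:%M:%S %z")


def apparent_skew_hours(offset_hours):
    """How many hours a UTC timestamp appears 'off' to someone reading it as
    local wall-clock time: the magnitude of the host's UTC offset (4 at UTC-4).
    The timestamps are not wrong; only the rendering zone differs."""
    return abs(offset_hours)


def latest_spool_file(names, base):
    """Among files named <base>.<epoch>, return the one with the newest epoch,
    i.e. the file a continuous (-f <base>) reader would start tailing.
    Returns None when no file matches."""
    best = None
    for name in names:
        parsed = parse_unified_name(name)
        if parsed is None or parsed[0] != base:
            continue
        if best is None or parsed[1] > best[1]:
            best = (name, parsed[1])
    return best[0] if best else None


def describe_spool(names, offset_hours):
    """One line per unified file, in both renderings, for a directory listing."""
    lines = []
    for name in names:
        parsed = parse_unified_name(name)
        if parsed is None:
            continue
        base, epoch = parsed
        lines.append(f"{name}: {format_utc(epoch)} | local {format_local(epoch, offset_hours)}")
    return lines


if __name__ == "__main__":
    # Host assumed to be at UTC-4 (EDT in July), matching the 4 hour gap in the post.
    HOST_OFFSET = -4
    for line in describe_spool(SAMPLE_SPOOL_DIR, HOST_OFFSET):
        print(line)
    print("apparent skew:", apparent_skew_hours(HOST_OFFSET), "hours")
    for base in ("snort.alert", "snort.log"):
        print(f"-f {base} would pick up:", latest_spool_file(SAMPLE_SPOOL_DIR, base))
```

Running this prints each spool file's timestamp twice, UTC and UTC-4, which makes it clear that the four-hour difference is only a choice of rendering zone; the `config localtime` directive changes which rendering barnyard.conf selects, nothing about the epoch values in the file names. The last two lines show why one barnyard process per base name is needed: each `-f` base selects its own family of files.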