Re: [Snort-users] Barnyard part 2

From: sekure (sekure@gmail.com)
Date: Thu Jul 29 2004 - 09:27:46 CDT


-d {Snort_log_directory} -f unified.log
(since snort is configured to output log_unified: filename
unified.log, limit 128)

On Thu, 29 Jul 2004 10:13:02 -0400, Esler, Joel - Contractor
<joel.esler@rcert-s.army.mil> wrote:
> What command line options do you pass barnyard? Specifically your -d
> and -f options?
>
>
>
> -----Original Message-----
> From: sekure [mailto:sekure@gmail.com]
> Sent: Thursday, July 29, 2004 10:07 AM
> To: Jeff Dell
> Cc: Esler, Joel - Contractor; snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Barnyard part 2
>
> > If your rules are alerts and you are outputting to log_unified you
> > will have issues...
> I don't think that's necessarily true. According to Snort docs: "The
> log file contains the detailed packet information ( a packet dump with
> the associated event id )".
>
> My sensors are configured to:
> output log_unified: filename unified.log, limit 128
>
> And barnyard is configured:
> output log_acid_db: mysql, database db, server server, etc...
>
> I found that I only need one output module for snort and one output
> module for barnyard. Barnyard takes care of extracting the pertinent
> information and entering it into the database, giving me the alert and
> the packet payload. If I had just output log_alert in snort.conf, or
> just output alert_acid_db in barnyard the packet detail wouldn't make it
> into the database. And having two output plugins in barnyard tries to
> enter the same event into it twice.
>
> Hmmm....I think that's right....
>
> HTH,
>
> ----- Original Message -----
> From: Jeff Dell <jdell@activeworx.com>
> Date: Thu, 29 Jul 2004 09:36:17 -0400
> Subject: RE: [Snort-users] Barnyard part 2
> To: "Esler, Joel - Contractor" <joel.esler@rcert-s.army.mil>,
> snort-users@lists.sourceforge.net
>
> Make sure you are alerting to unified as well. i.e. uncomment the
> following line in your snort.conf file:
>
> output alert_unified: filename snort.alert, limit 128
>
> If your rules are alerts and you are outputting to log_unified you will
> have issues...
>
> Jeff
>
> ________________________________
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Esler,
> Joel - Contractor
> Sent: Thursday, July 29, 2004 8:46 AM
> To: Esler, Joel - Contractor; snort-users@lists.sourceforge.net;
> Maetzky, Steffen (Extern)
> Subject: RE: [Snort-users] Barnyard part 2
>
> I see that my Snort -> mysql used the "log" facility. Is there a
> similar command in barnyard, or do I have to change my rules from alert
> to log?
>
> J
>
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Esler,
> Joel - Contractor
> Sent: Thursday, July 29, 2004 8:40 AM
> To: snort-users@lists.sourceforge.net; Maetzky, Steffen (Extern)
> Subject: [Snort-users] Barnyard part 2
>
> Okay, Now, previous setup was Snort logging directly to mysql. Now it
> is logging to unified, Barnyard is now processing the mysql entries,
> however, it is not inputting the packet data into ACID. Where did the
> packet data go?
>
> J
>
> (barnyard.conf)
>
> output alert_acid_db: mysql, sensor_id 7, database snort, server 127.0.0.1, user snort
> output log_acid_db: mysql, database snort, server 127.0.0.1, user snort, detail full
>
> Do I need to comment out alert_acid_db, and make it just "log_acid_db"?
>

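As an added example (not posted by anyone in this thread), the snort.conf and barnyard.conf fragments below pair each Snort unified output with the matching Barnyard input processor and output plugin, and show the command line that ties them together. The output lines are the ones quoted in the thread; the hostname/interface lines, the `processor dp_log`/`dp_alert` input processors, the file paths and the `-c`/`-w` options are assumptions based on Barnyard 0.2 defaults, not anything the posters wrote.

```conf
# --- snort.conf (sensor side) ---
# log_unified records the packet together with its event id; this is the
# stream Barnyard's log_acid_db reads to fill the ACID packet/payload tables.
output log_unified: filename unified.log, limit 128

# alert_unified records the event only, with no packet payload.
# Enable it only if barnyard.conf also has a matching alert_* plugin;
# feeding both streams into the same database inserts each event twice.
# output alert_unified: filename snort.alert, limit 128

# --- barnyard.conf (Barnyard 0.2 syntax; hostname/interface assumed) ---
config hostname: sensor1
config interface: eth0

# The input processor must match the Snort side:
#   processor dp_log    <-> output log_unified
#   processor dp_alert  <-> output alert_unified
processor dp_log

# One output plugin for the one unified stream.
output log_acid_db: mysql, database snort, server 127.0.0.1, user snort, detail full
# output alert_acid_db: mysql, sensor_id 7, database snort, server 127.0.0.1, user snort

# --- invocation (paths assumed) ---
# -d is the directory Snort writes to; -f is the *base* filename given to
# log_unified. Snort appends a timestamp (unified.log.<epoch>) and Barnyard
# picks up files by that prefix. -w keeps a bookmark (waldo) file so a
# restart does not re-insert records that are already in the database.
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f unified.log \
#            -w /var/log/snort/barnyard.waldo
```

The pairing rule is the practical check: whichever unified output is active in snort.conf (`log_unified` or `alert_unified`) determines both the `processor` line and the single `output` plugin in barnyard.conf, and `-f` must be the base filename from that same output line. Barnyard2, which replaced this version, reads unified2 files and uses different configuration keywords, so these fragments apply to the Barnyard 0.2 generation the thread is about.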
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users