Snort mailing list archives

Re: [Snort-devel] Barnyard & Snort


From: peleus <peleus () anonymizer com>
Date: Mon, 18 Nov 2002 16:17:03 -0800 (PST)

Hello all,

        I have made some changes to Barnyard's Fast Alert output to allow
it to more closely mimic Snort's Fast Alert output.  The problem I had
with the existing format was that it was not compatible with SnortSnarf
and other utilities.
        The changes are all in the op_fast.c file so you should just need
to place it in the barnyard_source/src/output-plugins/ directory and
recompile.  I have made the file available for download at
http://www.peleus.net/snort/op_fast.c .  I did not attach the file because
I did not want to get flamed over sending attachments on a mailing list.
        In order to take advantage of the changes, you add the keyword
Standard_Mode to the output alert_fast configuration line.  For example:

output alert_fast: /var/log/snort/fast.alert Standard_Mode

        The code defaults to Barnyard's existing format.  All of the
changes are marked with tags /* ANONYMIZER CHANGE */ to make it easier for
the barnyard developers to audit the changes.  My guess is they will need
to rename the references to "Standard" since that is a relative term.  
The code has not been tested in multiple environments nor has it been
tested with all plugins, so use at your own risk.  Anonymizer and I
are not liable for any damages caused by using this code.
        Known bugs include that it does not log detailed info on portscan2 
attacks the same way Snort does.  It is my understanding that Snort does 
not record that information while in unified output mode.
        I hope it works for you!

-Peleus
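
Added example, not part of the original post or of op_fast.c: a Python check that the lines in a fast.alert file written with the Standard_Mode keyword parse as Snort-style fast alerts before the file is handed to SnortSnarf or similar tools. The line layout in the regex is assumed from Snort's own fast alert output (the post does not show it), only IPv4 addresses are handled, and the sample lines are constructed.

```python
import re

# Assumed layout of a Snort fast alert line (the post does not show it):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"  # optional
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"                  # optional
    r"\{(?P<proto>[A-Za-z0-9_-]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)
INT_FIELDS = ("gid", "sid", "rev", "priority", "sport", "dport")

def parse_fast_alert(line):
    """Return a dict of fields, or None if the line is not in the assumed layout."""
    m = FAST_ALERT.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec

def check_lines(lines):
    """Split lines into parsed records and (line number, text) rejects."""
    records, rejects = [], []
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # blank separator lines are not alerts
        rec = parse_fast_alert(line)
        if rec is None:
            rejects.append((lineno, line.rstrip("\n")))
        else:
            records.append(rec)
    return records, rejects

# Constructed sample input: two lines in the assumed layout, one that is not.
SAMPLE = [
    "11/18-16:17:03.123456  [**] [1:1000001:1] EXAMPLE constructed alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40000 -> 198.51.100.5:80",
    "11/18-16:17:04.000001  [**] [1:1000002:2] EXAMPLE constructed ping [**] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "",
    "2002-11-18 16:17:05 EXAMPLE constructed line in some other layout",
]

if __name__ == "__main__":
    records, rejects = check_lines(SAMPLE)
    print(f"{len(records)} parsed, {len(rejects)} rejected: {rejects}")
```

Any rejected line numbers point at output that a parser expecting Snort's layout would skip or misread.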


