Snort mailing list archives
Re: Barnyard & SnortAlog
From: "Povel, Michael" <Michael.Povel () umusic com>
Date: Thu, 6 May 2004 13:47:55 +0200
Hello all,
with a little change to the output plugin of barnyard, I was able to read
the created output with snortalog. I modified the format to match the
format snort uses a little more closely:
--- sik/op_fast.c 2004-05-06 13:14:21.000000000 +0200
+++ op_fast.c 2004-05-06 13:23:48.000000000 +0200
@@ -174,6 +174,14 @@
if(ad->protocol == IPPROTO_TCP ||
ad->protocol == IPPROTO_UDP)
{
+ fprintf(afd->file, "%s [**] [%d:%d:%d] %s [**] [Classification: %s]
[Pr
iority: %d] {%s} %s:%d -> %s:%d\n", timestamp,
+ protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp,
+ ad->event.sig_generator, ad->event.sig_id,
ad->event.sig_rev,
+ tmp != NULL?tmp->msg:"ALERT",
+ ct != NULL?ct->name:"Unknown", ad->event.priority,
+ protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp
+ );
+/* Orig
fprintf(afd->file, "%s {%s} %s:%d -> %s:%d\n"
"[**] [%d:%d:%d] %s [**]\n"
"[Classification: %s] [Priority: %d]\n", timestamp,
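Review bot: the argument list of the new TCP/UDP `fprintf` does not match its format string. The format `%s [**] [%d:%d:%d] %s [**] [Classification: %s] [Priority: %d] {%s} %s:%d -> %s:%d` has 12 conversions, but the call passes 17 values: the line `protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp,` directly after `timestamp` is a leftover from the old `{%s} %s:%d -> %s:%d` ordering, and it shifts every following argument, so `[%d:%d:%d]` receives `protocol_names[ad->protocol]`, `sip` and `ad->sp` instead of the three signature ids (a `char *` consumed by `%d` is undefined behaviour, and the numbers written to the file will be garbage). Delete that line so the arguments read `timestamp, ad->event.sig_generator, ad->event.sig_id, ad->event.sig_rev, msg, classification, priority, protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp`, which is the order the else branch already uses. The `[Pr` / `iority: %d]` split is display wrapping, but confirm the literal is on one line in the real file, since a string literal broken across lines without a continuation will not compile. Finally, the old call is kept behind `/* Orig ... */`; delete it rather than leaving dead code in the function.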
@@ -181,9 +189,16 @@
ad->event.sig_generator, ad->event.sig_id,
ad->event.sig_rev,
tmp != NULL?tmp->msg:"ALERT",
ct != NULL?ct->name:"Unknown", ad->event.priority);
+*/
}
else
{
+ fprintf(afd->file, "%s [**] [%d:%d:%d] %s [**] [Classification: %s]
[Pr
iority: %d] {%s} %s -> %s\n", timestamp,
+ ad->event.sig_generator, ad->event.sig_id,
ad->event.sig_rev,
+ tmp != NULL ? tmp->msg : "ALERT",
+ ct != NULL ? ct->name : "Unknown", ad->event.priority,
+ protocol_names[ad->protocol], sip, dip );
+/*
fprintf(afd->file, "%s {%s} %s -> %s\n"
"[**] [%d:%d:%d] %s [**]\n"
"[Classification: %s] [Priority: %d]\n", timestamp,
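Review bot: the argument order in this branch (timestamp, the three signature ids, message, classification, priority, protocol, sip, dip) lines up with the ten conversions in the new format string, so this call is correct and is the pattern the TCP/UDP branch should follow. Style point: the `/*` opened here on the old `fprintf` is only closed by a `*/` in the next hunk, so the dead block spans two hunks and is easy to misread when reviewing; the original literals contain no `*/`, so it compiles, but removing the old call outright is cleaner than commenting it out.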
@@ -191,12 +206,15 @@
ad->event.sig_generator, ad->event.sig_id,
ad->event.sig_rev,
tmp != NULL ? tmp->msg : "ALERT",
ct != NULL ? ct->name : "Unknown", ad->event.priority);
+*/
}
PrintXref(ad->event.sig_generator, ad->event.sig_id, afd->file);
+/*
fprintf(afd->file,
"-----------------------------------------------------"
"-------------------\n");
+*/
fflush(afd->file);
return 0;
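Review bot: commenting out the dashed separator changes the fast-alert file for every consumer of the op_fast output, not only snortalog, and `PrintXref` is still called after each alert, so each record is now the single alert line followed by whatever reference lines `PrintXref` emits, with nothing delimiting records. If the goal is a one-line-per-alert file that snortalog can parse, either the xref output needs the same treatment or the single-line layout should be a configurable option of the plugin rather than an unconditional change to its format. As in the earlier hunks, delete the old separator `fprintf` instead of wrapping it in `/* */`.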
-----Original Message-----
From: Cédric BLIN [mailto:cedric.blin () evidian com]
Sent: Wednesday, 5 May 2004 14:29
To: snort-users () lists sourceforge net
Subject: [Snort-users] Barnyard & SnortAlog
Hi all,
here is my first post, excuse my English.
I want to know if someone uses Barnyard & SnortAlog
and how I must configure them.
I use unified_log and Barnyard extracts snort.alert.xxx to fast.alert,
but SnortAlog is not able to understand this alert file.
Regards,
Cedric BLIN
