Snort mailing list archives

Barnyard, Mudpit, and the Unified Output Format


From: "M Shirk" <shirkdog_linux () hotmail com>
Date: Tue, 24 Aug 2004 08:05:28 -0400

I really have some questions about the Unified Output Format, and issues I have experienced.

Using Barnyard 0.2, and Mudpit 1.3, I have been able to run snort using the Unified Output Format (UOF) output plug-in. I have the snort.log.192832 and snort.alert.192832 files in /var/log/snort.

Quick digression:
It takes intuition to install Mudpit: you have to customize the makefiles in the output/acid directory to point to the correct location of the mysql header and library files. You also have to link directly to an object file that, after you run "make install", will be in the source tree under output/acid. I will try to work on a Mudpit how-to and post it to the list.

Back to the story:

After messing around, I am able to input alerts into the MySQL database. However, the SIDs are not correct. I checked the mappings, and both Barnyard and Mudpit were referencing the /etc/snort/*.map files and the classification file in the same directory. I am not sure if this is an issue when working with snort22, but only certain alerts would show up with the correct SID and name. All I was doing was telnetting to port 80 and doing a GET /../../cat/etc/passwd HTTP/1.1, and I also was nmapping port 80 and 443.

Which brings me to a topic of discussion. Along with the issue above, there is no payload, no packet data. Now, the reason to be running snort in this manner is to help with performance. But I was under the impression that snort will dump everything to the log file, including the payload in a binary format, and then a separate process such as Barnyard or Mudpit will decode and input the payload into the MySQL database for use with ACID. I was mucking around with the output code for Mudpit and did find that there is a function for the data and data_payload. I just want to know if this is the true nature of the output plug-in: to allow snort to sniff at top speed, or if there is something wrong with my setup.

Look forward to your comments.

Shirkdog
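The following is an added example, not code from this post or from Barnyard or Mudpit: it shows how a unified-format decoder turns the gid/sid/classification numbers stored in a unified record into names using the /etc/snort map files mentioned above, and how a lookup that misses surfaces as a placeholder name instead of the rule's message. The map file contents, ids and messages are constructed for the example.

```python
# Constructed samples of the mapping files Barnyard/Mudpit read from /etc/snort;
# every id, message and classification line is made up for this example.
GEN_MSG_MAP = """\
# gid || sid || message
122 || 1 || (portscan) TCP Portscan
"""
SID_MSG_MAP = """\
# sid || msg || reference(s)
1000001 || LOCAL WEB traversal attempt || url,example.invalid/traversal
"""
CLASSIFICATION_CONFIG = """\
config classification: attempted-recon,Attempted Information Leak,2
config classification: web-application-attack,Web Application Attack,1
"""
def parse_pipe_map(text, key_fields):
    """Parse 'a || b || c' lines into {key: message}; key is an int (sid-msg.map,
    key_fields=1) or a (gid, sid) tuple (gen-msg.map, key_fields=2)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split("||")]
        ints = [int(c) for c in cols[:key_fields]]
        table[ints[0] if key_fields == 1 else tuple(ints)] = cols[key_fields]
    return table

def parse_classifications(text):
    """classification.config lines 'config classification: short,description,priority'.
    A unified event stores a 1-based index into this list in file order; 0 = none."""
    classes = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config classification:"):
            short, desc, prio = (f.strip() for f in line.split(":", 1)[1].split(","))
            classes.append((short, desc, int(prio)))
    return classes

def resolve(gid, sid, class_id, gen_map, sid_map, classes):
    """Name a unified event's (gid, sid, classification). A failed lookup yields a
    placeholder (Barnyard shows a similar 'Snort Alert [gid:sid:rev]' text) and is
    listed in 'missing', so a bad map path shows up as data rather than silently."""
    msg = sid_map.get(sid) if gid == 1 else gen_map.get((gid, sid))
    missing = []
    if msg is None:
        msg, missing = f"Snort Alert [{gid}:{sid}:0]", ["msg"]
    cls = classes[class_id - 1][0] if 1 <= class_id <= len(classes) else None
    if cls is None:
        cls, missing = "unclassified", missing + ["class"]
    return msg, cls, missing
```

Running the same event ids against the real map files a Barnyard or Mudpit instance is configured with, and checking the `missing` list, separates "the map files are not the ones the rules were written against" from a decoding problem in the log itself.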





