
Snort mailing list archives
Re: output plugins barnyard2
From: firnsy <firnsy () securixlive com>
Date: Fri, 18 Dec 2009 18:10:24 +1030
On Fri, 2009-12-18 at 12:38 +0530, Pradeep Lamabam wrote:
Thanks a lot!! After reading your suggestion, I changed the commands to run barnyard2. It worked nicely. Now I can read the log files using log_tcpdump in barnyard2.conf with Wireshark.
Good to hear (read). In short, as of the 2-1.7 release there was a reasonable change in the configuration file format to better align with that of Snort. In addition, the log_tcpdump plugin will operate as expected and will attempt to autodetect the pcap format to write out to.
On Thu, Dec 17, 2009 at 4:31 PM, firnsy <firnsy () securixlive com> wrote:
On Thu, 2009-12-17 at 15:55 +0530, Pradeep Lamabam wrote:
> Location of barnyard2 files:
> /etc/snort/barnyard2.conf (THIS ONE I COPIED DURING INSTALLATION!!)
> /usr/local/etc/barnyard2.conf (THIS ONE I DIDN'T GET IN V1.6)
> /usr/local/barnyard2-1.8-beta1
> /usr/local/barnyard2-1.8-beta1/etc/barnyard2.conf
> /usr/local/barnyard2-1.8-beta1/rpm/barnyard2
> /usr/local/barnyard2-1.8-beta1/rpm/barnyard2.config
> /usr/local/barnyard2-1.8-beta1/rpm/barnyard2.spec
> /usr/local/barnyard2-1.8-beta1/src/barnyard2
> /usr/local/barnyard2-1.8-beta1/src/barnyard2.o
> /usr/local/barnyard2-1.8-beta1/src/barnyard2.c
> /usr/local/barnyard2-1.8-beta1/src/barnyard2.h
> /usr/local/bin/barnyard2
>
> barnyard2.conf (in /etc/snort)
> 1 alert_fast: /var/log/snort/barnyard2.alerts
> 2 output log_tcpdump: tcpdump.log
> 3 output database: alert, mysql, user=snort password=password dbname=snort host=localhost
>
> barnyard command:
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo -D
>
> barnyard.waldo
> -rw-r--r-- 1 root root 38 2009-12-17 14:58 barnyard.waldo
> -rw------- 1 snort snort 0 2009-12-17 14:58 snort.log.1261042083
>
> /var/log/snort snort.log 1261042083 0
>
> The issue still is: barnyard2 is not running. checked using ps-e|grep barnyard2

I see a couple of issues with your configuration ...

barnyard2 is not running because it is likely erroring on the absence of "/var/log/barnyard2". It would be looking for this directory due to an alternative being defined in either the conf file (using "config logdir") or at the command line (using "-l"). Please try running barnyard with the following command:

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -l /var/log/snort -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo -D

Also please omit the "-D" option during testing so you can see any errors being written to stdout.

Lastly, your alerts will not have any useful information assigned to them, as they don't contain any reference files defined in the conf file. Please see the supplied barnyard2.conf for a good example.
Regards,

--
firnsy
www.securixlive.com
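An added preflight check for the failure diagnosed in this thread (example code, not from the thread or the barnyard2 project): it resolves the effective log directory the way the reply describes, from -l first, then a "config logdir:" line in the conf, then the /var/log/barnyard2 default, and reports every missing path before barnyard2 is started with -D, where the error would otherwise go unseen. The function names and the sed pattern used to read "config logdir:" are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for a barnyard2 invocation.
# barnyard2_logdir: $1 = conf file, $2 = value given to -l (may be empty).
# Prints the directory barnyard2 will try to open for its output.
barnyard2_logdir() {
    conf=$1
    cli=$2
    if [ -n "$cli" ]; then
        printf '%s\n' "$cli"      # -l on the command line wins
        return
    fi
    # Assumed pattern for the conf directive: "config logdir: /some/path"
    dir=$(sed -n 's/^[[:space:]]*config[[:space:]]*logdir:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | head -n 1)
    printf '%s\n' "${dir:-/var/log/barnyard2}"   # compiled-in default named in the thread
}

# barnyard2_preflight: $1 = conf (-c), $2 = -l value or "", $3 = spool dir (-d),
# $4 = waldo file (-w). Prints one line per problem; returns the problem count,
# so a zero exit means it is safe to start the daemon with -D.
barnyard2_preflight() {
    conf=$1; cli_logdir=$2; spool=$3; waldo=$4
    problems=0
    [ -r "$conf" ] || { echo "conf not readable: $conf"; problems=$((problems+1)); }
    logdir=$(barnyard2_logdir "$conf" "$cli_logdir")
    [ -d "$logdir" ] && [ -w "$logdir" ] || {
        echo "logdir missing or not writable: $logdir (set with -l or 'config logdir:')"
        problems=$((problems+1))
    }
    [ -d "$spool" ] || { echo "spool dir missing: $spool"; problems=$((problems+1)); }
    [ -d "$(dirname "$waldo")" ] || { echo "waldo directory missing: $(dirname "$waldo")"; problems=$((problems+1)); }
    return "$problems"
}
```

Run the check from the same command line you intend to daemonize, e.g. `barnyard2_preflight /etc/snort/barnyard2.conf /var/log/snort /var/log/snort /var/log/snort/barnyard.waldo`, and only add -D once it reports nothing.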
Current thread:
- output plugins barnyard2 Pradeep Lamabam (Dec 15)
- Re: output plugins barnyard2 firnsy (Dec 16)
- Re: output plugins barnyard2 firnsy (Dec 17)
- Re: output plugins barnyard2 firnsy (Dec 16)