Snort mailing list archives

barnyard2, syslog and pulling the packet data


From: Ran Regev <ran_r () radiflow com>
Date: Mon, 19 Jan 2015 10:30:47 +0200

Hello everyone,

This is the requirement:
From a syslog message that describes an alert to be able to grab the entire
packet that caused this alert.

I thought of a few ways to do this, and after considering other requirements
as well, came to the conclusion that I would like to work in this way:

1. snort output to unified2 files.
2. barnyard2 reads the files and takes two outputs:
a. syslog.
b. database.

Based on the information in the syslog message, I'll be able to correlate
between the message and the saved event.

As far as I understand, the correlation should be done using sid and cid.
However, I can't find them in the syslog message.

Am I missing something?

Ran.
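As an added illustration (not part of Ran's message or of barnyard2 itself), the correlation step he describes can be done from the fields the syslog line does carry: the gid:sid:rev triple, protocol and endpoints are matched against the event/signature/iphdr/tcphdr/data tables that barnyard2's database output fills, which yields the sid/cid pair and with it the stored payload. The syslog line, the database rows and the schema subset below are constructed for the example.

```python
import re
import sqlite3
import ipaddress

# Constructed barnyard2-style syslog alert (alert_syslog format assumed; no sid/cid in it, as the thread notes).
SYSLOG_LINE = ("Jan 19 10:30:47 sensor1 snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
               "[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.0.0.5:80 -> 192.168.1.10:40312")
ALERT_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] .*?\{(?P<proto>\w+)\} "
                      r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def ip2int(addr):  # the Snort schema stores IPv4 addresses as unsigned 32-bit integers
    return int(ipaddress.IPv4Address(addr))

def parse_alert(line):
    """Extract what the syslog line does carry: gid:sid:rev, protocol and the endpoints."""
    m = ALERT_RE.search(line)
    return None if m is None else {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}

def build_db():
    """In-memory subset of the Snort DB schema that barnyard2's database output fills (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE signature(sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_gid INT, sig_sid INT, sig_rev INT);
      CREATE TABLE event(sid INT, cid INT, signature INT, timestamp TEXT);
      CREATE TABLE iphdr(sid INT, cid INT, ip_src INT, ip_dst INT, ip_proto INT);
      CREATE TABLE tcphdr(sid INT, cid INT, tcp_sport INT, tcp_dport INT);
      CREATE TABLE data(sid INT, cid INT, data_payload TEXT);
      INSERT INTO signature VALUES (1, 'GPL ATTACK_RESPONSE id check returned root', 1, 2100498, 7);""")
    rows = [(1, 41, "10.0.0.5", 80, "192.168.1.10", 40312, "7569643d3028726f6f7429"),  # matches SYSLOG_LINE
            (1, 42, "10.0.0.5", 80, "192.168.1.11", 40313, "7569643d3028726f6f7429")]  # same sig, other client
    for sid, cid, src, sport, dst, dport, payload in rows:  # sid = sensor id, cid = per-sensor event counter
        db.execute("INSERT INTO event VALUES (?,?,1,'2015-01-19 10:30:47')", (sid, cid))
        db.execute("INSERT INTO iphdr VALUES (?,?,?,?,6)", (sid, cid, ip2int(src), ip2int(dst)))
        db.execute("INSERT INTO tcphdr VALUES (?,?,?,?)", (sid, cid, sport, dport))
        db.execute("INSERT INTO data VALUES (?,?,?)", (sid, cid, payload))
    return db

def find_packet(db, alert):
    """Map the alert to (sid, cid) by signature triple + endpoints, then return the stored payload (hex)."""
    return db.execute("""
      SELECT e.sid, e.cid, d.data_payload FROM event e
      JOIN signature s ON s.sig_id = e.signature
      JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
      JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
      JOIN data d ON d.sid = e.sid AND d.cid = e.cid
      WHERE s.sig_gid=? AND s.sig_sid=? AND s.sig_rev=? AND i.ip_src=? AND i.ip_dst=?
        AND t.tcp_sport=? AND t.tcp_dport=?""",
      (alert["gid"], alert["sid"], alert["rev"], ip2int(alert["src"]), ip2int(alert["dst"]),
       alert["sport"], alert["dport"])).fetchall()  # >1 row means the tuple alone is ambiguous; add the timestamp
```

If the same signature fires repeatedly on one connection, the endpoint tuple alone is not unique, so a real lookup should also constrain event.timestamp to the syslog timestamp.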
Snort-users mailing list