Re: [Snort-users] Barnyard woes
From: Andrew R. Baker <andrewb(at)snort.org>
Date: Tue Feb 18 2003 - 22:16:50 EST

If you are only using the database output, you do not need the unified alert file. All of the alert data should be in the unified log file.

> 2) Snort's running fine and happily logging into

First off, I would recommend upgrading to the actual 0.1.0 release version of Barnyard; it fixes several bugs. The messages you are seeing are an attempt to not process tagged packets. As can be seen from comments in the released code, it does not work (and is disabled).

> 3) Same happens when I try to run barnyard with the -f

Uh, Barnyard should not be able to read scan.log. It is probably ignoring the -f on the command line and using the info from the waldo file.

> 4) The reason I'm running into this is my dislike of running two

Depends what you want. As I said before, for just database, processing only the unified log is ok. If you want syslog and/or alert_fast output too, then you will need to run two instances of Barnyard.

-A

Received on Tue Feb 18 22:23:00 2003