snort-users November 2009 archive

Re: [Snort-users] Barnyard: Syslog output FAIL!

From: Nick Moore <nmoore_at_nospam>
Date: Fri Nov 13 2009 - 18:25:32 GMT
To: "Chan, Wilson" <wchan@honolulu.gov>


Wilson,

I covered this in my setup guides on Snort.org. Please download either the Fedora or Ubuntu version and give it a shot.

Sent from my mobile device.

Nick Moore
Phone 708-336-9041
Email nmoore@Sourcefire.com

On Nov 13, 2009, at 10:57, "Chan, Wilson" <wchan@honolulu.gov> wrote:

> Are there any howtos on getting barnyard2 working? I tried Google
> and didn't seem to find any complete configs and templates on
> getting barnyard2 working with MySQL and syslog.
>
>
> ----- Original Message -----
> From: Jason Wallace <jason.r.wallace@gmail.com>
> To: snort-users@lists.sourceforge.net <snort-users@lists.sourceforge.net
> >
> Sent: Fri Nov 13 04:26:26 2009
> Subject: Re: [Snort-users] Barnyard: Syslog output FAIL!
>
> I would recommend having snort output using the unified2 format and
> use barnyard2 http://www.securixlive.com/barnyard2/download.php
>
> The unified2 format has both the alert and log information in one file
> so you only need one instance of barnyard2. The original barnyard is
> outdated, unmaintained, and does not support unified2. You're not
> likely to get a lot of help using the original version of barnyard.
>
> On Thu, Nov 12, 2009 at 9:37 PM, Chan, Wilson <wchan@honolulu.gov>
> wrote:
>> Why is barnyard not outputting to syslog? Configurations below:
>>
>>
>>
>> What is driving me nuts is that when I run in batch mode for snort.log
>> nothing happens on syslog, but as soon as I run batch mode in alert it gets
>> output. How do you get syslog to report on the snort.log files in daemon
>> mode?
>>
>> barnyard -o snort.log.1258079148 -v
>> barnyard -o snort.alert.1258079148 -v
>>
>> ==barnyard.conf==
>> config daemon
>> config localtime
>> config hostname: snort-test-laptop
>> config interface: eth2
>> output log_dump
>> output alert_syslog: LOG_LOCAL4 LOG_ALERT
>>
>> ==/etc/syslog.conf==
>> #Output logs from Barnyard to Syslog Server (remote)
>> local4.* @192.168.1.1
>>
>>
>>
>>
>>
>> Wilson
>>
>>
>>
>> ---
>> ---
>> ---
>> ---------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports
>> 2008 30-Day
>> trial. Simplify your report design, integration and deployment -
>> and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users@lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
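
The configuration Wilson posted has two links in the chain (barnyard's `alert_syslog` facility/level and the `local4.*` forwarding rule in syslog.conf), and a break in either one looks the same from the collector: nothing arrives. The script below is an added example, not code from the thread or from the barnyard project. It parses a barnyard.conf and a classic sysklogd-style syslog.conf, computes the numeric PRI a collector will see on the wire (facility*8 + severity, so LOG_LOCAL4/LOG_ALERT is `<161>`), and reports which syslog.conf rules match that facility and level. It also lists which configured output plugins read the log stream rather than the alert stream, relying on barnyard's plugin naming (alert_* versus log_*) to tell them apart; the sample configs are constructed from the posted settings, and the second syslog.conf is a constructed variant that forwards the wrong facility.

```python
"""Trace where barnyard's alert_syslog messages end up (added example)."""
import re

# RFC 3164 numeric codes; the on-the-wire PRI is facility * 8 + severity.
FACILITY = {
    "LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
    "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
    "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
}
FACILITY.update({f"LOG_LOCAL{i}": 16 + i for i in range(8)})
SEVERITY = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}
# syslog.conf spells the same names in lower case without the LOG_ prefix.
FAC_NAME = {k[4:].lower(): v for k, v in FACILITY.items()}
SEV_NAME = {k[4:].lower(): v for k, v in SEVERITY.items()}
SEV_NAME["warn"] = SEV_NAME["warning"]  # sysklogd accepts both spellings

# Constructed from the settings posted in the thread.
BARNYARD_CONF = """\
config daemon
config localtime
config hostname: snort-test-laptop
config interface: eth2
output log_dump
output alert_syslog: LOG_LOCAL4 LOG_ALERT
"""
SYSLOG_CONF = """\
#Output logs from Barnyard to Syslog Server (remote)
local4.* @192.168.1.1
"""
# Constructed variant: local4 is explicitly excluded, and only local5 is forwarded.
SYSLOG_CONF_WRONG_FACILITY = """\
*.info;local4.none /var/log/messages
local5.* @192.168.1.1
"""


def parse_barnyard_outputs(text):
    """Return [(plugin, args)] for every 'output' line in a barnyard.conf."""
    outputs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"output\s+(\w+)\s*:?\s*(.*)$", line)
        if m:
            outputs.append((m.group(1), m.group(2).split()))
    return outputs


def alert_syslog_tag(outputs):
    """(facility, severity) codes the alert_syslog plugin will tag alerts with, or None."""
    for plugin, args in outputs:
        if plugin == "alert_syslog":
            # Assumed defaults when no arguments are given (same as Snort's plugin).
            fac = args[0] if args else "LOG_AUTH"
            sev = args[1] if len(args) > 1 else "LOG_ALERT"
            return FACILITY[fac], SEVERITY[sev]
    return None


def syslog_pri(facility, severity):
    """Numeric PRI that appears as <PRI> at the start of each forwarded message."""
    return facility * 8 + severity


def parse_syslog_conf(text):
    """Return [(selector, action)] for every rule in a sysklogd-style syslog.conf."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            rules.append((parts[0], parts[1]))
    return rules


def selector_matches(selector, facility, severity):
    """sysklogd semantics: 'fac[,fac].prio[;...]'; later entries override earlier ones."""
    matched = False
    for item in selector.split(";"):
        facs, _, prio = item.rpartition(".")
        fac_codes = set(FAC_NAME.values()) if facs == "*" else {FAC_NAME[f] for f in facs.split(",")}
        if facility not in fac_codes:
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("="):
            matched = severity == SEV_NAME[prio[1:]]
        else:  # plain level means "this level and anything more urgent"
            matched = severity <= SEV_NAME[prio]
    return matched


def trace_alerts(barnyard_conf, syslog_conf):
    """Which syslog.conf actions receive barnyard alerts, plus the log-stream outputs."""
    outputs = parse_barnyard_outputs(barnyard_conf)
    log_outputs = [p for p, _ in outputs if p.startswith("log_")]  # log-stream plugins
    tag = alert_syslog_tag(outputs)
    if tag is None:
        return {"pri": None, "actions": [], "remote": [], "log_outputs": log_outputs}
    fac, sev = tag
    actions = [act for sel, act in parse_syslog_conf(syslog_conf) if selector_matches(sel, fac, sev)]
    return {
        "pri": syslog_pri(fac, sev),
        "actions": actions,
        "remote": [a[1:] for a in actions if a.startswith("@")],  # forwarded to these hosts
        "log_outputs": log_outputs,
    }


if __name__ == "__main__":
    for name, conf in (("posted", SYSLOG_CONF), ("wrong-facility", SYSLOG_CONF_WRONG_FACILITY)):
        print(name, trace_alerts(BARNYARD_CONF, conf))
```

With the posted configs the report shows PRI 161 forwarded to 192.168.1.1, which is the value to filter on at the collector when checking whether anything is arriving at all; with the constructed variant it shows no matching rule, i.e. the break is in syslog.conf rather than in barnyard. The `log_outputs` entry makes the other half visible: `log_dump` is the only plugin reading the log stream, so a syslog destination exists for alerts only.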