Subject: [Snort-users] Snort - Barnyard - Waldo Files
Date: Tue, 28 Dec 2004 09:49:05 -0500

Morning all, I know most of you are on vacation, but for the geeks that
never take a break....

I am writing a script that takes a log_dump file from barnyard, creates
a snortalog report and posts it to a website... Everything works well
except if the logfile specified in the waldo file (barnyard) is moved to
the archive directory when barnyard is momentarily stopped... when
barnyard is restarted, it's stuck on the old log and just sits there...

the script looks something like:

<SNIP>
# Stop barnyard so the log_dump file is not being written while it is moved
/etc/init.d/barnyard stop
mv /data/logs/si1/snort_log.log /opt/snortalog
/etc/init.d/barnyard start

# Change this later to check and see if the rules have been updated
# Less overhead, implement a check file or something....
cat /data/rules/si1/*.rules | /opt/snortalog/snortalog.pl -genref rules

# Build the hourly report from the moved dump (one command, continued on the next line)
/opt/snortalog/snortalog.pl -c -r -w -file /opt/snortalog/snort_log.log \
  -h index.html -u /var/www/html/snortalog/ -src -src_attack -src_dst_attack

rm /opt/snortalog/snort_log.log
</SNIP>

All the configs (including the waldo file) are specified in the barnyard
startup script...

I know there are ways to filter out certain timeframes for snortalog,
but for simplicity, I want to just generate stats for the last hour,
hence the Barnyard-STOP, move log file, start barnyard (to create new
blank dump_log). Only problem is, if for (whatever reason), the
[unified] logfile is archived between the stop and start, the waldo file
is incorrect and barnyard stops processing...

Should I just run a check to see if the file specified in the waldo
exists, if so, start, if not, remove the waldo file and start [from
scratch]..? or is there a better way to do it...? Right now I have the
unified log's maxsize at 128meg and barnyard is doing the archiving...
When this happens, it's nowhere near 128meg, so it can't be snort that
is cutting off the file, it's got to be barnyard, but I can't figure out
why (when barnyard stops and archives the log) it doesn't update the
waldo file......

Anyone else seen this??

TIA
-- 
Wes Young
Network Security Analyst
University at Buffalo
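A hardened version of the stop / move / start cycle, written here as an added example and not the script from the post: it lists the unified-log spool directory before and after the stop, so a file that barnyard archived while shutting down (the case that leaves the waldo pointing at a missing file) is detected and the waldo is removed before the restart, and the hour's dump is only deleted after snortalog has run. The detection works on the directory listing, not on the waldo's binary contents; SPOOL_DIR, WALDO and BARNYARD are assumed paths, the other paths are the ones from the post.

```shell
#!/bin/sh
# Added example, not the poster's script: the same stop / move / start cycle
# with a guard for the stuck-waldo case. The unified-log spool directory is
# listed before and after "barnyard stop"; if a file vanished in between, the
# waldo may reference the archived file, so it is removed to start from scratch.
# SPOOL_DIR, WALDO and BARNYARD are assumed; the other paths are from the post.
set -eu
SPOOL_DIR=${SPOOL_DIR:-/data/logs/si1}
WALDO=${WALDO:-/data/logs/si1/barnyard.waldo}
DUMP=${DUMP:-/data/logs/si1/snort_log.log}
WORK=${WORK:-/opt/snortalog}
BARNYARD=${BARNYARD:-/etc/init.d/barnyard}
# Sorted listing of a directory, one name per line.
spool_listing() {
    ls -1 "$1" 2>/dev/null | sort
}

# Print names present in listing file $1 but absent from listing file $2.
# Exit 0 if at least one name vanished, 1 if nothing did.
spool_lost_files() {
    lost=$(comm -23 "$1" "$2")
    [ -n "$lost" ] || return 1
    printf '%s\n' "$lost"
}

# Move the log_dump file into $WORK under a timestamped name so a failed run
# never clobbers or deletes the previous hour's data. Prints the new path.
archive_dump() {
    dest="$WORK/snort_log.$(date +%Y%m%d%H%M%S).log"
    mv "$1" "$dest"
    printf '%s\n' "$dest"
}

rotate_for_snortalog() {
    before=$(mktemp); after=$(mktemp)
    spool_listing "$SPOOL_DIR" > "$before"
    "$BARNYARD" stop
    spool_listing "$SPOOL_DIR" > "$after"
    archived=$(archive_dump "$DUMP")
    if spool_lost_files "$before" "$after" > /dev/null; then
        rm -f "$WALDO"      # stale waldo: let barnyard start over on the spool dir
    fi
    "$BARNYARD" start
    rm -f "$before" "$after"
    cat /data/rules/si1/*.rules | "$WORK/snortalog.pl" -genref rules
    "$WORK/snortalog.pl" -c -r -w -file "$archived" \
        -h index.html -u /var/www/html/snortalog/ -src -src_attack -src_dst_attack
    rm -f "$archived"       # only reached when snortalog succeeded (set -e)
}
if [ "${1:-}" = run ]; then rotate_for_snortalog; fi
```

Removing the waldo makes barnyard reprocess whatever unified files are still in the spool directory, so events from those files can show up a second time in the next dump.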