Re: Fwd: Re[4]: [Snort-users] unified format

Date: Mon, 22 Aug 2005 17:56:46 +0300
Hello Bamm,

Friday, August 19, 2005, 5:55:01 PM, you wrote:

BV> I wonder if this is a waldo file issue. If you originally ran barnyard
BV> watching the unified alert file, then switched it to watching the
BV> unified log file, that may have caused problems with barnyard.

I'm sure that it's not the waldo file, because I'm removing old logs (and
the old waldo file) before every run of snort+barnyard.

BV> Try removing $SNORT_LOG/barnyard.waldo and then start barnyard
BV> with the "-f snort.log". When you do this, run barnyard in the
BV> foreground and send a copy of the stdout back here.

OK. I'm running barnyard with "-R" and without "-R":

without "-R"

 - >8 - - >8 - - >8 - - >8 -

No bookmark file found, processing all events
Opened spool file '/var/log/snort/snort.log.1124719207'
OpAcidDB configured
  Database Flavour: mysql
  Detail Level: Full
  Database Server: 192.168.x.x
  Database User: xxxxx
SensorID: 1
Next CID: 19058
Waiting for new data
Exiting
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /usr/local/barnyard/etc/barnyard.conf
  Spool dir:             /var/log/snort
  Gen-msg file:          Not specified
  Sid-msg file:          Not specified
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            /var/log/snort/barnyard.waldo
  Pid file:              Not specified
  Verbosity level:       6
  Dry run flag:          Not Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        xxxxx
  Interface:       any
  BPF Filter:      Not specified
  Class file:      /usr/local/snort/etc/classification.config
  Sid-msg file:    /usr/local/snort/etc/sid-msg.map
  Gen-msg file:    /usr/local/snort/etc/gen-msg.map
  Daemon flag:     Not Set
  Localtime flag:  Set
Program Variables:
  Continual processing mode
  Config dir:    /usr/local/barnyard/etc
  Config file:   /usr/local/barnyard/etc/barnyard.conf
  Sid-msg file:  /usr/local/snort/etc/sid-msg.map
  Gen-msg file:  /usr/local/snort/etc/gen-msg.map
  Class file:    /usr/local/snort/etc/classification.config
  Hostname:      xxxxx
  Interface:     any
  BPF Filter:    
  Log dir:       /var/log/snort
  Verbosity:     6
  Localtime:     1
  Spool dir:     /var/log/snort
  Spool file:    snort.log
  Bookmark file: /var/log/snort/barnyard.waldo
  Record Number: 0
  Timet:         0
  Start at end:  0 

 - >8 - - >8 - - >8 - - >8 -

and (after Ctrl+C) with "-R" (with some extra info)

 - >8 - - >8 - - >8 - - >8 -

Starting data processing using information from bookmark file
Output plugins enabled for 'alert' records
-------------------------------------------------------
OpAcidDB configured
  Database Flavour: mysql
  Detail Level: Full
  Database Server: 192.168.x.x
  Database User: xxxxx
=======================================================
Output plugins enabled for 'log' records
-------------------------------------------------------
OpAcidDB configured
  Database Flavour: mysql
  Detail Level: Full
  Database Server: 192.168.x.x
  Database User: xxxxx
=======================================================
Output plugins enabled for 'stream_stat' records
-------------------------------------------------------
None configured
=======================================================
Barnyard Version 0.2.0 (Build 32)
Command line arguments:
  Config file:           /usr/local/barnyard/etc/barnyard.conf
  Spool dir:             /var/log/snort
  Gen-msg file:          Not specified
  Sid-msg file:          Not specified
  Class file:            Not specified
  Log dir:               Not specified
  Archive dir:           Not specified
  File base:             snort.log
  Waldo file:            /var/log/snort/barnyard.waldo
  Pid file:              Not specified
  Verbosity level:       6
  Dry run flag:          Set
  Batch mode flag:       Not Set
  Daemon flag:           Not Set
  New records only flag: Not Set
  Usage flag:            Not Set
  Version flag:          Not Set
Config file variables:
  Hostname:        xxxxx
  Interface:       any
  BPF Filter:      Not specified
  Class file:      /usr/local/snort/etc/classification.config
  Sid-msg file:    /usr/local/snort/etc/sid-msg.map
  Gen-msg file:    /usr/local/snort/etc/gen-msg.map
  Daemon flag:     Not Set
  Localtime flag:  Set
Program Variables:
  Continual processing mode
  Config dir:    /usr/local/barnyard/etc
  Config file:   /usr/local/barnyard/etc/barnyard.conf
  Sid-msg file:  /usr/local/snort/etc/sid-msg.map
  Gen-msg file:  /usr/local/snort/etc/gen-msg.map
  Class file:    /usr/local/snort/etc/classification.config
  Hostname:      xxxxx
  Interface:     any
  BPF Filter:    
  Log dir:       /var/log/snort
  Verbosity:     6
  Localtime:     1
  Spool dir:     /var/log/snort
  Spool file:    snort.log
  Bookmark file: /var/log/snort/barnyard.waldo
  Record Number: 63
  Timet:         1124719207
  Start at end:  0 

 - >8 - - >8 - - >8 - - >8 -

While barnyard is running in process mode (without "-R"), the alert and log
files grow (so some events do take place), but no events are written to
the DB.
  
When I use "-f snort.alert", I get alert events in the DB but no
payload. When I use "-f snort.log", I don't get alert events in the DB.


Ah, this may be the problem. If the rule action is "alert" then the data
presented to the output plugins does not include the payload. There is no
configuration of anything that can get around this, IIRC. You need to be
setting the actions to "log" if you want the payload.


-- 
Best regards,
 Igor                            mailto:ivb@is.ua
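The practical consequence of the last point in the thread is that any rule whose packet payload should reach the database needs the "log" action rather than "alert". The helper below is an added example, not code from the thread or from Snort/Barnyard: it rewrites the action keyword of selected rules in a Snort 2.x style rules file (handling backslash-continued rules and leaving comments, var lines and other actions alone) and tallies actions so the change can be verified before restarting the sensor. The sample ruleset and its sids are constructed.

```python
import re

# Rule actions of the classic Snort 2.x rule syntax (assumed set).
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample ruleset; the sids are placeholders, not real Snort sids.
SAMPLE_RULES = """\
# constructed sample, not a real ruleset
var HOME_NET 192.168.1.0/24
alert tcp any any -> $HOME_NET 80 (msg:"constructed web probe"; \\
    content:"/etc/passwd"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"constructed ping"; sid:1000002; rev:1;)
# alert tcp any any -> any 23 (msg:"disabled"; sid:1000003;)
pass tcp $HOME_NET any -> any 22 (msg:"constructed allow"; sid:1000004;)
"""

def _logical_lines(text):
    """Join backslash-continued lines so each rule becomes one logical line."""
    buf = []
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield "".join(buf)
        buf = []
    if buf:
        yield "".join(buf)

def set_rule_action(rules_text, from_action="alert", new_action="log", sids=None):
    """Rewrite rules that start with `from_action` to use `new_action`.

    Comments, blank lines, var/include lines and rules with other actions pass
    through unchanged. With `sids`, only rules whose sid option is in that set
    change. Returns (rewritten_text, number_of_rules_changed).
    """
    if new_action not in RULE_ACTIONS:
        raise ValueError("unknown Snort action: %r" % new_action)
    out, changed = [], 0
    for line in _logical_lines(rules_text):
        m = re.match(r"^(\s*)(\w+)(\s+)", line)
        if m and m.group(2) == from_action:
            sid_m = _SID_RE.search(line)
            sid = int(sid_m.group(1)) if sid_m else None
            if sids is None or sid in sids:
                line = m.group(1) + new_action + m.group(3) + line[m.end():]
                changed += 1
        out.append(line)
    return "\n".join(out) + ("\n" if rules_text.endswith("\n") else ""), changed

def count_actions(rules_text):
    """Tally rule actions so the result of a rewrite can be checked."""
    counts = {}
    for line in _logical_lines(rules_text):
        m = re.match(r"^\s*(\w+)\s", line)
        if m and m.group(1) in RULE_ACTIONS:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```

Note that continued rules are written back as a single line; run `snort -T` against the rewritten file before deploying it.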


