#------------------------------------------------------------- # http://www.snort.org Barnyard 0.1.0 configuration file # Contact: snort-barnyard@lists.sourceforge.net #------------------------------------------------------------- # $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $ ######################################################## # Currently you want to do two things in here: turn on # available data processors and turn on output plugins. # The data processors (dp's) and output plugin's (op's) # automatically associate with each other by type and # are automatically selected at run time depending on # the type of file you try to load. ######################################################## # Step 1: configuration declarations # To keep from having a commandline that uses every letter in the alphabet # most configuration options are set here # enable daemon mode # config daemon # use localtime instead of UTC (*not* recommended because of timewarps) #config localtime # set the hostname (currently only used for the acid db output plugin) config hostname: ypbind.de # set the interface name (currently only used for the acid db output plugin) config interface: eth0 # set the filter (currently only used for the acid db output plugin) config filter: # Step 2: setup the output plugins # alert_fast #----------------------------- # Converts data from the dp_alert plugin into an approximation of Snort's # "fast alert" mode. Argument: output alert_fast # log_dump #----------------------------- # Converts data from the dp_log plugin into an approximation of Snort's # "ASCII packet dump" mode. Argument: output log_dump # alert_csv (experimental) #--------------------------- # Creates a CSV output file of alerts (optionally using a user specified format) # Arguments: filepath [format] # # The format is a comma-seperated list of fields to output (no spaces allowed) # The available fields are: # sig_gen - signature generator # sig_id - signature id # sig_rev - signatrue revision # sid - SID triplet # class - class id # classname - textual name of class # priority - priority id # event_id - event id # event_reference - event reference # ref_tv_sec - reference seconds # ref_tv_usec - reference microseconds # tv_sec - event seconds # tv_usec - event microseconds # timestamp - prettified timestamp (2001-01-01 01:02:03) in UTC # src - src address as a u_int32_t # srcip - src address as a dotted quad # dst - dst address as a u_int32_t # dstip - dst address as a dotted quad # sport_itype - source port or ICMP type (or 0) # sport - source port (if UDP or TCP) # itype - ICMP type (if ICMP) # dport_icode - dest port or ICMP code (or 0) # dport - dest port # icode - ICMP code (if ICMP) # proto - protocol number # protoname - protocol name # flags - flags from UnifiedAlertRecord # msg - message text # hostname - hostname (from barnyard.conf) # interface - interface (from barnyard.conf) # # Examples: # output alert_csv: /var/log/snort/csv.out # output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode # output alert_csv: csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode # alert_syslog #----------------------------- # Converts data from the alert stream into an approximation of Snort's # syslog alert output plugin. Same arguments as the output plugin in snort. #output alert_syslog # alert_syslog2 #------------------------------- # Generates a syslog alert. This supports considerably more features than # the original syslog output plugin. # #output alert_syslog2 LOG_AUTH LOG_ALERT # log_pcap #----------------------------- # Converts data from the dp_log plugin into standard pcap format # Argument: output log_pcap # acid_db #------------------------------- # Available as both a log and alert output plugin. Used to output data into # the db schema used by ACID # Arguments: # $db_flavor - what flavor of database (ie, mysql) # sensor_id $sensor_id - integer sensor id to insert data as # database $database - name of the database # server $server - server the database is located on # user $user - username to connect to the database as # password $password - password for database authentication # output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root # output log_acid_db: mysql, database snort, server localhost, user root, detail full # sguil #---- # This output plug-in is used to generate output for use with the SGUIL user # interface. To learn more about SGUIL, go to http://sguil.sourceforge.net # #output sguil: mysql, sensor_id 0, database sguildb, server syn, user root,\ # password dbpasswd, sguild_host syn, sguild_port 7736