alert_unified2?


Dave Hojo

Jun 18, 2013, 8:25:24 PM
to barnyar...@googlegroups.com
Am I right in thinking that when snort outputs to alert_unified2 that barnyard2 can't read that as an input?  What I'm trying to do is just report alerts without the packet info as required by my design.  When I try to specify alert_unified2 I get the following:

ERROR: /usr/local/stillsecure/snort/eth0/barnyard2.conf(5) Unknown input plugin: "alert_unified2"

When using the following output line, it still gathers the data from the snort.log and passes it to the DB:
output database: alert, mysql, dbname=...

If I specify alert_unified2 in snort.conf, barnyard appears to just not read the entries that hit snort.log.

Any help would be appreciated.

beenph

Jun 18, 2013, 11:12:10 PM
to barnyar...@googlegroups.com
On Tue, Jun 18, 2013 at 8:25 PM, Dave Hojo <dhaj...@gmail.com> wrote:
> Am I right in thinking that when snort outputs to alert_unified2 that
> barnyard2 can't read that as an input? What I'm trying to do is just report
> alerts without the packet info as required by my design. When I try to
> specify alert_unified2 I get the following:
>

Hi Dave,

In snort use output unified2 (remove previous unified2 file created
with alert_unified2).

In barnyard2 use input unified2.

In snort there are three unified2 output modes.

alert_unified2: will only output events but will not output matching packets
log_unified2: will only output packets but will not output matching event
unified2: will output event and packet

So with barnyard2 2-1.X you want to use input unified2.

Hope this helps,
-elz
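A quick way to verify which of the three modes a given spool file actually contains (events only, packets only, or both) is to walk its records and count them by type. This is an added example, not barnyard2 or Snort code; the record type codes and the 52-byte legacy IPv4 event layout follow Snort's Unified2_common.h, and the sample records at the bottom are constructed inline rather than captured from a sensor.

```python
import socket
import struct

# Record type codes from Snort's Unified2_common.h
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6 = 2, 7, 72
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6}

def iter_records(data):
    """Yield (type, body); every record starts with a big-endian (type, length) header."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, off)
        off += 8
        if off + length > len(data):
            raise ValueError("truncated record at offset %d" % (off - 8))
        yield rtype, data[off:off + length]
        off += length

def parse_ipv4_event(body):
    """Decode the 52-byte Unified2IDSEvent_legacy layout (record type 7)."""
    f = struct.unpack_from("!11IHH4B", body, 0)
    return {"gid": f[5], "sid": f[4], "src": socket.inet_ntoa(struct.pack("!I", f[9])),
            "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
            "sport": f[11], "dport": f[12], "proto": f[13]}

def summarize(data):
    """Count record kinds: an alert_unified2 file carries events and no packet records."""
    s = {"events": [], "packets": 0, "payload_bytes": 0}
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            s["events"].append(parse_ipv4_event(body))
        elif rtype in EVENT_TYPES:
            s["events"].append({"gid": None, "sid": None})  # IPv6 layout not decoded here
        elif rtype == UNIFIED2_PACKET:
            s["packets"] += 1
            s["payload_bytes"] += struct.unpack_from("!I", body, 24)[0]  # packet_length field
    return s

# Constructed sample records (not real Snort output) so the check runs stand-alone.
def make_record(rtype, body):
    return struct.pack("!II", rtype, len(body)) + body
def sample_event(sid):  # sensor 1, gid 1, 10.0.0.1:40000 -> 10.0.0.2:80, TCP
    return make_record(UNIFIED2_IDS_EVENT, struct.pack("!11IHH4B", 1, sid, 1371600000, 0,
                       sid, 1, 3, 0, 2, 0x0A000001, 0x0A000002, 40000, 80, 6, 0, 0, 0))
def sample_packet(payload):
    hdr = struct.pack("!7I", 1, 7, 1371600000, 1371600000, 0, 1, len(payload))
    return make_record(UNIFIED2_PACKET, hdr + payload)
ALERT_ONLY = sample_event(1000001) + sample_event(1000002)  # what alert_unified2 writes
FULL = sample_event(1000001) + sample_packet(b"GET / HTTP/1.1\r\n")  # what unified2 writes
```

Run `summarize(open(path, "rb").read())` against a real spool file: a zero packet count with a non-zero event count is the alert_unified2 case that barnyard2 2.1.x does not read, and `payload_bytes` tells you whether any packet data reached disk at all.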

Dave Hajoglou

Jun 18, 2013, 11:34:54 PM
to barnyar...@googlegroups.com

Thanks for your fast reply :) 


> Hi Dave,
> In snort use output unified2 (remove previous unified2 file created
> with alert_unified2).
>
> In barnyard2 use input unified2.
>
> In snort there is three unified 2 output mode.
>
> alert_unified2: will only output events but will not output matching packets

So, I need to use alert_unified2 from snort.  I want only events, no packets.  Due to financial requirements, packet data cannot be stored in the database.

> log_unified2: will only output packets but will not output matching event
> unified2: will output event and packet
>
> So with barnyard2 2-1.X you want to use input unified2.

Thus, does barnyard support a way to read alert_unified2 or, at the very least, only log the events to the DB, not the packets?  Right now it works perfectly with snort out=>u2 barnyard in=>u2.

Thanks,
-dave


Dave Hojo

Jun 18, 2013, 11:43:47 PM
to barnyar...@googlegroups.com

> Thus, does barnyard support a way to read alert_unified2 or, at the very least, only log the events to the DB, not the packets?  Right now it works perfectly with snort out=>u2 barnyard in=>u2.

I should clarify: Right now it works perfectly logging alert+packet with u2.  I have no issues with that mode of operation. I can't get alerts w/no packet to work.  Sorry if my last email was confusing.
Thanks,
-dave


beenph

Jun 18, 2013, 11:48:32 PM
to barnyar...@googlegroups.com
Well right now it's impossible to do at barnyard2 level unless you
comment out the payload logging section in the code,
which is doable without much of an issue (I could make a branch for you).

But in 2.2 we will support the 3 types of unified2 logging.

If you want me to create a branch that would crop the payload let me know.

-elz

Dave Hajoglou

Jun 19, 2013, 8:49:57 AM
to barnyar...@googlegroups.com
No need to make a patch, but thanks for offering.  If need be I can patch the code to modify the DB inserts.  I'm not sure the urgency is there right now.  I was just wondering if there was a workaround with the config files.  I appreciate your help.

Thanks,
-dave







Dave Hojo

Sep 10, 2013, 11:30:16 AM
to barnyar...@googlegroups.com
Me again.  I'm going to bump up this thread.   As a recap, by2 doesn't support alert_unified2 yet (targeted by 2.2).  We are readdressing our requirements and started to tweak a few things as a workaround.  Since we can't have any payload data even written to the disk by snort, the quick fix to just omit the payload insert at the barnyard2 level won't work.  I played around with snort thinking that I could just nullify the payload write by setting the length to 0, thus skipping the payload altogether.  It seems that the inner/outer bit hoses that up where barnyard2 looks into the payload rather than just the IDS event data for header information.

So, I think we will just need to have the spo_alert_unified2 input plugin unless anyone can think of a way I can modify snort to omit the payload data and still get barnyard2 to read unified2 with neutered data.  As far as the alert_unified2 plugin, has anyone started it or is there anything that I should be concerned about before launching down that path myself?  It seems it'd be just a special case of spo_unified2.

If I need to start a new thread on this I can.  I figured I'd keep it here for ease of searching.

beenph

Sep 10, 2013, 10:29:18 PM
to barnyar...@googlegroups.com
With a few modifications to the barnyard2 code you can make it work; you
only need to patch spo_database
so it works with events only and does not process expected
packet information, and you should be fine.

Hope this helps.

-elz

Dave Hajoglou

Sep 10, 2013, 10:40:12 PM
to barnyar...@googlegroups.com
> With a few modification to barnyard2 code you can make it work, you
> only need to patch spo_database


I'm in the process of redoing my patch with by 2.1.13 (we were on .10 and there are changes elsewhere I have to deal with for our option patch as well) so I'll try to get snort to skip the payload then hit spo_database. I can also work a bit on the spi_alert_unified2 as well.  Has anyone started that module for 2.2?