
[Snort-users] acid - barnyard - payload


Jochen Vogel, Oct 7, 2003, 9:36:16 AM
hi,

I use snort -> barnyard -> mysql <- acid and want to show the payloads.

I use 2 barnyard scripts:
barnalert for the alert file
barnlog for the log file

If I run barnalert I get messages but no payload.

If I run barnlog I get nothing.

If I run both, barnalert gets SID1 and barnlog gets SID2, but acid shows SID1
only, without payload.

If I run both and give barnlog SID1 I get an error message because of duplicate
entries.

How can I show the payload?

thx for help
jo


_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Jochen Vogel, Oct 8, 2003, 9:35:21 AM
hi,

I recreated the snortDB.
barnlog didn't read the sid and created sid2.

This is my barnyard.conf:
#config localtime
config hostname: sensor2
config interface: x
config filter: x

processor dp_alert
processor dp_log
processor dp_stream_stat

#output alert_fast
#output log_dump
#output alert_syslog
#output log_pcap
output alert_acid_db: mysql, database snort, server localhost, user sensor
output log_acid_db: mysql, database snort, server localhost, user sensor, detail full
------------------------------------------------
/etc/init.d/barnalert
Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AcidDb output plugin initialized
AlertCSV initialized
Parsing Config file: /opt/sentinel/sensor/conf/barnyard.conf
Args: mysql, database snort, server localhost, user sensor
Args: mysql, database snort, server localhost, user sensor, detail full
Barnyard Version 0.1.0 (Build 17) started
AcidDbOpStart
sensor_id == 1
OpAcidDB configuration details
Database Flavour: mysql
Detail Level: Fast
Database Server: localhost
Database User: sensor
SensorID: 1
AcidDbOpStart Complete
Exiting
AcidDbOpStop

------------------------------------------------------
Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AcidDb output plugin initialized
AlertCSV initialized
Parsing Config file: /opt/sentinel/sensor/conf/barnyard.conf
Args: mysql, database snort, server localhost, user sensor
Args: mysql, database snort, server localhost, user sensor, detail full
Barnyard Version 0.1.0 (Build 17) started
AcidDbOpStart
sensor_id == 2
OpAcidDB configuration details
Database Flavour: mysql
Detail Level: Full
Database Server: localhost
Database User: sensor
SensorID: 2
AcidDbOpStart Complete
Exiting
AcidDbOpStop

------------------------------------------------------
mysql -e "select * from sensor" snort
+-----+----------+-----------+--------+--------+----------+----------+
| sid | hostname | interface | filter | detail | encoding | last_cid |
+-----+----------+-----------+--------+--------+----------+----------+
|   1 | sensor2  | x         | x      |      0 |        0 |        0 |
|   2 | sensor2  | x         | x      |      1 |        0 |        0 |
+-----+----------+-----------+--------+--------+----------+----------+



Jochen Vogel, Oct 9, 2003, 9:14:16 AM
ok, another try.

I created 2 barnyard scripts:
-barnalert for the alerts
-barnlog for the logs

Both sensors are registered:

+-----+----------+-----------+--------+--------+----------+----------+
| sid | hostname | interface | filter | detail | encoding | last_cid |
+-----+----------+-----------+--------+--------+----------+----------+
|   3 | alert    | x         | x      |      0 |        0 |        0 |
|   4 | log      | x         | x      |      1 |        0 |        0 |
+-----+----------+-----------+--------+--------+----------+----------+

For both sensors events exist:
+-----+-----+-----------+---------------------+
| sid | cid | signature | timestamp           |
+-----+-----+-----------+---------------------+
|   3 | 972 |         5 | 2003-10-09 13:17:24 |
|   4 | 972 |         5 | 2003-10-09 13:17:24 |
|   3 | 971 |         5 | 2003-10-09 13:17:22 |
|   4 | 971 |         5 | 2003-10-09 13:17:22 |
|   3 | 970 |         5 | 2003-10-09 13:17:21 |
|   4 | 970 |         5 | 2003-10-09 13:17:21 |
|   3 | 969 |        13 | 2003-10-09 13:17:20 |
|   3 | 968 |         5 | 2003-10-09 13:17:20 |
|   4 | 969 |        13 | 2003-10-09 13:17:20 |
|   4 | 968 |         5 | 2003-10-09 13:17:20 |
+-----+-----+-----------+---------------------+

acid shows only the sid3 alert.

What's the problem?

thx for help
jo
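A check for the setup in this post, added here as an example that is not code from the original posts or from Snort, barnyard or ACID: it recreates the sensor/event/data subset of the Snort database schema in SQLite with rows constructed to mirror the two tables above, and reports per sensor how many events have a matching row in the `data` table, which is where the payload is stored. The payload hex and the single timestamp are constructed values.

```python
import sqlite3

# Subset of the Snort/ACID database schema (sensor, event, data) recreated in
# SQLite so the check runs offline; column names follow the Snort schema.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     filter TEXT, detail INTEGER, encoding INTEGER, last_cid INTEGER);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                     PRIMARY KEY (sid, cid));
CREATE TABLE data   (sid INTEGER, cid INTEGER, data_payload TEXT,
                     PRIMARY KEY (sid, cid));
"""

# Constructed rows mirroring the sensor and event tables quoted in the thread:
# sid 3 is the "fast" (detail 0) alert sensor, sid 4 the "full" (detail 1) one.
SENSORS = [(3, "alert", "x", "x", 0, 0, 0), (4, "log", "x", "x", 1, 0, 0)]
EVENTS = [(sid, cid, sig, "2003-10-09 13:17:20")
          for cid, sig in ((968, 5), (969, 13), (970, 5), (971, 5), (972, 5))
          for sid in (3, 4)]
# Constructed: only the detail-full sensor wrote payload rows (hex is a dummy value).
PAYLOADS = [(4, cid, "474554202f") for cid in (968, 969, 970, 971, 972)]

# Per sensor: detail level, number of events, and how many of those events have
# a matching row in `data`, the table the payload is read from.
REPORT_SQL = """
SELECT s.sid, s.detail, COUNT(e.cid) AS events, COUNT(d.cid) AS with_payload
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
LEFT JOIN data  d ON d.sid = e.sid AND d.cid = e.cid
GROUP BY s.sid, s.detail
ORDER BY s.sid
"""

def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO sensor VALUES (?,?,?,?,?,?,?)", SENSORS)
    con.executemany("INSERT INTO event VALUES (?,?,?,?)", EVENTS)
    con.executemany("INSERT INTO data VALUES (?,?,?)", PAYLOADS)
    return con

def payload_report(con):
    """Map sid -> (detail, events, with_payload) for every registered sensor."""
    return {sid: (detail, ev, wp) for sid, detail, ev, wp in con.execute(REPORT_SQL)}

def sensors_missing_payload(con):
    """Sids that logged events but have no payload row at all."""
    return sorted(sid for sid, (_, ev, wp) in payload_report(con).items()
                  if ev and wp == 0)
```

Run the same REPORT_SQL against the real snort database to see which sensor id actually carries payload rows before looking at how ACID selects the sensor.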





Jochen Vogel, Oct 13, 2003, 5:37:11 AM
How can I show the payload in acid if I use barnyard?

