Home
Topics
Security Channel
Network security products, technologies, services
Barnyard processing logs for Snort

Snort IDS tips for VARs a

Barnyard processing logs for Snort

Even though Barnyard had six output plugins configured, only the alert plugins were active. Barnyard was processing a snort.alert.TIMESTAMP file, so the snort.log.TIMESTAMP file was ignored. Now we tell Barnyard to process that file.

Again we test Barnyard using the -R switch. I disabled all plugins but the two for processing log data.

Barnyard is ready to process the file.

cel433:/usr/local/snort-2.6.1.4# barnyard -c barnyard.conf -v -L /tmp/so/by -g gen-msg.map -s sid-msg.map -o /tmp/so/unified/snort.log.1180727255 Barnyard Version 0.2.0 (Build 32) Processing: /tmp/so/unified/snort.log.1180727255 Number of records: 1 Exiting

Two log records are created.

cel433:/tmp/so/by# ls -al | grep log
-rw-r--r--   1 root  wheel  1598 Jun  1 16:31 log_dump.by
-rw-r--r--   1 root  wheel   380 Jun  1 16:31 
log_pcap.by.2007-06-01@16-31-04

One is ASCII text and the other is Libpcap format.

cel433:/tmp/so/by# file log*
log_dump.by:                     ASCII text
log_pcap.by.2007-06-01@16-31-04: tcpdump capture file 
(little-endian) - version 2.4 (Ethernet, capture length 1514)

Here are the contents of log_dump.by, editing to conserve space.

The other file is in Libpcap format. Here I just show the header to conserve space.

As you can see, Barnyard can replicate the features found in the native Snort output modes.

Working with unified output

Introduction
Examining unified output
Unified output readers
Barnyard processing alerts
Barnyard processing logs
Barnyard working with databases

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.

More News and Tutorials

Articles

Barnyard processing alerts for Snort

Unified output readers for Snort

Examining unified Snort output

Getting Barnyard working with Snort databases

Snort command line output modes

This was first published in July 2007

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

All fields are required. Comments will appear at the bottom of the article.

More from Related TechTarget Sites

Microscope
Cloud Provider
Security
Networking
Storage
Cloud computing
Server Virtualization
Data Backup

MicroscopeUK
- Tech firm ditches Rackspace hosting service for ‘lack of support’
  
  Cloud sales service company Price & Quote has ditched IT hosting provider Rackspace due to “lack of support and unresponsiveness”
- HotLink helps VARs address hypervisor management
  
  Latest Silicon Valley start-up touts award-winning multi-hypervisor and hybrid cloud management product as it sets up shop in Europe
- Adobe mulls over licensing changes
  
  Adobe's CEO has indicated that it is listening to customers concerns about license payment options and might make changes
Cloud Provider
- Providers find value in vendor-specific cloud certifications
  
  Vendor-specific cloud certifications let providers show their technological expertise in ways independent audits can't.
- News briefs: Red Hat OpenShift Online goes live; Lenovo pushes cloud
  
  This week, Red Hat's OpenShift Online rolls out for commercial use, Lenovo enters the cloud market and NTT deploys VMware network virtualization.
- Open source vs. proprietary cloud provider platforms
  
  The choice between an open source or proprietary cloud platform plagues cloud providers, as open source platforms mature and end-user needs evolve.
Security
- Users may remain vulnerable despite Oracle Java patch release
  
  Oracle has issued a new security patch for Java, but only 7% deployed the patch before it.
- Gary McGraw: NSA data collection programs demand discussion, scrutiny
  
  Opinion: Gary McGraw details the various and sundry NSA data collection programs and explains why all its efforts demand new discussion and scrutiny.
- Enterprise BYOD offers mixed bag for enterprise endpoint security
  
  A Gartner analyst says enterprise BYOD -- specifically iOS and Android devices -- presents many pros and cons for enterprise endpoint security.
Networking
- Marble Security's cloud-based mobile security service augments MDM
  
  Marble Security released its new cloud-based mobile security service that can work with MDM tools for protection of employee-owned mobile devices.
- New VMS feature enables big spines of Mellanox Ethernet ToR switches
  
  A new Layer 3-based Virtual Modular Switch feature on top-of-rack Ethernet switches from Mellanox enables large clusters for leaf-spine architecture.
- Can your existing tools juggle so many external services?
  
  You need to make sure you have the right tools to effectively monitor so many new externalized services. Expert Henry Svendblad shows you how.
searchStorage
- Imation upgrades Nexsan Assureon object-based storage archive
  
  Imation makes first product upgrade since acquiring Nexsan, delivering Assureon 7 for object-based storage archiving.
- Following Dell acquisitions, users find platform integration enticing
  
  Customers want to see the storage products Dell has gained through acquisitions better integrated with common management.
- Converged systems offer turnkey storage and server bundles
  
  Storage vendors are packaging their products with servers and networking gear to create ready-to-run converged systems. Could this be the end of best-of-breed deployments?
Cloud computing
- PaaS market heats up with Red Hat OpenShift, Savvis AppFog buy
  
  PaaS made headlines last week, but it's still difficult to gauge the true level of interest in Platform as a Service in the enterprise world.
- IBM, Salesforce deals usher in cloud consolidation era
  
  IBM's SoftLayer buy is getting mixed reviews from IT pros, but everyone agrees that it's an example of the consolidation phase of the cloud bubble.
- U.S. defense agencies' cloud transition yields better intelligence
  
  A cloud migration seems daunting but the effort is worthwhile; U.S. defense agencies say their cloud move led to better military intelligence.
Server Virtualization
- Moving VMs around? Avoid downtime with Hyper-V Live Storage Migration
  
  Live Storage Migration eliminates the downtime associated with moving VM files from one storage location to another and helps improve performance.
- RHEV proves to be a cost-effective alternative to vSphere
  
  Some IT departments have turned to low-cost, flexible virtualization platforms, such as Red Hat Enterprise Virtualization, to lower VMware costs.
- Guidelines for moving multiple VMs with Hyper-V Live Storage Migration
  
  Live Storage Migration makes it easy to move multiple storage files of running VMs without downtime, but there are practical limits you should know.
searchDataBackup
- Zetta improves DataProtect with WAN optimization
  
  Zetta adds WAN optimization to its DataProtect enterprise cloud backup and disaster recovery software.
- SMB data backup strategy must overcome data protection issues
  
  Jason Buffington discusses some of the major data protection issues an SMB must overcome in building their data backup strategy in this podcast.
- HP turns StoreOnce into virtual storage appliance
  
  Hewlett-Packard delivers virtual software appliance version of its StoreOnce deduplication technology and a scalable midrange tape library.

All Rights Reserved,Copyright 2006 - 2013, TechTarget