Snort IDS tips for VARs a

Unified output readers for Snort

Probably the most popular unified output (or spool) readers is Barnyard. Barnyard hasn't been updated in several years, but it continues to work. The following built-in help reveals some of its capabilities.

Just as the Syngress Snort book is the definitive reference on unified output, the same books are authoritative for Barnyard. The purpose of this article is to show how the unified output can be transformed into something more analyst-friendly.

Barnyard supports a variety of output plugins. If you read my previous article, then many of these will be familiar:

  • alert_fast
  • log_dump
  • alert_csv
  • alert_syslog
  • alert_syslog2
  • log_pcap
  • alert_acid_db
  • log_acid_db
  • sguil

First I'll demonstrate all of these except the ACID and Sguil plugins. I create a barnyard.conf file with the following:

config hostname: cel433
config interface: dc0
config filter: 

output alert_fast:
output log_dump:
output alert_csv: /tmp/so/by/
output alert_syslog
output alert_syslog2
output log_pcap:

Next I test how Barnyard will process snort.alert.TIMESTAMP in batch mode using Barnyard's -R switch.

That looks good to me.

Working with unified output

 Examining unified output
 Unified output readers
 Barnyard processing alerts
 Barnyard processing logs
 Barnyard working with databases

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.

This was first published in July 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: