Home
Topics
Security Channel
Network security products, technologies, services
Unified output readers for Snort

Unified output readers for Snort

Probably the most popular unified output (or spool) readers is Barnyard. Barnyard hasn't been updated in several years, but it continues to work. The following built-in help reveals some of its capabilities.

Just as the Syngress Snort book is the definitive reference on unified output, the same books are authoritative for Barnyard. The purpose of this article is to show how the unified output can be transformed into something more analyst-friendly.

Barnyard supports a variety of output plugins. If you read my previous article, then many of these will be familiar:

alert_fast
log_dump
alert_csv
alert_syslog
alert_syslog2
log_pcap
alert_acid_db
log_acid_db
sguil

First I'll demonstrate all of these except the ACID and Sguil plugins. I create a barnyard.conf file with the following:

config hostname: cel433
config interface: dc0
config filter: 

output alert_fast: alert_fast.by
output log_dump: log_dump.by
output alert_csv: /tmp/so/by/alert_csv.by
output alert_syslog
output alert_syslog2
output log_pcap: log_pcap.by

Next I test how Barnyard will process snort.alert.TIMESTAMP in batch mode using Barnyard's -R switch.

That looks good to me.

Working with unified output

Introduction
Examining unified output
Unified output readers
Barnyard processing alerts
Barnyard processing logs
Barnyard working with databases

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.

More News and Tutorials

Articles

Barnyard processing alerts for Snort

Getting Barnyard working with Snort databases

Understanding Snort's Unified2 output

Improving Snort performance with Barnyard

Barnyard processing logs for Snort

This was first published in July 2007

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

All fields are required. Comments will appear at the bottom of the article.

More from Related TechTarget Sites

Cloud Provider
Security
Networking
Storage
Cloud computing
Server Virtualization
Data Backup
Microscope

Cloud Provider
- News briefs: Google cloud services headline I/O, Compute Engine opens
  
  In these briefs, Google I/O delivers news about Google's cloud services, including a new database service and general availability of Compute Engine.
- How can you maximize the ROI for IPv6 training?
  
  Have a well-thought-out plan for IPv6 training before you start, says IPv6 expert Ciprian Popoviciu, and follow these tips after schooling begins.
- Is it more useful to jump into IPv6 testing or master IPv6 theory?
  
  Mastering the theory behind IPv6 and the act of IPv6 testing are both important, but one is more helpful long term, says cloud expert Chip Popoviciu.
Security
- Using EMET to harden Windows XP and other legacy applications
  
  Expert Michael Cobb details how using EMET, a free tool from Microsoft, can harden Windows XP and other legacy applications.
- Beyond privacy policies: Practical privacy for websites and mobile apps
  
  Posting a privacy policy is not enough. Here's practical advice for privacy on websites and mobile apps.
- Exploit kits evolved: How to defend against the latest attack toolkits
  
  Expert Nick Lewis details how automated exploit kits are evolving and offers mitigations for the latest methods employed by these attack toolkits.
Networking
- Troubleshooting network problems with good governance and design
  
  Packet loss, oversubscription, unpatched and inconsistent switch software still plague enterprise networks. Find out how engineers are fighting back.
- Networking blogs: Overlay Transport Virtualization, SDDC practicality
  
  In this week's networking roundup, bloggers advise how to use Overlay Transport Virtualization and discuss what's needed for a mature SDDC.
- Q&A: Why WLAN test tools should evolve quickly -- but likely won't
  
  Network consultant Peter Welcher talked to SearchNetworking about the evolution of WLAN test tools as more businesses look to wireless networks.
searchStorage
- Is there any popular software that allows me to share PCIe SSD cards?
  
  Learn the different methods to share PCIe SSD cards among multiple servers to improve performance and still keep costs down.
- Can object storage systems be used with file-based apps?
  
  Learn how to use applications such as Microsoft Exchange or SQL Server with object storage systems on the back end.
- How can host-based and array-based data replication techniques be compared?
  
  Learn the benefits and drawbacks to host-based and array-based replication methods to determine which one better suits your environment.
Cloud computing
- Google Compute Engine prices on par with AWS -- for now
  
  Conventional wisdom has Google and AWS locked in the Price War of the Titans with the launch of GCE, but a deeper look reveals a different truth.
- Limiting the effects of cloud computing outages
  
  After making the case for cloud based on high availability, IT pros are upset by cloud outages. With planning, there are ways to craft a strategy.
- Amazon Redshift an appealing alternative to on-premises data warehouse
  
  Amazon Redshift has intriguing pricing and features, but beware of its differences from a traditional, on-premises data warehouse.
Server Virtualization
- How can I enable automated VM resource provisioning?
  
  As with many other facets of virtualization, VM resource allocation is becoming automated. Find out what tools you can use for automated provisioning.
- Columbia Sportswear's move from virtualization to private cloud computing
  
  Columbia Sportswear parlayed server virtualization into a private cloud. Along the way, it found that its management tools needed serious rethinking.
- Power management a must for oVirt high availability
  
  Dodge dreaded downtime by enabling power management in your oVirt 3.1 environment.
searchDataBackup
- Enterprise backup software avoids storage sales slump
  
  While storage vendors reported slow sales at start of 2013, Symantec and CommVault had success with enterprise backup software.
- Disk can help with backup tape rotation strategy
  
  Backup expert George Crump explains how to use disk to get the most out of your backup tape rotation strategy.
- How cloud archiving services compare
  
  Backup expert George Crump discusses the issues involved in picking a cloud archiving service for your organization.
MicroscopeUK
- Security is too complex
  
  Nick Booth is all ears as Sophos explains to its partners that simplicity is key in the security market
- Ofcom stresses importance of decent broadband
  
  An Ofcom report into the availability of communications has stressed the point that UK firms will miss out if broadband speeds do not improve
- Apple Stores get the thumbs up from shoppers
  
  Apple has come top of the charts with high street shoppers according to the latest Which? survey of who is doing well in the retail market

All Rights Reserved,Copyright 2006 - 2013, TechTarget