[Discussion] Barnyard2

John Hally JHally at EBSCO.COM
Fri Oct 3 13:27:56 UTC 2014


Hi All,

I’m trying to get snort and/or barnyard2 to send full alerts to a remote
syslog server for analysis with things like Splunk, etc.  I think I may have
found a bug in barnyard2, but I wanted to put it out to the list to see if
anyone else is successful at this.  I’m trying to send it to LOCAL3 so that
I can parse off the logs into its own file in rsyslog.conf.

No matter what I try, I will only get ‘fast’ alert data in /var/log/messages
on my rsyslog server (not the local3.* entry as expected).  The
"operation_mode complete" switch is supposed to set the alerts to full
logging, but it doesn’t work remotely or locally.

In barnyard2 config:

output alert_syslog_full: sensor_name snortSensor, server x.x.x.x, protocol udp, port 514, operation_mode complete, log_priority LOG_ALERT, log_facility LOG_LOCAL3

/etc/rsyslog.conf entry:

local3.*    /var/log/snortsyslog/snort.log


Output from messages after barnyard2 startup:

Oct 1 12:46:50 sensor barnyard2: Barnyard2 spooler: Event cache size set to [2048]
Oct 1 12:46:50 sensor barnyard2: Log directory = /var/log/snort
Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
Oct 1 12:46:50 sensor barnyard2: using operation_mode: complete
Oct 1 12:46:50 sensor barnyard2: Using default delimiters for syslog messages "|"
Oct 1 12:46:50 sensor barnyard2: Using default field separators for syslog messages " "
Oct 1 12:46:50 sensor barnyard2: spo_syslog_full config:
Oct 1 12:46:50 sensor barnyard2: #011Detail Level: Fast
Oct 1 12:46:50 sensor barnyard2: #011Syslog Server: x.x.x.x:514
Oct 1 12:46:50 sensor barnyard2: #011Reporting Protocol: udp
Oct 1 12:46:50 sensor barnyard2: Initializing daemon mode
Oct 1 12:46:50 sensor barnyard2: Daemon parent exiting
Oct 1 12:46:50 sensor barnyard2: Daemon initialized, signaled parent pid: 13339
Oct 1 12:46:50 sensor barnyard2: PID path stat checked out ok, PID path set to /var/run/
Oct 1 12:46:50 sensor barnyard2: Writing PID "13340" to file "/var/run//barnyard2_eth1.pid"


Sample syslog entry:

Oct  1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || 2014-10-01 11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE Possible login.aspx Brute Force Account Access || web-application-attack || 6 x.x.x.x y.y.y.y || 20175 80 || #012 |


The output in unified2/mysql is the full payload and you can see the full
HTTP POST.

Am I missing something?

Thanks in advance,

John.
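
Added example, not part of the original message and not barnyard2 code: a Python check that reads the startup lines and the sample alert quoted above, flags the case where the requested operation_mode and the reported Detail Level disagree, and splits the alert on the default "||" delimiter to show that nothing follows the port field. The field layout is inferred only from the one sample line in the post; the function names are hypothetical.

```python
import re

# Constructed sample: startup lines and one alert copied from the post above.
STARTUP = [
    "Oct 1 12:46:50 sensor barnyard2: using operation_mode: complete",
    "Oct 1 12:46:50 sensor barnyard2: spo_syslog_full config:",
    "Oct 1 12:46:50 sensor barnyard2: #011Detail Level: Fast",
]
ALERT = ("Oct  1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || "
         "2014-10-01 11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE Possible "
         "login.aspx Brute Force Account Access || web-application-attack || "
         "6 x.x.x.x y.y.y.y || 20175 80 || #012 |")

def unescape_ctrl(text):
    """Undo rsyslog's #ooo octal escaping of control characters (#011 = tab)."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)

def check_startup(lines):
    """Return (requested_mode, reported_detail, mismatch) from startup lines."""
    requested = reported = None
    for line in map(unescape_ctrl, lines):
        if m := re.search(r"using operation_mode:\s*(\S+)", line):
            requested = m.group(1).lower()
        elif m := re.search(r"Detail Level:\s*(\S+)", line):
            reported = m.group(1).lower()
    # Assumption (the poster's expectation): "complete" should not report "fast".
    mismatch = requested == "complete" and reported == "fast"
    return requested, reported, mismatch

def parse_alert(line):
    """Split one alert on the default '||' delimiter seen in the sample."""
    parts = [unescape_ctrl(p).strip(" |\n\t") for p in line.split("||")]
    header, event, classification, addrs, ports = parts[:5]
    sig = re.search(r"\[(\d+):(\d+):(\d+)\]\s*(.*)", event)
    proto, src, dst = addrs.split()
    sport, dport = ports.split()
    return {
        "sensor": re.search(r"\[([^\[\]]+)\]\s*\]", header).group(1),
        "gid_sid_rev": tuple(int(x) for x in sig.group(1, 2, 3)),
        "msg": sig.group(4),
        "classification": classification,
        "proto": int(proto), "src": src, "dst": dst,
        "sport": int(sport), "dport": int(dport),
        # Text left after the port field; empty for the sample (no payload).
        "extra": [p for p in parts[5:] if p],
    }

if __name__ == "__main__":
    print(check_startup(STARTUP), parse_alert(ALERT))
```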