[Discussion] Barnyard2
John Hally
JHally at EBSCO.COM
Fri Oct 3 13:27:56 UTC 2014
Hi All,
I’m trying to get snort and/or barnyard2 to send full alerts to a remote
syslog server for analysis with thinks like splunk, etc. I think I may have
found a bug in barnyard2, but I wanted to put it out to the list to see if
anyone else is successful at this. I’m trying to send it to LOCAL3 so that
I can parse off the logs into its own file in rsylog.conf.
No matter what I try, I will only get ‘fast’ alert data in /var/log/messages
on my rsyslog server (not the local3.* entry as expected). The
"operation_mode complete” switch is supposed to set the alerts to full
logging, but it doesn’t work remote or locally.
In barnyard2 config:
output alert_syslog_full: sensor_name snortSensor, server x.x.x.x, protocol
udp, port 514, operation_mode complete, log_priority LOG_ALERT, log_facility
LOG_LOCAL3
/etc/rsylog.conf entry:
local3.*
/var/log/snortsyslog/snort.log
Output from messages after barnyard2 startup:
Oct 1 12:46:50 sensor barnyard2: Barnyard2 spooler: Event cache size set to
[2048]
Oct 1 12:46:50 sensor barnyard2: Log directory = /var/log/snort
Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting
Reconnect/Transaction Error limit to 10
Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect sleep
time to 5 second
Oct 1 12:46:50 sensor barnyard2: using operation_mode: complete
Oct 1 12:46:50 sensor barnyard2: Using default delimiters for syslog
messages "|"
Oct 1 12:46:50 sensor barnyard2: Using default field separators for syslog
messages " "
Oct 1 12:46:50 sensor barnyard2: spo_syslog_full config:
Oct 1 12:46:50 sensor barnyard2: #011Detail Level: Fast
Oct 1 12:46:50 sensor barnyard2: #011Syslog Server: x.x.x.x:514
Oct 1 12:46:50 sensor barnyard2: #011Reporting Protocol: udp
Oct 1 12:46:50 sensor barnyard2: Initializing daemon mode
Oct 1 12:46:50 sensor barnyard2: Daemon parent exiting
Oct 1 12:46:50 sensor barnyard2: Daemon initialized, signaled parent pid:
13339
Oct 1 12:46:50 sensor barnyard2: PID path stat checked out ok, PID path set
to /var/run/
Oct 1 12:46:50 sensor barnyard2: Writing PID "13340" to file
"/var/run//barnyard2_eth1.pid"
Sample syslog entry:
Oct 1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || 2014-10-01
11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE Possible login.aspx Brute Force
Account Access || web-application-attack || 6 x.x.x.x y.y.y.y || 20175 80 ||
#012 |
The output in unified2/mysql is the full payload and you can see the full
HTTP POST.
Am I missing something?
Thanks in advance,
John.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/discussion/attachments/20141003/ef8e467c/attachment.html>
More information about the Discussion
mailing list