[Discussion] Barnyard2

Victor Julien lists at inliniac.net
Fri Oct 3 13:30:33 UTC 2014


On 10/03/2014 03:27 PM, John Hally wrote:
> Hi All,
> 
> I’m trying to get snort and/or barnyard2 to send full alerts to a remote
> syslog server for analysis with things like Splunk, etc.  I think I may have
> found a bug in barnyard2, but I wanted to put it out to the list to see if
> anyone else is successful at this.  I’m trying to send it to LOCAL3 so that
> I can parse off the logs into its own file in rsyslog.conf.
> 
> No matter what I try, I will only get ‘fast’ alert data in /var/log/messages
> on my rsyslog server (not the local3.* entry as expected).   The
> "operation_mode complete" switch is supposed to set the alerts to full
> logging, but it doesn’t work remote or locally.
> 
> In barnyard2 config:
> 
> output alert_syslog_full: sensor_name snortSensor, server x.x.x.x, protocol udp, port 514, operation_mode complete, log_priority LOG_ALERT, log_facility LOG_LOCAL3
> 
> /etc/rsyslog.conf entry:
> 
> local3.*    /var/log/snortsyslog/snort.log
> 
> 
> Output from messages after barnyard2 startup:
> 
> Oct 1 12:46:50 sensor barnyard2: Barnyard2 spooler: Event cache size set to [2048]
> Oct 1 12:46:50 sensor barnyard2: Log directory = /var/log/snort
> Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
> Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
> Oct 1 12:46:50 sensor barnyard2: using operation_mode: complete
> Oct 1 12:46:50 sensor barnyard2: Using default delimiters for syslog messages "|"
> Oct 1 12:46:50 sensor barnyard2: Using default field separators for syslog messages " "
> Oct 1 12:46:50 sensor barnyard2: spo_syslog_full config:
> Oct 1 12:46:50 sensor barnyard2: #011Detail Level: Fast
> Oct 1 12:46:50 sensor barnyard2: #011Syslog Server: x.x.x.x:514
> Oct 1 12:46:50 sensor barnyard2: #011Reporting Protocol: udp
> Oct 1 12:46:50 sensor barnyard2: Initializing daemon mode
> Oct 1 12:46:50 sensor barnyard2: Daemon parent exiting
> Oct 1 12:46:50 sensor barnyard2: Daemon initialized, signaled parent pid: 13339
> Oct 1 12:46:50 sensor barnyard2: PID path stat checked out ok, PID path set to /var/run/
> Oct 1 12:46:50 sensor barnyard2: Writing PID "13340" to file "/var/run//barnyard2_eth1.pid"
> 
> 
> Sample syslog entry:
> 
> Oct  1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || 2014-10-01 11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE Possible login.aspx Brute Force Account Access || web-application-attack || 6 x.x.x.x y.y.y.y || 20175 80 || #012 |
> 
> 
> The output in unified2/mysql is the full payload and you can see the full
> HTTP POST.
> 
> Am I missing something?

As this list is about OISF/Suricata, I would suggest asking your
question on the barnyard2 list, and/or on the snort users list. See:

https://groups.google.com/forum/#!forum/barnyard2-users
https://lists.sourceforge.net/lists/listinfo/snort-users

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
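
For the facility routing described in the question above, one check is to decode the `<PRI>` header of the datagrams as they arrive on UDP 514 and compare it with what `log_facility LOG_LOCAL3` and `log_priority LOG_ALERT` should produce. This is an added example, not part of the original thread and not barnyard2 code; the function names and both sample datagrams are constructed for illustration.

```python
import re

# Facility and severity codes as numbered in RFC 3164 / RFC 5424.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def expected_pri(facility, severity):
    """PRI value a sender should emit: facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(datagram):
    """Return (facility, severity) from a raw syslog datagram, or None when
    the <PRI> header is missing or out of range (valid values are 0..191)."""
    m = PRI_RE.match(datagram)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def matches_selector(datagram, selector="local3.*"):
    """True when a 'facility.*' selector such as the local3.* rule in the
    question would route this datagram. Only the '.*' form is handled."""
    decoded = decode_pri(datagram)
    return decoded is not None and decoded[0] == selector.split(".", 1)[0]

# Constructed datagrams modelled on the sample entry quoted in the thread.
SAMPLE_LOCAL3 = (b"<153>| [SNORTIDS[ALERT]: [sensor-eth1] ] || 2014-10-01 "
                 b"11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE example || "
                 b"web-application-attack || 6 192.0.2.10 192.0.2.20 || 20175 80 |")
SAMPLE_AUTH = b"<33>| [SNORTIDS[ALERT]: [sensor-eth1] ] || constructed |"

if __name__ == "__main__":
    print("expected PRI:", expected_pri("local3", "alert"))
    for dgram in (SAMPLE_LOCAL3, SAMPLE_AUTH, b"no header here"):
        print(decode_pri(dgram), matches_selector(dgram))
```

A datagram whose decoded facility is not `local3` will never reach the `local3.*` rule, whatever the rsyslog configuration says, which separates a sender-side problem from a routing problem on the server.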



