[Discussion] Barnyard2

John Hally JHally at EBSCO.COM
Fri Oct 3 13:32:50 UTC 2014


Sorry about that.  I saw this and thought I'd start here:

https://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/125-oisf-to-support-barnyard2


I'll move on to another list.

Thanks,

John.

On 10/3/14, 9:30 AM, "Victor Julien" <lists at inliniac.net> wrote:

>On 10/03/2014 03:27 PM, John Hally wrote:
>> Hi All,
>> 
>> I'm trying to get snort and/or barnyard2 to send full alerts to a remote
>> syslog server for analysis with things like Splunk, etc.  I think I may have
>> found a bug in barnyard2, but I wanted to put it out to the list to see if
>> anyone else is successful at this.  I'm trying to send it to LOCAL3 so that
>> I can parse off the logs into its own file in rsyslog.conf.
>> 
>> No matter what I try, I will only get 'fast' alert data in /var/log/messages
>> on my rsyslog server (not the local3.* entry as expected).  The
>> "operation_mode complete" switch is supposed to set the alerts to full
>> logging, but it doesn't work remote or locally.
>> 
>> In barnyard2 config:
>> 
>> output alert_syslog_full: sensor_name snortSensor, server x.x.x.x, protocol udp, port 514, operation_mode complete, log_priority LOG_ALERT, log_facility LOG_LOCAL3
>> 
>> /etc/rsyslog.conf entry:
>> 
>> local3.*    /var/log/snortsyslog/snort.log
>> 
>> 
>> Output from messages after barnyard2 startup:
>> 
>> Oct 1 12:46:50 sensor barnyard2: Barnyard2 spooler: Event cache size set to [2048]
>> Oct 1 12:46:50 sensor barnyard2: Log directory = /var/log/snort
>> Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
>> Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
>> Oct 1 12:46:50 sensor barnyard2: using operation_mode: complete
>> Oct 1 12:46:50 sensor barnyard2: Using default delimiters for syslog messages "|"
>> Oct 1 12:46:50 sensor barnyard2: Using default field separators for syslog messages " "
>> Oct 1 12:46:50 sensor barnyard2: spo_syslog_full config:
>> Oct 1 12:46:50 sensor barnyard2: #011Detail Level: Fast
>> Oct 1 12:46:50 sensor barnyard2: #011Syslog Server: x.x.x.x:514
>> Oct 1 12:46:50 sensor barnyard2: #011Reporting Protocol: udp
>> Oct 1 12:46:50 sensor barnyard2: Initializing daemon mode
>> Oct 1 12:46:50 sensor barnyard2: Daemon parent exiting
>> Oct 1 12:46:50 sensor barnyard2: Daemon initialized, signaled parent pid: 13339
>> Oct 1 12:46:50 sensor barnyard2: PID path stat checked out ok, PID path set to /var/run/
>> Oct 1 12:46:50 sensor barnyard2: Writing PID "13340" to file "/var/run//barnyard2_eth1.pid"
>> 
>> 
>> Sample syslog entry:
>> 
>> Oct  1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || 2014-10-01 11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE Possible login.aspx Brute Force Account Access || web-application-attack || 6 x.x.x.x y.y.y.y || 20175 80 || #012 |
>> 
>> 
>> The output in unified2/mysql is the full payload and you can see the full
>> HTTP POST.
>> 
>> Am I missing something?
>
>As this list is about OISF/Suricata, I would suggest asking your
>question on the barnyard2 list, and/or on the snort users list. See:
>
>https://groups.google.com/forum/#!forum/barnyard2-users
>https://lists.sourceforge.net/lists/listinfo/snort-users
>
>-- 
>---------------------------------------------
>Victor Julien
>http://www.inliniac.net/
>PGP: http://www.inliniac.net/victorjulien.asc
>---------------------------------------------
>
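For anyone landing on this thread while wiring barnyard2's alert_syslog_full output into rsyslog or a SIEM, the following is an added example (my own code, not barnyard2's, Snort's or either poster's) that parses the pipe-delimited record format shown in the sample syslog entry above and checks whether the record actually carries a payload, which is the symptom in the thread: the startup banner says "Detail Level: Fast" and the payload field holds nothing but a newline. The sample line is constructed to match the shape of the quoted entry, with RFC 5737 documentation addresses (192.0.2.10, 198.51.100.20) standing in for the redacted x.x.x.x / y.y.y.y. The field layout is read off that sample rather than from barnyard2's source, so the bare number between the event timestamp and [gid:sid:rev] is assumed to be the rule priority. The #011 / #012 sequences are rsyslog's default escaping of received control characters as three octal digits (tab and newline here), which the parser reverses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (this example's own, not a line from the list post): it follows the
# shape of the alert_syslog_full entry quoted in the thread, with RFC 5737 documentation
# addresses standing in for the redacted x.x.x.x / y.y.y.y.
SAMPLE_LINE = (
    "Oct  1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || "
    "2014-10-01 11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE Possible login.aspx "
    "Brute Force Account Access || web-application-attack || "
    "6 192.0.2.10 198.51.100.20 || 20175 80 || #012 |"
)

# rsyslog stores received control characters as #ooo (three octal digits) by default;
# that is why the tab in barnyard2's startup banner appears as #011 and the newline
# after the (empty) payload as #012.
_RSYSLOG_ESCAPE = re.compile(r"#([0-7]{3})")

_SYSLOG_HEADER = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
_EVENT_HEADER = re.compile(r"^\[SNORTIDS\[(?P<kind>[A-Z]+)\]: \[(?P<sensor>[^\]]+)\] \]$")
# The bare number between the event timestamp and [gid:sid:rev] is assumed here to be
# the rule priority; the layout is read off the sample, not from barnyard2's source.
_EVENT_BODY = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<prio>\d+) \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*)$"
)


def unescape_rsyslog(text: str) -> str:
    """Turn rsyslog's #ooo control-character escapes back into the original characters."""
    return _RSYSLOG_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


@dataclass
class SnortSyslogAlert:
    syslog_host: str
    kind: str            # e.g. ALERT
    sensor: str          # sensor_name from the barnyard2 output line
    event_ts: str
    priority: int        # assumed meaning of the bare number after the timestamp
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    proto: int           # IP protocol number (6 = TCP)
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    payload: str         # empty when barnyard2 is logging at "Detail Level: Fast"


def parse_alert(line: str) -> SnortSyslogAlert:
    """Parse one alert_syslog_full record as relayed by rsyslog."""
    head = _SYSLOG_HEADER.match(line.rstrip("\n"))
    if not head:
        raise ValueError("not a BSD-syslog line: %r" % line)
    record = head.group("msg").strip()
    # barnyard2 frames the record with "|" and separates its fields with "||".
    if not (record.startswith("|") and record.endswith("|")):
        raise ValueError("missing barnyard2 record delimiters")
    # Split from the left at most five times so a payload that itself contains "||"
    # (an HTTP body, say) is kept intact in the last field.
    parts = record[1:-1].split("||", 5)
    if len(parts) != 6:
        raise ValueError("expected 6 fields, got %d" % len(parts))
    hdr, body, classification, addrs, ports, payload = (p.strip() for p in parts)

    h = _EVENT_HEADER.match(hdr)
    b = _EVENT_BODY.match(body)
    if not h or not b:
        raise ValueError("unexpected event header/body layout")
    proto, src, dst = addrs.split()
    port_tokens = ports.split()
    if len(port_tokens) == 2:
        sport, dport = int(port_tokens[0]), int(port_tokens[1])
    else:
        sport, dport = None, None  # no port pair present for this protocol

    return SnortSyslogAlert(
        syslog_host=head.group("host"),
        kind=h.group("kind"),
        sensor=h.group("sensor"),
        event_ts=b.group("ts"),
        priority=int(b.group("prio")),
        gid=int(b.group("gid")),
        sid=int(b.group("sid")),
        rev=int(b.group("rev")),
        msg=b.group("msg"),
        classification=classification,
        proto=int(proto),
        src=src,
        dst=dst,
        sport=sport,
        dport=dport,
        payload=unescape_rsyslog(payload).strip(),
    )


def has_full_payload(alert: SnortSyslogAlert) -> bool:
    """False when the record carries no payload, i.e. the sensor is only sending fast-style alerts."""
    return bool(alert.payload)


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_LINE)
    print(alert)
    print("payload present:", has_full_payload(alert))
```

Running this over the local3 file from the rsyslog rule in the thread gives a quick way to confirm what the barnyard2 banner already says: while has_full_payload() stays False for every record, the sensor is emitting fast-style alerts regardless of what operation_mode was set to, and the full HTTP POST seen in the unified2/MySQL output is not reaching syslog.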