[Discussion] Barnyard2
Victor Julien
lists at inliniac.net
Fri Oct 3 14:00:00 UTC 2014
On 10/03/2014 03:32 PM, John Hally wrote:
> Sorry about that. I saw this and thought I'd start here:
>
> https://www.openinfosecfoundation.org/index.php/component/content/article/1
> -latest-news/125-oisf-to-support-barnyard2
Ah ya, OISF supported some specific features in by2 at the time. It
remained its own project though :)
Cheers,
Victor
>
>
> I'll move on to another list.
>
> Thanks,
>
> John.
>
> On 10/3/14, 9:30 AM, "Victor Julien" <lists at inliniac.net> wrote:
>
>> On 10/03/2014 03:27 PM, John Hally wrote:
>>> Hi All,
>>>
>>> I'm trying to get snort and/or barnyard2 to send full alerts to a remote
>>> syslog server for analysis with things like splunk, etc. I think I may have
>>> found a bug in barnyard2, but I wanted to put it out to the list to see if
>>> anyone else is successful at this. I'm trying to send it to LOCAL3 so that
>>> I can parse off the logs into its own file in rsyslog.conf.
>>>
>>> No matter what I try, I will only get 'fast' alert data in /var/log/messages
>>> on my rsyslog server (not the local3.* entry as expected). The
>>> "operation_mode complete" switch is supposed to set the alerts to full
>>> logging, but it doesn't work remote or locally.
>>>
>>> In barnyard2 config:
>>>
>>> output alert_syslog_full: sensor_name snortSensor, server x.x.x.x, protocol udp, port 514, operation_mode complete, log_priority LOG_ALERT, log_facility LOG_LOCAL3
>>>
>>> /etc/rsyslog.conf entry:
>>>
>>> local3.*    /var/log/snortsyslog/snort.log
>>>
>>>
>>> Output from messages after barnyard2 startup:
>>>
>>> Oct 1 12:46:50 sensor barnyard2: Barnyard2 spooler: Event cache size set to [2048]
>>> Oct 1 12:46:50 sensor barnyard2: Log directory = /var/log/snort
>>> Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
>>> Oct 1 12:46:50 sensor barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
>>> Oct 1 12:46:50 sensor barnyard2: using operation_mode: complete
>>> Oct 1 12:46:50 sensor barnyard2: Using default delimiters for syslog messages "|"
>>> Oct 1 12:46:50 sensor barnyard2: Using default field separators for syslog messages " "
>>> Oct 1 12:46:50 sensor barnyard2: spo_syslog_full config:
>>> Oct 1 12:46:50 sensor barnyard2: #011Detail Level: Fast
>>> Oct 1 12:46:50 sensor barnyard2: #011Syslog Server: x.x.x.x:514
>>> Oct 1 12:46:50 sensor barnyard2: #011Reporting Protocol: udp
>>> Oct 1 12:46:50 sensor barnyard2: Initializing daemon mode
>>> Oct 1 12:46:50 sensor barnyard2: Daemon parent exiting
>>> Oct 1 12:46:50 sensor barnyard2: Daemon initialized, signaled parent pid: 13339
>>> Oct 1 12:46:50 sensor barnyard2: PID path stat checked out ok, PID path set to /var/run/
>>> Oct 1 12:46:50 sensor barnyard2: Writing PID "13340" to file "/var/run//barnyard2_eth1.pid"
>>>
>>>
>>> Sample syslog entry:
>>>
>>> Oct 1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || 2014-10-01 11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE Possible login.aspx Brute Force Account Access || web-application-attack || 6 x.x.x.x y.y.y.y || 20175 80 || #012 |
>>>
>>>
>>> The output in unified2/mysql is the full payload and you can see the full
>>> HTTP POST.
>>>
>>> Am I missing something?
>>
>> As this list is about OISF/Suricata, I would suggest asking your
>> question on the barnyard2 list, and/or on the snort users list. See:
>>
>> https://groups.google.com/forum/#!forum/barnyard2-users
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
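Added example, not code from the thread or from the barnyard2 project: a small parser for the 'fast' records that alert_syslog_full emits (field layout taken from the sample entry quoted above), plus a check that reads back the "Detail Level" barnyard2 prints at startup, which is where the mismatch between "operation_mode complete" and what was actually sent shows up. The sample lines are the ones quoted in the thread, rejoined onto single lines.

```python
# Added example (not barnyard2 project code): parse the 'fast' records that
# barnyard2's alert_syslog_full output sends over syslog, and read back the
# 'Detail Level' it reports at startup. Layout follows the thread's sample.
import re

# Constructed sample: the alert line quoted in the thread, rejoined; '#012'
# is rsyslog's escaped newline.
SAMPLE_ALERT = (
    "Oct 1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || 2014-10-01 "
    "11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE Possible login.aspx Brute "
    "Force Account Access || web-application-attack || 6 x.x.x.x y.y.y.y || "
    "20175 80 || #012 |"
)

# Constructed sample: the startup lines from the thread that matter here.
SAMPLE_STARTUP = [
    "Oct 1 12:46:50 sensor barnyard2: using operation_mode: complete",
    "Oct 1 12:46:50 sensor barnyard2: spo_syslog_full config:",
    "Oct 1 12:46:50 sensor barnyard2: #011Detail Level: Fast",
    "Oct 1 12:46:50 sensor barnyard2: #011Syslog Server: x.x.x.x:514",
]
_SENSOR = re.compile(r"\[SNORTIDS\[ALERT\]: \[([^\]]+)\]")
_SIG = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(.*)$")

def parse_fast_alert(line):
    """Split one record on its '||' delimiter and return the alert fields."""
    body = line.split(" | ", 1)[1]                  # drop the syslog prefix
    fields = [f.strip() for f in body.split("||")]
    if len(fields) < 5:
        raise ValueError("not an alert_syslog_full record")
    date, time, rest = fields[1].split(" ", 2)      # timestamp, then sig
    sig = _SIG.search(rest)
    proto, src, dst = fields[3].split()             # IP proto number, IPs
    sport, dport = fields[4].split()
    return {
        "sensor": _SENSOR.search(fields[0]).group(1),
        "timestamp": f"{date} {time}",
        "gid": int(sig[1]), "sid": int(sig[2]), "rev": int(sig[3]),
        "msg": sig[4],
        "classification": fields[2],
        "proto": int(proto), "src": src, "dst": dst,
        "sport": int(sport), "dport": int(dport),   # no payload in 'fast'
    }

def detail_level(startup_lines):
    """Return the 'Detail Level' barnyard2 logged at startup, or None."""
    for ln in startup_lines:
        m = re.search(r"Detail Level:\s*(\w+)", ln)
        if m: return m.group(1)
    return None
```

Running detail_level over the startup lines returns "Fast", so a deployment expecting full alerts can be caught at startup rather than after the first alert arrives without its payload.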