Next I run Barnyard, replacing the -R switch with the -v switch to enable verbose operation.
cel433:/usr/local/snort-2.6.1.4# barnyard -c barnyard.conf -v -L /tmp/so/by -g gen-msg.map -s sid-msg.map -o /tmp/so/unified/snort.alert.1180727255
Barnyard Version 0.2.0 (Build 32)
Parsing alert_syslog2 arguments: (null)
Processing: /tmp/so/unified/snort.alert.1180727255
Number of records: 1
Exiting
We now have two new files in the /tmp/so/by directory.
cel433:/tmp/so/by# ls -al
total 8
drwxr-xr-x 2 root wheel 512 Jun 1 16:14 .
drwxr-xr-x 12 root wheel 512 Jun 1 16:09 ..
-rw-r--r-- 1 root wheel 68 Jun 1 16:14 alert_csv.by
-rw-r--r-- 1 root wheel 260 Jun 1 16:14 alert_fast.by
The first has CSV output, and the second has FAST output.
A check of /var/log/auth.log shows a Syslog record generated by the alert_syslog directive.
Syslog2 is recommended if you wish to enable Syslog reporting. Where is the alert from Syslog2? It turns out
Syslog2 requires enabling some options like the following.
Second, the Syslog daemon must be configured to accept Syslog messages from machines other than localhost. This
may sound odd, but Syslog2 doesn't use the native Syslog mechanism on the host. Therefore, if you are running syslogd
with the -s switch (for example, the default on FreeBSD), you need to restart syslogd without the -s switch. Rather
than accepting datagrams from any host, restrict the daemon to the source Barnyard sends from; on FreeBSD the -a
switch does this (for example, -a 127.0.0.1 when Barnyard and syslogd run on the same sensor).
Running Barnyard again will produce an alert now.
Notice this alert in /var/log/messages has a different timestamp:
Here the timestamp is the timestamp of the packet in UTC format, not the time at which the alert was processed by
Barnyard.
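To make the two points above concrete (Syslog2 hands its own UDP syslog datagrams to a daemon instead of calling the host's native syslog routine, and it stamps each message with the packet's time in UTC rather than the processing time), here is a small Python model. This is an added example, not Barnyard's code or anything from the article; the event fields, the "sensor" host name, the local4/alert facility and severity choice and the message layout are constructed for illustration, and the packet epoch simply reuses the number from the unified file name above.

```python
"""Toy model of a Syslog2-style output stage (added example; not Barnyard code).

Two things the article points out about Barnyard's alert_syslog2 output:
  1. it does not call the host's native syslog routine but builds a syslog
     datagram itself and sends it over UDP, so the receiving syslogd must be
     willing to accept messages that arrive over the network;
  2. the timestamp in the message is the packet's own time (UTC), not the
     time Barnyard processed the alert.
"""
import datetime
import re
import socket
import time

# Constructed sample event (hypothetical values, not from the article); the
# epoch value is borrowed from the unified file name snort.alert.1180727255.
SAMPLE_EVENT = {
    "gid": 1, "sid": 2000, "rev": 1,
    "msg": "TEST ALERT",
    "proto": "TCP",
    "src": "10.0.0.5", "sport": 4455,
    "dst": "10.0.0.9", "dport": 80,
    "pkt_ts": 1180727255,   # packet timestamp, seconds since the epoch (UTC)
}

# RFC 3164 facility and severity codes. Which ones Barnyard really uses is
# decided in barnyard.conf, so these two are an assumption of the example.
FACILITY_LOCAL4 = 20
SEVERITY_ALERT = 1

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def rfc3164_timestamp(epoch):
    """Render epoch seconds as the RFC 3164 'Mmm dd hh:mm:ss' field in UTC.
    A single-digit day is space padded, as syslog expects."""
    t = datetime.datetime.fromtimestamp(epoch, tz=datetime.timezone.utc)
    return "%s %2d %02d:%02d:%02d" % (MONTHS[t.month - 1], t.day,
                                       t.hour, t.minute, t.second)


def format_syslog2(event, host="sensor",
                   facility=FACILITY_LOCAL4, severity=SEVERITY_ALERT):
    """Build the datagram <PRI>TIMESTAMP HOST MESSAGE from the event,
    using the packet time rather than the current clock."""
    pri = facility * 8 + severity
    body = "snort: [%d:%d:%d] %s {%s} %s:%d -> %s:%d" % (
        event["gid"], event["sid"], event["rev"], event["msg"], event["proto"],
        event["src"], event["sport"], event["dst"], event["dport"])
    return "<%d>%s %s %s" % (pri, rfc3164_timestamp(event["pkt_ts"]), host, body)


SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(datagram):
    """What a receiving syslogd (or a log collector) recovers from the datagram."""
    m = SYSLOG_RE.match(datagram)
    if m is None:
        raise ValueError("not an RFC 3164 style datagram: %r" % datagram)
    pri = int(m.group(1))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def send_over_loopback(datagram):
    """Deliver the datagram over UDP to a listener on 127.0.0.1 that stands in
    for a syslogd accepting network input. Port 0 lets the OS pick an
    unprivileged port, so this needs no root and never touches the real syslogd."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2.0)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(datagram.encode("ascii"), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return data.decode("ascii")


if __name__ == "__main__":
    msg = format_syslog2(SAMPLE_EVENT)
    print("sent:     ", msg)
    received = parse_syslog(send_over_loopback(msg))
    print("received: ", received)
    # The packet time carried in the message is not the time of processing.
    print("packet time (UTC):", received["timestamp"],
          "| processed at (UTC):", rfc3164_timestamp(time.time()))
```

Run it as a script to see one datagram round-trip over loopback. The parse step is the work the receiving syslogd does before writing the line to /var/log/messages, and because the timestamp field arrives inside the datagram, the entry carries the packet time in UTC; a daemon started in secure mode (FreeBSD syslogd -s) would simply never read that datagram, which is the failure the article describes.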
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.