Reading Unified Logged Data
Problem
You want to process your unified output files.
Solution
Download Barnyard from http://www.snort.org/dl and then install it with the following commands:
[root@localhost root]# tar zxvf barnyard-0.2.0.tar.gz
[root@localhost barnyard-0.2.0]# cd barnyard-0.2.0
[root@localhost barnyard-0.2.0]# ./configure
[root@localhost barnyard-0.2.0]# make
[root@localhost barnyard-0.2.0]# make install
If you already have Snort configured to output unified logs, you can test Barnyard with the following:
[root@localhost root]# barnyard -o /var/log/snort/*
This creates the human-readable dump.log and fast.alert files in your current directory.
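The fast.alert file that Barnyard writes holds one alert per line in Snort's fast alert layout. As an added example, not code from the recipe or from Barnyard, the following Python parses such a file into records, skips non-alert lines, and tallies the most frequent signatures; the sample lines are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
# One event per line, as Barnyard's fast alert output writes it (same layout as Snort -A fast);
# the optional groups cover lines without a Classification field and port-less protocols (ICMP).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

@dataclass
class FastAlert:
    timestamp: str
    gid: int
    sid: int
    msg: str
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]  # None for port-less protocols such as ICMP
    dst: str
    dport: Optional[int]

def parse_fast_alert(line: str) -> Optional[FastAlert]:
    """Parse one fast.alert line; return None for blank or unrecognised lines."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    def num(v): return int(v) if v else None  # optional numeric fields
    return FastAlert(g["ts"], int(g["gid"]), int(g["sid"]), g["msg"], num(g["prio"]),
                     g["proto"].upper(), g["src"], num(g["sport"]), g["dst"], num(g["dport"]))

def parse_fast_alerts(text: str) -> List[FastAlert]:
    """Parse a whole fast.alert file, skipping anything that is not an alert line."""
    return [a for a in (parse_fast_alert(l) for l in text.splitlines()) if a]

def top_signatures(alerts: List[FastAlert], n: int = 3) -> List[Tuple[Tuple[int, int], int]]:
    """Most frequent (gid, sid) pairs: a first triage pass over a Barnyard dump."""
    return Counter((a.gid, a.sid) for a in alerts).most_common(n)

# Constructed sample output (not from the page); sids and addresses are made up.
SAMPLE_FAST_ALERT = """\
05/24-14:03:12.123456  [**] [1:1000001:1] Constructed TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:44321 -> 10.0.0.5:80
05/24-14:03:13.000001  [**] [1:1000001:1] Constructed TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:44322 -> 10.0.0.5:443
05/24-14:03:14.500000  [**] [1:1000002:3] Constructed ICMP echo [**] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5
this line is not an alert
"""
```

Running top_signatures(parse_fast_alerts(open("fast.alert").read())) against a real Barnyard dump gives the same tally over live data.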
Discussion
Barnyard processes unified and binary Snort output files. By offloading the log processing to a tool like Barnyard, Snort can concentrate on what it does best: capturing network traffic and detecting intrusions. Barnyard has several output plug-ins. Some mimic the functionality already built into Snort, such as fast alerts, ASCII packet dumps, syslog, and pcap. It also offers new plug-ins such as CSV output, advanced syslog output, ACID, and Sguil support. Barnyard also has database support, such as MySQL; however, it must be built with the appropriate configure switch, such as --enable-mysql, for that support to be compiled in. This allows Barnyard to process unified output files and log the data to a database.
If you do not have all the necessary configuration files in their default locations, you may have to run the command with more parameters, such as in the following:
[root@localhost root]# barnyard -c /root/barnyard-0.2.0/etc/barnyard.conf -o /var/log/snort/* -s /root/snort-2.2.x/etc/sid-msg.map -g /root/snort-2.2.x/etc/gen-msg.map -p /root/snort-2.2.x/etc/classification.config
See Also
Recipe 2.17
Recipe 2.11
Generating Real Time Alerts