LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Parsing Snort 1.9.0 logs (https://www.linuxquestions.org/questions/linux-security-4/parsing-snort-1-9-0-logs-34210/)

tarballedtux 10-30-2002 06:44 PM

Parsing Snort 1.9.0 logs
 
OK, I've tried two programs to parse my two snort log files. Cerebus and Barnyard. Cerebus gave me a nice interface but it would not save and I still could not make sense out of the logs. Barnyard just did not work. Can anyone make a suggestion on how I can weed out the false alarms and get to the dirty traffic? I'm using both unified logging processors.


--tarballedtux

unSpawn 10-30-2002 06:59 PM

I dislike Cerberus for the fact it's basically closed source. IMO it's crippleware. Barnyard I've had no probs with once I figured out what I wanted out of it. How did you (try to) use it?

#!/bin/sh
# farmer.sh: feed every Snort unified log under $pigsty through Barnyard.
# Fill in pigsty and adjust the config/map paths to match your install.
pigsty=<where the logs live>
for bacon in "$pigsty"/snort-unified*; do
    barnyard -o -d "$pigsty" -c /etc/barnyard.conf -g /etc/gen-msg.map -s /etc/sid-msg.map -f "$bacon"
done

#barnyard.conf example:
processor dp_alert
processor dp_log
processor dp_stream_stat
output alert_csv: </loc/>baked_bacon.csv timestamp,srcip,sport,dport,proto,classname,msg
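The alert_csv line above fixes the column order of the file Barnyard writes. As an added example (not unSpawn's code, and not part of Barnyard), here is a small parser for that CSV layout that tallies alerts by signature and by source and lets you set aside classnames you have already judged to be noise on your network, which is the "weed out the false alarms" step the original question asks about. The sample CSV is constructed; the addresses and signature names are illustrative, and the function names are my own.

```python
from collections import Counter

# Field order matches the alert_csv output line in the barnyard.conf above.
FIELDS = ("timestamp", "srcip", "sport", "dport", "proto", "classname", "msg")

# Constructed sample of what baked_bacon.csv could look like; addresses and
# signature names are illustrative, not captured traffic. The last line is
# deliberately truncated to show how malformed lines are handled.
SAMPLE_CSV = """\
10/30-18:01:02.123456,10.0.0.5,34567,80,TCP,web-application-activity,WEB-MISC sample access
10/30-18:01:05.000001,10.0.0.5,34568,80,TCP,web-application-activity,WEB-MISC sample access
10/30-18:02:10.500000,192.168.1.7,1234,22,TCP,attempted-recon,SCAN sample version probe
10/30-18:03:00.000000,10.0.0.9,0,0,ICMP,misc-activity,ICMP PING sample
10/30-18:04:00.000000,10.0.0.9,40000,139,TCP,attempted-admin,NETBIOS sample, with comma in msg
this line is truncated,10.0.0.1
"""


def parse_alert_csv(text):
    """Return (records, bad_lines); each record is a dict keyed by FIELDS.

    A line is split on at most len(FIELDS)-1 commas, so a comma inside the
    trailing msg field stays part of the message instead of adding columns.
    """
    records, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            bad.append(line)
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records, bad


def summarize(records, ignore_classes=frozenset()):
    """Count alerts by (classname, msg) and by source IP.

    ignore_classes holds classnames already judged to be false alarms here;
    matching alerts are counted as ignored and left out of the tallies.
    """
    by_msg, by_src, ignored = Counter(), Counter(), 0
    for r in records:
        if r["classname"] in ignore_classes:
            ignored += 1
            continue
        by_msg[(r["classname"], r["msg"])] += 1
        by_src[r["srcip"]] += 1
    return {"by_msg": by_msg, "by_src": by_src, "ignored": ignored}


def report(summary, top=10):
    """Render the summary as text, noisiest signatures and sources first."""
    lines = ["%d alert(s) skipped as known noise" % summary["ignored"], "", "Signatures:"]
    for (cls, msg), n in summary["by_msg"].most_common(top):
        lines.append("%6d  %-28s %s" % (n, cls, msg))
    lines += ["", "Sources:"]
    for src, n in summary["by_src"].most_common(top):
        lines.append("%6d  %s" % (n, src))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python parse_alerts.py baked_bacon.csv (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    recs, bad = parse_alert_csv(text)
    print(report(summarize(recs, ignore_classes={"web-application-activity"})))
    if bad:
        print("\n%d malformed line(s) skipped" % len(bad))
```

Start with an empty ignore set, look at the signature tallies, and only move a classname into the ignore set once you have checked that its alerts really are benign on your network; an ignore list built the other way round hides exactly the traffic you were looking for.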

tarballedtux 10-30-2002 07:35 PM

OK I ran your script and made the custom barnyard.conf file but I still ran into errors and a few questions. Here's the output of the script working on two log files.

-*> Barnyard! <*-
Version 0.1.0-rc3 (Build 11)
By Andrew R. Baker (andrewb@snort.org)
and Martin Roesch (roesch@sourcefire.com, www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
WARNING: absolute path in -f <filename> is overriding -d <spool_dir> setting.
WARNING: spool_dir set to "/tmp/snort/"
Barnyard Version 0.1.0-rc3 (Build 11) started
ERROR => No input plugin found for magic: 5d2a2a5b
Fatal Error, Quitting..
Exiting

-*> Barnyard! <*-
Version 0.1.0-rc3 (Build 11)
By Andrew R. Baker (andrewb@snort.org)
and Martin Roesch (roesch@sourcefire.com, www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
WARNING: absolute path in -f <filename> is overriding -d <spool_dir> setting.
WARNING: spool_dir set to "/tmp/snort/"
Barnyard Version 0.1.0-rc3 (Build 11) started
ERROR => No input plugin found for magic: 322f3031
Fatal Error, Quitting..
Exiting

In the barnyard.conf file you have a line that says: output_alert csv

What does that do? If it's a parsed file output where does it end up?

Nice script by the way.

--tarballedtux

unSpawn 10-31-2002 07:25 AM

ERROR => No input plugin found for magic: 322f3031
I found using an older version of Snort generates unified logging wrongly, the format gets updated once in a while, but you're using a current version so that's not the problem. Also logs that are too small to contain useful data may fsck up Barnyard (< 75 bytes, IIRC), and from the Snort-users list archive, there's an explanation on the used magic.
There's another way to test if the unified log contained any info and that's using logtopcap to convert it to a parsable tcpdump. Now you can read it with Ethereal, tcpdump, tcpflow, snort etc etc.
If nothing works out, fire off a message on snort-users I'd say.

In the barnyard.conf file you have a line that says: output_alert csv
What does that do? If it's a parsed file output where does it end up?

It's an output processor. RTM.

Nice script by the way.
Thanks, it's just a small part of my Snort log parsing. I try to squeeze as much out of the logs as I can.
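The "No input plugin found for magic" message can be read back into the bytes Barnyard actually found at the start of the file, which is a quicker first check than converting with logtopcap. As an added example (my own code, not unSpawn's and not from Barnyard), the script below reverses that hex value assuming Barnyard printed the first four bytes as a little-endian 32-bit integer, and it can also inspect a file on disk directly. Run on the two values from the output above, 5d2a2a5b decodes to the ASCII string "[**]" and 322f3031 to "10/2", which look like the start of Snort's plain-text alert marker and a text timestamp rather than a unified header, suggesting the files handed to barnyard -f were text logs. The unified magic constants are the values I recall from Snort 1.x's spo_unified.h and are an assumption to verify against your Snort source.

```python
# Decode the magic Barnyard prints when it refuses an input file. Barnyard
# reads the file's first four bytes as a host-order (little-endian on x86)
# 32-bit integer and prints it in hex; reversing that recovers the bytes.

# Assumption: unified-format magic values as I recall them from Snort 1.x
# spo_unified.h. Check them against your Snort source before relying on them.
UNIFIED_MAGIC = {
    0xDEAD4137: "Snort unified alert file",
    0xDEAD1080: "Snort unified log file",
}


def magic_to_bytes(magic_hex):
    """Turn the hex value from 'No input plugin found for magic: X' back
    into the first four bytes of the file (little-endian assumed)."""
    return int(magic_hex, 16).to_bytes(4, "little")


def describe_file_start(first4):
    """Say what a file most likely is, given its first four bytes."""
    value = int.from_bytes(first4, "little")
    if value in UNIFIED_MAGIC:
        return UNIFIED_MAGIC[value]
    if first4 == b"[**]":
        return "plain-text Snort alert file (starts with [**]), not unified"
    if all(32 <= b < 127 for b in first4):
        return "plain text starting with %r, not a unified file" % first4.decode("ascii")
    return "unknown binary format"


def describe_magic(magic_hex):
    """Convenience wrapper: hex string from the error message -> description."""
    return describe_file_start(magic_to_bytes(magic_hex))


def describe_path(path):
    """Check an on-disk file directly; a file shorter than four bytes has
    no header at all, which matches the too-small-log case mentioned above."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return "file shorter than 4 bytes, no header to check"
    return describe_file_start(head)


if __name__ == "__main__":
    import sys
    # Usage: python check_magic.py 5d2a2a5b 322f3031   (or no args for those two)
    for arg in sys.argv[1:] or ["5d2a2a5b", "322f3031"]:
        print(arg, "->", describe_magic(arg))
```

If the decoded bytes are printable text, the fix is on the Snort side (make sure the files passed with -f are the ones written by the unified output plugins, not alert or snort.log text files); only when the header is binary and still unrecognised is a version mismatch between Snort's unified format and Barnyard the likely cause.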

