Old 10-30-2002, 06:44 PM   #1
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Parsing Snort 1.9.0 logs


OK, I've tried two programs to parse my two snort log files: Cerberus and Barnyard. Cerberus gave me a nice interface but it would not save and I still could not make sense out of the logs. Barnyard just did not work. Can anyone make a suggestion on how I can weed out the false alarms and get to the dirty traffic? I'm using both unified logging processors.


--tarballedtux
 
Old 10-30-2002, 06:59 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

I dislike Cerberus for the fact it's basically closed source. IMO it's crippleware. Barnyard I've had no probs with once I figured out what I wanted out of it. How did you (try to) use it?

#!/bin/sh
# farmer.sh: run Barnyard in one-shot mode over every unified log in the spool dir
pigsty=/path/to/snort/logs   # placeholder: where the unified logs live
for bacon in "$pigsty"/snort-unified*; do
    [ -f "$bacon" ] || continue
    # -o: one-shot (batch) mode, -d: spool dir, -f: file to process (basename, so -d is honoured)
    barnyard -o -d "$pigsty" -c /etc/barnyard.conf -g /etc/gen-msg.map -s /etc/sid-msg.map -f "${bacon##*/}"
done

#barnyard.conf example:
processor dp_alert
processor dp_log
processor dp_stream_stat
output alert_csv: /path/to/baked_bacon.csv timestamp,srcip,sport,dport,proto,classname,msg
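As an added example (not unSpawn's code), here is a small Python triage pass over the alert_csv output produced by the configuration above, using its exact column order: it counts hits per signature and how many distinct sources and destination ports each one touched, which is usually enough to spot the noisy rules worth tuning or suppressing. The sample rows are constructed, not real traffic.

```python
"""Triage Barnyard alert_csv output by signature (added example)."""
import csv
from collections import defaultdict
from io import StringIO

# Column order exactly as in the alert_csv output line of barnyard.conf.
FIELDS = ["timestamp", "srcip", "sport", "dport", "proto", "classname", "msg"]

# Constructed sample rows in that format (not captured traffic).
SAMPLE_CSV = """\
10/30-18:01:02.000001,10.0.0.5,3342,80,TCP,web-application-attack,WEB-IIS cmd.exe access
10/30-18:01:03.000001,10.0.0.5,3343,80,TCP,web-application-attack,WEB-IIS cmd.exe access
10/30-18:02:10.000001,192.168.1.20,137,137,UDP,misc-activity,NETBIOS name query
10/30-18:02:11.000001,192.168.1.21,137,137,UDP,misc-activity,NETBIOS name query
10/30-18:02:12.000001,192.168.1.22,137,137,UDP,misc-activity,NETBIOS name query
10/30-18:05:00.000001,172.16.3.9,4410,22,TCP,attempted-admin,SSH version map attempt
"""


def load_alerts(text):
    """Parse alert_csv rows into dicts keyed by FIELDS."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def summarize(alerts):
    """Per signature: (hit count, distinct source IPs, distinct destination ports)."""
    stats = defaultdict(lambda: {"count": 0, "srcs": set(), "dports": set()})
    for a in alerts:
        s = stats[a["msg"]]
        s["count"] += 1
        s["srcs"].add(a["srcip"])
        s["dports"].add(a["dport"])
    return {m: (v["count"], len(v["srcs"]), len(v["dports"])) for m, v in stats.items()}


def rank(summary):
    """Noisiest signatures first: the first candidates to review for false alarms."""
    return sorted(summary, key=lambda m: summary[m][0], reverse=True)


def filter_suppressed(alerts, suppressed):
    """Drop signatures already judged benign on this network; keep the rest for review."""
    return [a for a in alerts if a["msg"] not in suppressed]


if __name__ == "__main__":
    summary = summarize(load_alerts(SAMPLE_CSV))
    for msg in rank(summary):
        print("%4d hits  %2d srcs  %2d dports  %s" % (summary[msg] + (msg,)))
```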
 
Old 10-30-2002, 07:35 PM   #3
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Original Poster
OK, I ran your script and made the custom barnyard.conf file, but I still ran into errors and a few questions. Here's the output of the script working on two log files.

-*> Barnyard! <*-
Version 0.1.0-rc3 (Build 11)
By Andrew R. Baker (andrewb@snort.org)
and Martin Roesch (roesch@sourcefire.com, www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
WARNING: absolute path in -f <filename> is overriding -d <spool_dir> setting.
WARNING: spool_dir set to "/tmp/snort/"
Barnyard Version 0.1.0-rc3 (Build 11) started
ERROR => No input plugin found for magic: 5d2a2a5b
Fatal Error, Quitting..
Exiting

-*> Barnyard! <*-
Version 0.1.0-rc3 (Build 11)
By Andrew R. Baker (andrewb@snort.org)
and Martin Roesch (roesch@sourcefire.com, www.snort.org)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AlertCSV initialized
Parsing Config file: /etc/snort/barnyard.conf
WARNING: absolute path in -f <filename> is overriding -d <spool_dir> setting.
WARNING: spool_dir set to "/tmp/snort/"
Barnyard Version 0.1.0-rc3 (Build 11) started
ERROR => No input plugin found for magic: 322f3031
Fatal Error, Quitting..
Exiting

In the barnyard.conf file you have a line that says: output alert_csv

What does that do? If it's a parsed file output, where does it end up?

Nice script by the way.

--tarballedtux
 
Old 10-31-2002, 07:25 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

ERROR => No input plugin found for magic: 322f3031
I found using an older version of Snort generates unified logging wrongly, the format gets updated once in a while, but you're using a current version so that's not the problem. Also logs that are too small to contain useful data may fsck up Barnyard (< 75 bytes, IIRC), and from the Snort-users list archive, there's an explanation of the magic used.
There's another way to test if the unified log contained any info and that's using logtopcap to convert it to a parsable tcpdump. Now you can read it with Ethereal, tcpdump, tcpflow, snort etc.
If nothing works out, fire off a message on snort-users I'd say.

In the barnyard.conf file you have a line that says: output alert_csv
What does that do? If it's a parsed file output, where does it end up?

It's an output processor. RTM.

Nice script by the way.
Thanks, it's just a small part of my Snort log parsing. I try to squeeze as much out of the logs as I can.

Last edited by unSpawn; 10-31-2002 at 07:26 AM.
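As an added example (not from the thread), here is a Python check that decodes the value in Barnyard's "No input plugin found for magic" error: on a little-endian host the magic is simply the file's first four bytes, so the two values above decode to the ASCII "[**]" and "10/2", i.e. text-mode Snort output rather than unified files. The unified magic constants are assumed to be ALERT_MAGIC/LOG_MAGIC from Snort 1.x's spo_unified.h.

```python
"""Decode the value in Barnyard's "No input plugin found for magic" error (added example)."""
import struct

# Magic numbers Snort 1.x writes at the start of unified files
# (ALERT_MAGIC / LOG_MAGIC in spo_unified.h; assumed values).
UNIFIED_MAGIC = {0xDEAD4137: "unified alert file", 0xDEAD1080: "unified log file"}


def magic_of(data):
    """Barnyard reads the first 4 bytes as a host-order uint32 (little-endian on x86)."""
    if len(data) < 4:
        return None
    return struct.unpack("<I", data[:4])[0]


def explain_magic(magic):
    """Say whether a magic value is a unified header, printable text, or unknown."""
    if magic is None:
        return "file too short to carry a unified header"
    if magic in UNIFIED_MAGIC:
        return UNIFIED_MAGIC[magic]
    raw = struct.pack("<I", magic)  # the bytes as they sit on disk
    if all(0x20 <= b < 0x7F for b in raw):
        # Printable ASCII means Snort wrote text-mode alerts/logs, not unified output.
        return "text-mode output starting with %r" % raw.decode("ascii")
    return "unknown magic 0x%08x" % magic


def explain_file(path):
    """Inspect a file on disk the way Barnyard would before picking an input plugin."""
    with open(path, "rb") as fh:
        return explain_magic(magic_of(fh.read(4)))


if __name__ == "__main__":
    # The two values reported in this thread: both decode to plain text.
    for value in (0x5D2A2A5B, 0x322F3031):
        print("%08x: %s" % (value, explain_magic(value)))
```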
 