Re: Re[4]: [Snort-users] unified format

Actually, that's not true.  Snort will call the log func from inside
the alert func for any alert that has a packet. So, if the alerts you
are seeing  in the alert DB are from a plugin that doesn't pass a
pointer to the packet (like the old portscan preproc) then you won't
get the corresponding alert/packet info in your unified log.  There
are very few instances where this will happen, and any alert that is
triggered from a signature, will have a packet and thus the log func
will be called.

I wonder if this is a waldo file issue. If you originally ran barnyard
watching the unified alert file, then switched it to watching the
unifed log file that may have caused problems with barnyard.  Try
removing $SNORT_LOG/barnyard.waldo and then start barnyard with the
"-f snort.log". When you do this, run barnyard in the foreground send
a copy of the std out back here.

Bammkkkk

On 8/19/05, Roland Turner (SourceForge) <raz.fs.arg@xxxxxxxxxxxxxxxx> wrote:

> > When I use "-f snort.alert" - I get alert events in DB, but don't get
> > payload. When I use "-f snort.log" - I don't get alert events in DB.
> 
> 
> Ah, this may be the problem. If the rule action is "alert" then the data
> presented to the output plugins does not include the payload. There is no
> configuration of anything that can get around this, IIRC. You need to be
> setting the actions to "log" if you want the payload.
> 
> - Raz
> 

-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf