--- etc/barnyard.conf.orig Sat May 1 11:43:29 2004 +++ etc/barnyard.conf Mon Jan 15 15:16:57 2007 @@ -1,139 +1,22 @@ #------------------------------------------------------------- -# http://www.snort.org Barnyard 0.1.0 configuration file +# http://www.snort.org Barnyard 0.2.0 configuration file # Contact: snort-barnyard@lists.sourceforge.net #------------------------------------------------------------- # $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $ ######################################################## -# Currently you want to do two things in here: turn on -# available data processors and turn on output plugins. -# The data processors (dp's) and output plugin's (op's) -# automatically associate with each other by type and -# are automatically selected at run time depending on -# the type of file you try to load. +# This config is to be used ONLY for barnyard-sguil6 and +# will not work for other uses of barnyard such as base +# because it is missing many of the configuration options +# that are required for other uses. The requirements for +# barnyard use with sguil 0.6.0 and above are minimal. ######################################################## # Step 1: configuration declarations -# To keep from having a commandline that uses every letter in the alphabet -# most configuration options are set here - -# enable daemon mode -# config daemon - # use localtime instead of UTC (*not* recommended because of timewarps) -#config localtime - -# set the hostname (currently only used for the acid db output plugin) -config hostname: snorthost - -# set the interface name (currently only used for the acid db output plugin) -config interface: fxp0 - -# set the filter (currently only used for the acid db output plugin) -config filter: not port 22 - -# Step 2: setup the output plugins - -# alert_fast -#----------------------------- -# Converts data from the dp_alert plugin into an approximation of Snort's -# "fast alert" mode. Argument: - -output alert_fast - -# log_dump -#----------------------------- -# Converts data from the dp_log plugin into an approximation of Snort's -# "ASCII packet dump" mode. Argument: - -output log_dump - -# alert_csv (experimental) -#--------------------------- -# Creates a CSV output file of alerts (optionally using a user specified format) -# Arguments: filepath [format] -# -# The format is a comma-seperated list of fields to output (no spaces allowed) -# The available fields are: -# sig_gen - signature generator -# sig_id - signature id -# sig_rev - signatrue revision -# sid - SID triplet -# class - class id -# classname - textual name of class -# priority - priority id -# event_id - event id -# event_reference - event reference -# ref_tv_sec - reference seconds -# ref_tv_usec - reference microseconds -# tv_sec - event seconds -# tv_usec - event microseconds -# timestamp - prettified timestamp (2001-01-01 01:02:03) in UTC -# src - src address as a u_int32_t -# srcip - src address as a dotted quad -# dst - dst address as a u_int32_t -# dstip - dst address as a dotted quad -# sport_itype - source port or ICMP type (or 0) -# sport - source port (if UDP or TCP) -# itype - ICMP type (if ICMP) -# dport_icode - dest port or ICMP code (or 0) -# dport - dest port -# icode - ICMP code (if ICMP) -# proto - protocol number -# protoname - protocol name -# flags - flags from UnifiedAlertRecord -# msg - message text -# hostname - hostname (from barnyard.conf) -# interface - interface (from barnyard.conf) -# -# Examples: -# output alert_csv: /var/log/snort/csv.out -# output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode -# output alert_csv: csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode - - -# alert_syslog -#----------------------------- -# Converts data from the alert stream into an approximation of Snort's -# syslog alert output plugin. Same arguments as the output plugin in snort. - -#output alert_syslog - -# alert_syslog2 -#------------------------------- -# Generates a syslog alert. This supports considerably more features than -# the original syslog output plugin. -# -# output alert_syslog2 +# config localtime -# log_pcap -#----------------------------- -# Converts data from the dp_log plugin into standard pcap format -# Argument: - -#output log_pcap - -# acid_db -#------------------------------- -# Available as both a log and alert output plugin. Used to output data into -# the db schema used by ACID -# Arguments: -# $db_flavor - what flavor of database (ie, mysql) -# sensor_id $sensor_id - integer sensor id to insert data as -# database $database - name of the database -# server $server - server the database is located on -# user $user - username to connect to the database as -# password $password - password for database authentication -# output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root -# output log_acid_db: mysql, database snort, server localhost, user root, detail full - # sguil -#---- # This output plug-in is used to generate output for use with the SGUIL user # interface. To learn more about SGUIL, go to http://sguil.sourceforge.net # -#output sguil: mysql, sensor_id 0, database sguildb, server syn, user root,\ -# password dbpasswd, sguild_host syn, sguild_port 7736 - - - - +output sguil