path: root/security/barnyard-sguil/files/patch-barnyard.conf
--- etc/barnyard.conf.orig	Sat May  1 11:43:29 2004
+++ etc/barnyard.conf	Mon Jan 15 15:16:57 2007
@@ -1,139 +1,22 @@
 #-------------------------------------------------------------
-#   http://www.snort.org    Barnyard 0.1.0 configuration file
+#   http://www.snort.org    Barnyard 0.2.0 configuration file
 #          Contact: snort-barnyard@lists.sourceforge.net
 #-------------------------------------------------------------
 # $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $
 ########################################################
-# Currently you want to do two things in here: turn on 
-# available data processors and turn on output plugins.
-# The data processors (dp's) and output plugin's (op's)
-# automatically associate with each other by type and
-# are automatically selected at run time depending on 
-# the type of file you try to load.
+# This config is to be used ONLY for barnyard-sguil6 and
+# will not work for other uses of barnyard such as base
+# because it is missing many of the configuration options
+# that are required for other uses.  The requirements for
+# barnyard use with sguil 0.6.0 and above are minimal.
 ########################################################
 
 # Step 1: configuration declarations
-# To keep from having a commandline that uses every letter in the alphabet
-# most configuration options are set here
-
-# enable daemon mode
-# config daemon
-
 # use localtime instead of UTC (*not* recommended because of timewarps)
-#config localtime
-
-# set the hostname (currently only used for the acid db output plugin)
-config hostname: snorthost
-
-# set the interface name (currently only used for the acid db output plugin)
-config interface: fxp0
-
-# set the filter (currently only used for the acid db output plugin)
-config filter: not port 22
-
-# Step 2: setup the output plugins
-
-# alert_fast
-#-----------------------------
-# Converts data from the dp_alert plugin into an approximation of Snort's 
-# "fast alert" mode.  Argument: <filename>
-
-output alert_fast
-
-# log_dump
-#-----------------------------
-# Converts data from the dp_log plugin into an approximation of Snort's 
-# "ASCII packet dump" mode.  Argument: <filename>
-
-output log_dump
-
-# alert_csv (experimental)
-#---------------------------
-# Creates a CSV output file of alerts (optionally using a user specified format)
-# Arguments:  filepath [format]
-#
-# The format is a comma-seperated list of fields to output (no spaces allowed)
-# The available fields are:
-#   sig_gen         - signature generator
-#   sig_id          - signature id
-#   sig_rev         - signatrue revision
-#   sid             - SID triplet
-#   class           - class id
-#   classname       - textual name of class
-#   priority        - priority id
-#   event_id        - event id
-#   event_reference - event reference
-#   ref_tv_sec      - reference seconds
-#   ref_tv_usec     - reference microseconds
-#   tv_sec          - event seconds
-#   tv_usec         - event microseconds
-#   timestamp       - prettified timestamp (2001-01-01 01:02:03) in UTC
-#   src             - src address as a u_int32_t
-#   srcip           - src address as a dotted quad
-#   dst             - dst address as a u_int32_t
-#   dstip           - dst address as a dotted quad
-#   sport_itype     - source port or ICMP type (or 0)
-#   sport           - source port (if UDP or TCP)
-#   itype           - ICMP type (if ICMP)
-#   dport_icode     - dest port or ICMP code (or 0)
-#   dport           - dest port
-#   icode           - ICMP code (if ICMP)
-#   proto           - protocol number
-#   protoname       - protocol name
-#   flags           - flags from UnifiedAlertRecord
-#   msg             - message text
-#   hostname        - hostname (from barnyard.conf)
-#   interface       - interface (from barnyard.conf)
-#
-# Examples:
-#   output alert_csv: /var/log/snort/csv.out
-#   output alert_csv: /var/log/snort/csv.out  timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode
-#   output alert_csv: csv.out  timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode
-
-
-# alert_syslog
-#-----------------------------
-# Converts data from the alert stream into an approximation of Snort's 
-# syslog alert output plugin.  Same arguments as the output plugin in snort.
-
-#output alert_syslog
-
-# alert_syslog2
-#-------------------------------
-# Generates a syslog alert.  This supports considerably more features than
-# the original syslog output plugin.
-# 
-# output alert_syslog2
+# config localtime
 
-# log_pcap
-#-----------------------------
-# Converts data from the dp_log plugin into standard pcap format 
-# Argument: <filename>
-
-#output log_pcap
-
-# acid_db
-#-------------------------------
-# Available as both a log and alert output plugin.  Used to output data into
-# the db schema used by ACID
-# Arguments: 
-#      $db_flavor           - what flavor of database (ie, mysql)
-#      sensor_id $sensor_id - integer sensor id to insert data as
-#      database $database   - name of the database
-#      server $server       - server the database is located on
-#      user $user           - username to connect to the database as
-#      password $password   - password for database authentication
-# output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root
-# output log_acid_db: mysql, database snort, server localhost, user root, detail full
-        
 # sguil
-#----
 # This output plug-in is used to generate output for use with the SGUIL user
 # interface.  To learn more about SGUIL, go to http://sguil.sourceforge.net
 #
-#output sguil: mysql, sensor_id 0, database sguildb, server syn, user root,\
-#    password dbpasswd, sguild_host syn, sguild_port 7736
-
-
-    
-
+output sguil
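Review bot: The bare `output sguil` line at the end of the hunk carries no arguments, yet the removed example on the old side (`sguild_host`, `sguild_port`, `sensor_id`, plus the `config hostname` / `config interface` declarations dropped earlier in the hunk) shows the plugin being told where sguild lives and which sensor it reports as; nothing in the new file says where those values now come from. If the port's rc script or the command line supplies them, a comment above the line should say so, e.g. `# sguild host/port, sensor hostname and interface are supplied on the barnyard command line (see the port's rc script)`; otherwise the plugin's built-in defaults apply silently, which is hard to diagnose when the sensor fails to register. One thing the rewrite does get right is that no `password ...` value survives in the file, so the config no longer embeds a database credential — worth stating in the header comment so a later edit does not reintroduce it. The `$Id` line with its 2004 revision stamp is kept while the banner is bumped to 0.2.0; consider dropping or updating it to avoid a misleading version marker.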