Snort 2.1 Intrusion Detection, Second Edition
This brand-new edition of the best-selling Snort book covers all the latest features of the version 2.1 upgrade to the Snort product.
TABLE OF CONTENTS Snort 2.1 Intrusion Detection, Second Edition
Running Barnyard in Batch-Processing Mode
Of Barnyard s two operational modes, batch-processing mode is the easier to understand (and has fewer configuration options). As already mentioned, in this mode Barnyard processes all of the specified unified files and then exits. Batch processing mode is enabled by specifying the o command-line option. The general format for running Barnyard in batch-processing mode is:
barnyard o [OPTIONS]85 FILES85<a name="970"></a><a name="beginpage.BF99181F-AD2F-4F69-BAAA-180288534263"></a>
| Oink! | The command line for batch processing mode has changed significantly from Barnyard 0.1. While the old syntax still works, we recommend that readers familiarize themselves with the new (hopefully improved) syntax. |
In this format, FILES85 indicates one or more unified files, and [OPTIONS]85 are any of the general configuration options we discussed earlier. To learn more about running Barnyard in batch-processing mode, let s try some examples. Before we begin, let s see what unified files we have available and what the Barnyard configuration file looks like.
# ls /var/log/snortsnort-unified.stats.1078588579snort-unified.stats.1078673083unified.alert.1078588579unified.alert.1078673083unified.log.1078588579unified.log.1078673083# cat /etc/snort/barnyard.confoutput alert_fastoutput log_dump
Processing a Single File
As seen in the preceding code, we have a couple of each of the types of unified output files and a very simple configuration file. These unified files and configuration file will be used for all of the examples in this section. To get started using Barnyard, let s process one of the unified alert files. Since the configuration file is in the default location, we do not need to specify it on the command line.
# barnyard o /var/log/snort/unified.alert.1078588589Barnyard Version 0.2.0 (Build 32)Exiting<a name="972"></a><a name="beginpage.1EB51FD4-0E16-48DA-9278-99CBAFCC47BD"></a>
Copyright Syngress Publishing, Inc. 2004 under license agreement with Books24x7
