Re: [Sguil-users] Can't start barnyard
From: Bamm V. <bam...@gm...> - 2005-02-24 06:12:12
Log_packets.sh starts a snort proc in binary (pcap) capture mode only. It doesn't do any type of "IDS" work. You must run a second instance of snort in IDS mode and logging to unified out. Barnyard should read that output instead (the error you're getting is from trying to parse a pcap file with barnyard).

Bammkkkk

On Wed, 23 Feb 2005 16:49:00 -0600, Paul Schmehl <pa...@ut...> wrote:
> Now that I've built the ports for barnyard, sancp, sguil-sensor and
> sguil-server, I'm trying to actually get the beast up and running. :-)
>
> Barnyard fails with a fatal error: FATAL ERROR: ERROR: No input plugin
> found for magic: a1b2c3d4. (I have another instance of barnyard feeding
> data to BASE, and it works fine, so it's not the install of barnyard that's
> causing this problem.)
>
> Looking through previous posts in snort-users, I see that this error is
> caused by not having the correct format in the output file from snort.
>
> Looking through log_packets.sh, I don't see anywhere that the output of
> snort is specified. Does snort output log_unified by default if no output
> is specified? Log_packets.sh also doesn't point to a snort.conf file. Is
> the location of the conf file assumed? Or is it not used?
>
> Paul Schmehl (pa...@ut...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
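A check a sensor operator could run before pointing barnyard at a file, added here as an example and not part of the original thread or of sguil: it reads the first four bytes and tells a pcap capture (the a1b2c3d4 magic from the error above) from Snort unified output. The unified magic values (0xDEAD4137 for alerts, 0xDEAD1080 for logs) are taken from Snort 2.x's unified output plugin and do not appear in the thread; the function name and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify a sensor output file by its 4-byte magic so that
# barnyard is only given Snort unified files, never the pcap written by
# log_packets.sh. classify_magic is a hypothetical helper name.

# classify_magic FILE -> prints pcap | unified-alert | unified-log | unknown
classify_magic() {
    # First four bytes as lowercase hex, e.g. "d4c3b2a1"
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        # pcap magic 0xa1b2c3d4, big- or little-endian writer
        a1b2c3d4|d4c3b2a1) echo pcap ;;
        # Snort unified alert magic 0xDEAD4137 (assumed from Snort 2.x source)
        dead4137|3741adde) echo unified-alert ;;
        # Snort unified log magic 0xDEAD1080 (assumed from Snort 2.x source)
        dead1080|8010adde) echo unified-log ;;
        *) echo unknown ;;
    esac
}

# Constructed sample files: only the magic bytes, written as octal escapes.
demo_dir=$(mktemp -d)
printf '\324\303\262\241' > "$demo_dir/snort.log.1109224332"        # pcap
printf '\067\101\255\336' > "$demo_dir/snort.alert.unified"         # alert
printf '\200\020\255\336' > "$demo_dir/snort.log.unified"           # log

for f in "$demo_dir"/*; do
    kind=$(classify_magic "$f")
    case "$kind" in
        unified-*) note="ok for barnyard" ;;
        pcap)      note="pcap capture, barnyard has no input plugin for it" ;;
        *)         note="not recognised" ;;
    esac
    printf '%-28s %-14s %s\n' "${f##*/}" "$kind" "$note"
done
rm -rf "$demo_dir"
```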