ports/107965: security/barnyard-sguil6, create new conf file

Paul Schmehl pauls at utdallas.edu
Mon Jan 15 21:40:20 UTC 2007


>Number:         107965
>Category:       ports
>Synopsis:       security/barnyard-sguil6, create new conf file
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 15 21:40:19 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Paul Schmehl
>Release:        FreeBSD 6.0-SECURITY i386
>Organization:
The University of Texas at Dallas
>Environment:
System: FreeBSD hostname.utdallas.edu 6.0-SECURITY FreeBSD 6.0-SECURITY #0: Tue Apr 18 08:56:09 UTC 2006 root at builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386


	
>Description:
	There's been some confusion among users regarding the configuration
	file when barnyard is used with sguil 0.6.0 and higher.  This patch
	creates a custom barnyard.conf for use ONLY with sguil 0.6.0.  Users
	need to be very careful about replacing the original conf file with
	this one, because it removes all options except those related to sguil.
>How-To-Repeat:
	
>Fix:

	

--- patch-barnyard.conf begins here ---
--- etc/barnyard.conf.orig	Sat May  1 11:43:29 2004
+++ etc/barnyard.conf	Mon Jan 15 15:16:57 2007
@@ -1,139 +1,22 @@
 #-------------------------------------------------------------
-#   http://www.snort.org    Barnyard 0.1.0 configuration file
+#   http://www.snort.org    Barnyard 0.2.0 configuration file
 #          Contact: snort-barnyard at lists.sourceforge.net
 #-------------------------------------------------------------
 # $Id: barnyard.conf,v 1.9 2004/05/01 16:43:29 andrewbaker Exp $
 ########################################################
-# Currently you want to do two things in here: turn on 
-# available data processors and turn on output plugins.
-# The data processors (dp's) and output plugin's (op's)
-# automatically associate with each other by type and
-# are automatically selected at run time depending on 
-# the type of file you try to load.
+# This config is to be used ONLY for barnyard-sguil6 and
+# will not work for other uses of barnyard such as base
+# because it is missing many of the configuration options
+# that are required for other uses.  The requirements for
+# barnyard use with sguil 0.6.0 and above are minimal.
 ########################################################
 
 # Step 1: configuration declarations
-# To keep from having a commandline that uses every letter in the alphabet
-# most configuration options are set here
-
-# enable daemon mode
-# config daemon
-
 # use localtime instead of UTC (*not* recommended because of timewarps)
-#config localtime
-
-# set the hostname (currently only used for the acid db output plugin)
-config hostname: snorthost
-
-# set the interface name (currently only used for the acid db output plugin)
-config interface: fxp0
-
-# set the filter (currently only used for the acid db output plugin)
-config filter: not port 22
-
-# Step 2: setup the output plugins
-
-# alert_fast
-#-----------------------------
-# Converts data from the dp_alert plugin into an approximation of Snort's 
-# "fast alert" mode.  Argument: <filename>
-
-output alert_fast
-
-# log_dump
-#-----------------------------
-# Converts data from the dp_log plugin into an approximation of Snort's 
-# "ASCII packet dump" mode.  Argument: <filename>
-
-output log_dump
-
-# alert_csv (experimental)
-#---------------------------
-# Creates a CSV output file of alerts (optionally using a user specified format)
-# Arguments:  filepath [format]
-#
-# The format is a comma-seperated list of fields to output (no spaces allowed)
-# The available fields are:
-#   sig_gen         - signature generator
-#   sig_id          - signature id
-#   sig_rev         - signatrue revision
-#   sid             - SID triplet
-#   class           - class id
-#   classname       - textual name of class
-#   priority        - priority id
-#   event_id        - event id
-#   event_reference - event reference
-#   ref_tv_sec      - reference seconds
-#   ref_tv_usec     - reference microseconds
-#   tv_sec          - event seconds
-#   tv_usec         - event microseconds
-#   timestamp       - prettified timestamp (2001-01-01 01:02:03) in UTC
-#   src             - src address as a u_int32_t
-#   srcip           - src address as a dotted quad
-#   dst             - dst address as a u_int32_t
-#   dstip           - dst address as a dotted quad
-#   sport_itype     - source port or ICMP type (or 0)
-#   sport           - source port (if UDP or TCP)
-#   itype           - ICMP type (if ICMP)
-#   dport_icode     - dest port or ICMP code (or 0)
-#   dport           - dest port
-#   icode           - ICMP code (if ICMP)
-#   proto           - protocol number
-#   protoname       - protocol name
-#   flags           - flags from UnifiedAlertRecord
-#   msg             - message text
-#   hostname        - hostname (from barnyard.conf)
-#   interface       - interface (from barnyard.conf)
-#
-# Examples:
-#   output alert_csv: /var/log/snort/csv.out
-#   output alert_csv: /var/log/snort/csv.out  timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode
-#   output alert_csv: csv.out  timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode
-
-
-# alert_syslog
-#-----------------------------
-# Converts data from the alert stream into an approximation of Snort's 
-# syslog alert output plugin.  Same arguments as the output plugin in snort.
-
-#output alert_syslog
-
-# alert_syslog2
-#-------------------------------
-# Generates a syslog alert.  This supports considerably more features than
-# the original syslog output plugin.
-# 
-# output alert_syslog2
+# config localtime
 
-# log_pcap
-#-----------------------------
-# Converts data from the dp_log plugin into standard pcap format 
-# Argument: <filename>
-
-#output log_pcap
-
-# acid_db
-#-------------------------------
-# Available as both a log and alert output plugin.  Used to output data into
-# the db schema used by ACID
-# Arguments: 
-#      $db_flavor           - what flavor of database (ie, mysql)
-#      sensor_id $sensor_id - integer sensor id to insert data as
-#      database $database   - name of the database
-#      server $server       - server the database is located on
-#      user $user           - username to connect to the database as
-#      password $password   - password for database authentication
-# output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root
-# output log_acid_db: mysql, database snort, server localhost, user root, detail full
-        
 # sguil
-#----
 # This output plug-in is used to generate output for use with the SGUIL user
 # interface.  To learn more about SGUIL, go to http://sguil.sourceforge.net
 #
-#output sguil: mysql, sensor_id 0, database sguildb, server syn, user root,\
-#    password dbpasswd, sguild_host syn, sguild_port 7736
-
-
-    
-
+output sguil
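Review bot: The new `output sguil` line at the end of the hunk takes no arguments, and the hunk removes the only example (the commented `output sguil: mysql, sensor_id 0, database sguildb, ...` line) that listed what the plug-in needs, so the comment block above it, which now ends in a bare `#`, no longer tells a reader which values the plug-in requires or where they are supplied. Presumably barnyard-sguil6 expects sensor_id, the database connection details and sguild_host/sguild_port to be passed at startup rather than read from this file; if so, replace the trailing `#` with something like `# sensor_id, database connection and sguild_host/sguild_port are not set here; supply them when barnyard is started`, adjusted to wherever they actually come from. It is also worth stating in the header comment that this file intentionally carries no database credentials, since the removed example placed a password inline in a file that is typically readable by more than the barnyard user. The `$Id: barnyard.conf,v 1.9 2004/05/01` line is kept verbatim while the header now claims a 0.2.0 configuration file; either update or drop the stale keyword so the two do not disagree.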
--- patch-barnyard.conf ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


