CEF and syslog support
Sunday, July 6th, 2008
Well, it's finally been a productive weekend of coding, and the result is two new output plugins for barnyard2.
Both plugins provide syslog logging, either to the localhost using standard syslog() calls or to a remote syslog host via UDP datagrams. The difference between the two plugins is the message format: one uses the more common Snort syslog format, the other the Common Event Format (CEF) proposed by ArcSight.
Head to the project page or download here.
Examples of these messages are shown below on some test alerts, generated by large ICMP packets.
Snort Format
[1:499:4] DELETED ICMP Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]{ICMP} 192.168.10.8-192.168.10.8
[1:499:4] DELETED ICMP Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]{ICMP} 192.168.10.1-192.168.10.1
[1:480:5] ICMP PING speedera [Classification: Misc activity] [Priority: 3]{ICMP} 192.168.10.8-192.168.10.8
CEF Format
CEF:0|snort|barnyard|0.4|1:499:4|DELETED ICMP Large ICMP Packet |9|src=192.168.10.8 dst=192.168.10.8 proto=ICMP
CEF:0|snort|barnyard|0.4|1:499:4|DELETED ICMP Large ICMP Packet |9|src=192.168.10.1 dst=192.168.10.1 proto=ICMP
CEF:0|snort|barnyard|0.4|1:480:5|ICMP PING speedera|8|src=192.168.10.8 dst=192.168.10.8 proto=ICMP
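The two listings above carry the same alert data in different shapes, which matters as soon as you want one detection rule or one SIEM mapping to cover either output. The following is an added example (not code from the barnyard2 plugins) that parses both formats into a common structure and emits a CEF line with the escaping the CEF header and extension fields require (backslash and pipe in header fields; backslash, equals sign and newlines in extension values). The sample lines are copied from the listings above; the priority-to-severity mapping (priority 2 gives 9, priority 3 gives 8 in the samples, so 11 minus priority) is inferred from those samples and is an assumption, not the plugin's documented table.

```python
"""Parse barnyard2's Snort-format and CEF syslog messages into one structure,
and build CEF with proper escaping.  Added example; the severity mapping is
an assumption inferred from the sample output, not the plugin's own table."""
import re

# Constructed samples, copied from the two listings on the page.
SNORT_SAMPLE = ("[1:480:5] ICMP PING speedera [Classification: Misc activity] "
                "[Priority: 3]{ICMP} 192.168.10.8-192.168.10.8")
CEF_SAMPLE = ("CEF:0|snort|barnyard|0.4|1:480:5|ICMP PING speedera|8|"
              "src=192.168.10.8 dst=192.168.10.8 proto=ICMP")

SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\]"
    r"\{(?P<proto>[^}]+)\} (?P<src>[^\s-]+)-(?P<dst>\S+)$")


def parse_snort(line):
    """Snort-format line -> dict, or None if the line does not match."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        d[k] = int(d[k])
    return d


def priority_to_severity(pri):
    # Assumption: samples show priority 2 -> 9 and 3 -> 8; clamp to CEF's 0..10.
    return max(0, min(10, 11 - pri))


def cef_escape(value, extension=False):
    """Header fields escape '\\' and '|'; extension values escape '\\', '=' and newlines."""
    value = value.replace("\\", "\\\\")
    if extension:
        return value.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")
    return value.replace("|", "\\|")


def to_cef(alert, vendor="snort", product="barnyard", version="0.4"):
    """Build a CEF:0 line from a parsed Snort alert (vendor/product/version as in the samples)."""
    sig = "%d:%d:%d" % (alert["gid"], alert["sid"], alert["rev"])
    fields = [cef_escape(x) for x in (vendor, product, version, sig, alert["msg"])]
    fields.append(str(priority_to_severity(alert["pri"])))
    ext = " ".join("%s=%s" % (k, cef_escape(alert[k], extension=True))
                   for k in ("src", "dst", "proto"))
    return "CEF:0|" + "|".join(fields) + "|" + ext


def parse_cef(line):
    """CEF line -> dict of the 7 header fields plus an 'ext' dict of key=value pairs.
    Honours backslash escapes in the header and '\\=' / '\\n' / '\\r' in extension values."""
    if not line.startswith("CEF:"):
        return None
    fields, buf, i = [], [], 4          # skip the 'CEF:' prefix
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: take it literally
            buf.append(line[i + 1]); i += 2
        elif ch == "|":                        # unescaped pipe ends a header field
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) != 7:
        return None                            # truncated or malformed header
    version, vendor, product, dev_version, sig, name, severity = fields
    ext_text = line[i:]
    # Keys are bare words directly followed by '='; a value runs until the next key.
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext_text))
    ext = {}
    for n, km in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_text)
        raw = ext_text[km.end():end]
        ext[km.group(1)] = re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(
            m.group(1), m.group(1)), raw).strip()
    return {"version": int(version), "vendor": vendor, "product": product,
            "dev_version": dev_version, "sig": sig, "name": name,
            "severity": int(severity), "ext": ext}


def normalize(line):
    """Either format -> (gid, sid, rev, msg, src, dst, proto, severity), or None."""
    a = parse_snort(line)
    if a:
        return (a["gid"], a["sid"], a["rev"], a["msg"], a["src"], a["dst"],
                a["proto"], priority_to_severity(a["pri"]))
    c = parse_cef(line)
    if c:
        gid, sid, rev = (int(x) for x in c["sig"].split(":"))
        # strip(): the sample CEF lines carry a trailing space after the signature name
        return (gid, sid, rev, c["name"].strip(), c["ext"].get("src"),
                c["ext"].get("dst"), c["ext"].get("proto"), c["severity"])
    return None


if __name__ == "__main__":
    print(normalize(SNORT_SAMPLE))
    print(normalize(CEF_SAMPLE))
    print(to_cef(parse_snort(SNORT_SAMPLE)))
```

Two points worth keeping in mind when consuming these messages: a naive `line.split("|")` on CEF breaks the moment a rule name contains a pipe or backslash, which is why the header parser above walks the string and honours escapes, and the signature-name field in the sample CEF output carries a trailing space, so compare names after stripping whitespace rather than byte for byte.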