Rolf, that is possible since SEC can use any text file as input.
If barnyard outputs events in multiline format with your setup, you can take
advantage of multi-line match features of SEC (regexpN patterns with
--nojointbuf command line option). If you are creating output events with
barnyard's alert_syslog or syslog_full plugins, you have single-line events
and don't need to bother with multiline matching.
kind regards,
risto
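As an added example (not from Risto's reply or the SEC project), here is a rule file for the single-line case: SEC reads barnyard alert_syslog-style lines from a plain text file and reports when one source address produces five alerts within a minute. The log line format and the file path are constructed assumptions.

```sec
# Added example rule file, not part of the mailing list thread.
# Assumes barnyard's alert_syslog output has been written to a text file
# as lines of this (constructed) form:
#   Oct 25 10:01:02 sensor1 snort[4321]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1234 -> 198.51.100.5:1434
#
# Run SEC against the file (path is an assumption):
#   sec --conf=snort.sec --input=/var/log/barnyard/alerts.txt

# Count alerts per source address and report when 5 arrive within 60 seconds.
# $1 = generator:sid:rev, $2 = alert message, $3 = priority, $4 = protocol,
# $5 = source address, $6 = destination address. Ports are optional because
# ICMP alerts carry none. The desc field includes $5, so SEC keeps one
# counter per source address.
type=SingleWithThreshold
ptype=RegExp
pattern=snort\[\d+\]: \[(\d+:\d+:\d+)\] (.+?) (?:\[Classification: [^\]]+\] )?\[Priority: (\d+)\] \{(\w+)\} ([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?
desc=Snort alerts from source $5
action=write - $5 produced 5 or more snort alerts within 60 seconds (last: $1 $2, $4 to $6)
window=60
thresh=5
```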
2013/10/25 Rolf Nufable <[email protected]>
>
> HI! one question
>
> is there a way for sec to read from a text file and use its configured
> rules to correlate the data inside the text file??
>
> (I'm using snort to scan network traffic and use barnyard to parse them and
> output them to a text file)..
>
> suggestions are much appreciated :)
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users