* Introduction

Barnyard has 3 modes of operation: one-shot, continual, and continual
with checkpointing.  In one-shot mode, barnyard will process the
specified file and exit.  In continual mode, barnyard will start with
the specified file and continue to process new data (and new spool
files) as it appears.  Continual mode with checkpointing also uses a
checkpoint file (called a waldo file in the Snort world) to track
where it is.  If the barnyard process ends while a waldo file is in
use, barnyard will resume processing at the last entry recorded in the
waldo file.

The "-f", "-w", and "-o" options are used to determine which mode
barnyard will run in.  It is legal for both the "-f" and "-w" options
to be used on the command line at the same time, however any data that
exists in the waldo file will override the command line data from the
"-d", "-f", and "-s" options.  See the command directives section
below for more detail.

Barnyard processing is controlled by two main types of directives:
input processors and output plugins.  The input processors read
information in a specific format (currently the unified format written
by Snort's spo_unified output module), and the output plugins write it
out in one of several ways.  Barnyard allows Snort to write to disk in
an efficient manner and leaves the task of parsing binary data into
various formats to a separate process, so that parsing cannot cause
Snort to miss network traffic.

* Input Processors

- Alert

The dp_alert data processor is capable of reading the alert (event)
format generated by Snort's spo_unified plug-in.  It is used with
output plug-ins that support the "alert" input type.  Alerts are the
high-level data associated with a specific event, such as source and
destination IP and port and the rule ID.

This plug-in takes no arguments.


Syntax:

    processor dp_alert

- Log

The dp_log data processor is capable of reading the log format
generated by Snort's spo_unified plug-in.  It is used with output
plug-ins that support the "log" input type.  Log information is the
raw packets that are captured with a tag option, log rule, or the data
that set off a specific event.

This plug-in takes no arguments.

Syntax:

    processor dp_log


* Output Processors

- Alert Fast

This output processor converts data from the dp_alert plugin into an
approximation of Snort's "fast alert" mode.

This plug-in takes no arguments.

Syntax:

    output alert_fast

- Log dump

The log_dump processor converts data from the dp_log plugin
into human-readable packet dumps.

Syntax:

    output log_dump



* Command line directives


By default, barnyard will run in continual mode without checkpointing.
Checkpointing can be enabled with the "-w" option.  One-shot mode is
enabled with the "-o" option.  NOTE:  When running in one-shot mode,
you MUST NOT specify the "-t" or "-w" options.

-a <archive directory>
	This option enables automated archiving of spool files after
	they have been processed.  The argument specifies the directory
	the spool files will be moved to.  Do not use this option if you
	have multiple instances of barnyard processing the same set of
	spool files.  **THIS OPTION HAS NOT YET BEEN IMPLEMENTED**

-c <conffile>
	This option specifies the configuration file to use.

-d <spool directory>
	This option specifies the directory to read spool files from.
	The default is "/var/log/snort".

-f <spool_file>
	This option specifies the base name of the spool file in continual
	mode.  If "one-shot" mode has been enabled, this is the file that
	will be processed.

-g <filename>
	Set the generator names file.  This file maps Snort
	preprocessor alert messages to specific preprocessor events.

-h or -?
	This option displays the usage data and exits.

-o
	This option enables one-shot mode.  This is a one-time pass
	through the spool file that ends when the end of the file
	has been reached.

-s <filename>
	Specify the sid map file.  The sid map correlates Snort IDs
	with the specific alert message.

-t <time_t for extension>
	The spool files created by the unified output plugin have an
	extension of the time (in seconds since epoch) when the file was
	created.  This option specifies the minimum time value for the
	first file to be processed.  The file with a time extension
	greater than or equal to this value will be the first file
	processed.  Older files will be ignored.  The default is 0.

-w <waldo file>
	This option both enables checkpointing and specifies the
	name of the checkpoint file to use.  A waldo file allows
	barnyard to keep track of the last point of file processing
	for growing log files.

-L <filepath>
	Specify the output log directory and file.

-R
	Dry run mode.  This process parses the command line and config files,
	displays the parsed configuration and exits.  This is useful for
	debugging problems.

Example Usage:

Uses the configuration files in /etc/snort (the default locations),
monitors the /var/log/snort directory, and processes the snort.alert*
files.

barnyard  -c /etc/snort/barnyard.conf \
    -d /var/log/snort -g /etc/snort/gen-msg.map \
    -s /etc/snort/sid-msg.map  -f snort.alert
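The "-t" selection rule and the processor/output directives above, as an added shell example that is not part of the barnyard distribution; the barnyard.conf, the spool files with their time_t extensions, and every path under $DEMO are constructed for the demo, and the barnyard command line is printed rather than executed.

```shell
#!/bin/sh
# Added example, not barnyard's own code: builds a minimal barnyard.conf
# from the directives documented above, constructs a fake spool directory,
# and implements the "-t" rule (the first file whose time_t extension is
# >= the given value is processed first; older files are ignored).
# Every path below is constructed for the demo and lives under $DEMO.

DEMO="${DEMO:-$(mktemp -d)}"
SPOOL="$DEMO/spool"
mkdir -p "$SPOOL" "$DEMO/etc"

# Minimal configuration: read unified alerts, write "fast alert" text.
cat > "$DEMO/etc/barnyard.conf" <<'EOF'
processor dp_alert
output alert_fast
EOF

# Constructed spool files named <base>.<time_t>, as spo_unified writes them,
# plus one stray file that must be ignored because its suffix is not numeric.
for t in 1700000000 1700003600 1700007200; do
    : > "$SPOOL/snort.alert.$t"
done
: > "$SPOOL/snort.alert.bak"

# first_spool_file BASE MIN_TIME DIR
# Prints the file barnyard would start with for "-d DIR -f BASE -t MIN_TIME":
# the smallest numeric extension >= MIN_TIME, or nothing if none qualifies.
first_spool_file() {
    base=$1; min=$2; dir=$3
    for f in "$dir/$base".*; do
        [ -e "$f" ] || continue
        ext=${f##*.}
        case $ext in ''|*[!0-9]*) continue ;; esac
        [ "$ext" -ge "$min" ] && printf '%s %s\n' "$ext" "${f##*/}"
    done | sort -n | head -n 1 | cut -d' ' -f2
}

# Continual mode with checkpointing: -w enables the waldo file.  Note that
# -t and -w must not be combined with -o (one-shot mode).
echo "barnyard -c $DEMO/etc/barnyard.conf -d $SPOOL -f snort.alert" \
     "-t 1700003600 -w $DEMO/barnyard.waldo"
echo "first file processed: $(first_spool_file snort.alert 1700003600 "$SPOOL")"
```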

* Signal Handling

Barnyard recognizes several signals.  The following identifies those signals for
which barnyard has handlers installed and the actions taken on those signals.

    SIGHUP  - reload configuration
    SIGINT  - clean exit
    SIGQUIT - clean exit
    SIGTERM - clean exit
