Snort mailing list archives
barnyard alert_fast not compatible with snort -A fast?
From: "Michael Scheidell" <scheidell () fdma com>
Date: Mon, 29 Apr 2002 21:56:04 -0400
snort 1.8.6 sends a fast alert like this:
(snort -A fast -c /usr/local/etc/snort.conf)
all on one line:

04/29-21:25:50.896957 \
[**] [1:1002:2] WEB-IIS cmd.exe access [**]\
[Classification: Web Application Attack] [Priority: 1] \
{TCP} 207.18.92.26:3840 -> 10.1.1.10:80

snort-> barnyard does this:
(one line each, a different order, AND appends a ------------ after entry)

programs that parse the fast.alert file have to fail

am I missing some option in barnyard.conf?

04/29/02-21:47:47.760815 (TCP} 207.18.92.26:3934 -> 10.1.1.10:80
[**] [1:1113:1] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS297]
------------------------------------------------------------------------

lest we look at snort -A full, it's even more different, and I can't see an alert_full for barnyard.

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell () secnap net
http://www.secnap.net
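An added example, not part of the original post and not Snort or barnyard code: a parser that accepts both layouts quoted above by splitting records on the dashed separator or the next timestamp and then extracting each field independently of its position. The names parse_alerts, _parse and SAMPLE are hypothetical, and the line breaks inside the barnyard record are assumed from the post's "one line each" description.

```python
import re

# Each field is searched independently, so its position in the record is irrelevant.
TS = re.compile(r"^(\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)")  # year is optional
SIG = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
CLS = re.compile(r"\[Classification: ([^\]]+)\]")
PRI = re.compile(r"\[Priority: (\d+)\]")
# The barnyard sample in the post opens the protocol with "(" and closes it with "}".
FLOW = re.compile(r"[{(](\w+)[})] (\S+) -> (\S+)")
SEP = re.compile(r"^-{10,}$")

def _parse(text):
    ts, sig, flow = TS.search(text), SIG.search(text), FLOW.search(text)
    if not (ts and sig and flow):
        return None  # not a complete alert record; skip rather than guess
    cls, pri = CLS.search(text), PRI.search(text)
    return {
        "timestamp": ts.group(1),
        "gid": int(sig.group(1)), "sid": int(sig.group(2)), "rev": int(sig.group(3)),
        "msg": sig.group(4),
        "classification": cls.group(1) if cls else None,
        "priority": int(pri.group(1)) if pri else None,
        "proto": flow.group(1), "src": flow.group(2), "dst": flow.group(3),
    }

def parse_alerts(lines):
    """Return one dict per alert from snort -A fast or barnyard alert_fast text."""
    buf, out = [], []
    # A trailing sentinel separator flushes whatever record is still buffered.
    for line in [l.strip() for l in lines] + ["-" * 10]:
        # A record ends at a dashed separator or where the next timestamp begins.
        if SEP.match(line) or (buf and TS.match(line)):
            rec = _parse(" ".join(buf))
            if rec:
                out.append(rec)
            buf = []
        if line and not SEP.match(line):
            buf.append(line)
    return out

# Constructed input: the two alerts quoted in the post, with the author's
# backslash continuations removed from the snort -A fast record.
SAMPLE = """\
04/29-21:25:50.896957 [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 207.18.92.26:3840 -> 10.1.1.10:80
04/29/02-21:47:47.760815 (TCP} 207.18.92.26:3934 -> 10.1.1.10:80
[**] [1:1113:1] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS297]
------------------------------------------------------------------------
""".splitlines()
```

Calling parse_alerts(SAMPLE) returns two records with identical keys, so downstream tooling does not need to know which writer produced the file.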