Snort mailing list archives
Re: Base Barnyard and Unified Logs
From: "Esler, Joel CNTR/Sytex" <joel.esler () rcert-s army mil>
Date: Mon, 14 Mar 2005 17:40:14 -0500
BASE gets its info from the database. What you put in the database is up to you. BASE reads it raw out of the database.

I agree with everyone else, I think your sid-msg.map is messed up. I would point barnyard at your sid-msg.map that is updated. (I would also recommend using IDSPM to manage your rules and auto-fix your sid-msg.map.) BASE does not read raw files, it will not read your sid-msg.map.

I had a discussion with Marty recently about possibly generating the sid-msg.map on startup, or some kind of method to autogenerate it so this type of thing does not happen.

Joel Esler
BASE Project Lead

On Mon, 2005-03-14 at 17:30 -0500, Wes Young wrote:
I know... I have done that... which is why Aanval works... but Base does not.... trying to figure that part out (where base gets all its info)

Paul Schmehl wrote:
| --On Monday, March 14, 2005 04:05:36 PM -0500 Wes Young <wcyoung () buffalo edu> wrote:
|
|> I thought barnyard uses the sid-msg.map to read the sid and then inserts
|> the sig details to the DB, no? I don't specify the sid-msg.map anywhere
|> else, hence why Aanval works perfectly, but base does not.
|
| You *do* have to tell barnyard where the sid-msg.map is. Otherwise it
| will not be able to parse the sids to msgs.
|
| You do it one of two ways:
|
| In the config file:
| config sid-msg-map: /path/to/sig-msg.map
|
| On the commandline:
| barnyard -s /path/to/sid-msg.map
|
| Paul Schmehl (pauls () utdallas edu)
| Adjunct Information Security Officer
| The University of Texas at Dallas
| AVIEN Founding Member
| http://www.utdallas.edu

- --
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
-- Esler, Joel CNTR/Sytex <joel.esler () rcert-s army mil>
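The thread's diagnosis is a stale or malformed sid-msg.map: barnyard only writes signature names to the database for SIDs it can find in that file, and BASE then shows whatever landed in the database. The check below is an added example, not code from the thread or from barnyard/BASE; it parses a constructed sid-msg.map (`sid || msg || ref ...` per line), reports malformed or duplicate entries, and lists the SIDs from a constructed rules file that the map does not cover. The sample map, sample rules and all function names are assumptions for the example.

```python
"""Sanity-check a Snort sid-msg.map before pointing barnyard at it."""
import re

# Constructed sample map with the defects that leave BASE alerts unnamed.
SAMPLE_MAP = """\
# sid-msg.map (constructed sample)
1000001 || LOCAL web probe || url,example.com
1000002 || LOCAL dns tunnel
1000002 || LOCAL dns tunnel (duplicate sid)
oops || not a numeric sid
1000004 ||
"""

# Constructed sample rules; 1000003 has no entry in SAMPLE_MAP.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"LOCAL web probe"; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL dns tunnel"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"LOCAL ssh scan"; sid:1000003; rev:1;)
"""

def parse_sid_msg_map(text):
    """Return (entries, problems); entries maps sid -> (msg, [refs])."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # comments and blank lines
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[1]:
            problems.append((lineno, "missing message text"))
        elif not re.fullmatch(r"\d+", fields[0]):
            problems.append((lineno, "non-numeric sid"))
        elif int(fields[0]) in entries:
            problems.append((lineno, "duplicate sid %s" % fields[0]))
        else:
            entries[int(fields[0])] = (fields[1], fields[2:])
    return entries, problems

def sids_from_rules(rules_text):
    """Collect the sid: values declared in a Snort rules file."""
    return {int(m) for m in re.findall(r"\bsid:\s*(\d+)\s*;", rules_text)}

def missing_sids(entries, sids_in_use):
    """SIDs barnyard will log but cannot name, so BASE shows them blank."""
    return sorted(set(sids_in_use) - set(entries))

if __name__ == "__main__":
    entries, problems = parse_sid_msg_map(SAMPLE_MAP)
    for lineno, why in problems:
        print("sid-msg.map line %d: %s" % (lineno, why))
    print("unmapped sids:", missing_sids(entries, sids_from_rules(SAMPLE_RULES)))
```

Run it against the real map and rules files (read them in place of the two sample strings) before restarting barnyard with `-s`.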
Current thread:
- Base Barnyard and Unified Logs Wes Young (Mar 14)
- <Possible follow-ups>
- RE: Base Barnyard and Unified Logs Michael Scheidell (Mar 14)
- RE: Base Barnyard and Unified Logs Jim O'Leary (Mar 14)
- Re: Base Barnyard and Unified Logs Wes Young (Mar 14)
- Re: Base Barnyard and Unified Logs Wes Young (Mar 14)
- Re: Base Barnyard and Unified Logs Paul Schmehl (Mar 14)
- Re: Base Barnyard and Unified Logs Wes Young (Mar 14)
- Re: Base Barnyard and Unified Logs Esler, Joel CNTR/Sytex (Mar 14)
- Re: Base Barnyard and Unified Logs Wes Young (Mar 14)
- Re: Base Barnyard and Unified Logs Paul Schmehl (Mar 14)
- Re: Base Barnyard and Unified Logs Wes Young (Mar 14)
- RE: Base Barnyard and Unified Logs Lee Clemens (Mar 14)
- Re: Base Barnyard and Unified Logs Joel Esler (Mar 21)
- Re: Base Barnyard and Unified Logs Wes Young (Mar 14)
- Re: Base Barnyard and Unified Logs Jerry (Mar 25)
- Re: Base Barnyard and Unified Logs Dirk Geschke (Mar 26)
- Re: Base Barnyard and Unified Logs Wes Young (Mar 26)
- Re: Base Barnyard and Unified Logs Dirk Geschke (Mar 29)