Snort mailing list archives
Re: Snort>Unified2>Barnyard2>Syslog
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 12 Jan 2012 19:24:54 +0000
The entries for those signatures are not in the sid-msg.map file and/or you have not restarted barnyard2 since you have updated the rules.

-- Eoin

On 1/12/2012 7:11 PM, amN0P () me com wrote:
Hi everyone,

Cannot figure this out. I have barnyard2 reading unified2 Snort output. Barnyard2 is configured to dump to syslog. In the syslog files I am getting these types of Snort alerts:

Jan 12 13:43:41 argonatl snort: [1:20584:1] Snort Alert [1:20584:0] [Classification: Web Application Attack] <remaining part suppressed>

Not sure why the exact rule name is replaced by "Snort Alert". This alert has the msg missing as well. The above type of alert is getting reported along with expected/correct alerts (with the proper alert name and msg) like:

Jan 12 13:43:41 argonatl snort: [1:12391:3] POLICY Google Webmail client chat applet [Classification: Potential Corporate Privacy Violation] [Priority: 1]: <remaining part suppressed>

Not sure what I am doing wrong. Can you please point me in the right direction?

Thanks,
Amit

------------------------------------------------------------------------------
RSA(R) Conference 2012 Mar 27 - Feb 2 Save $400 by Jan. 27 Register now! http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
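The check Eoin's answer implies, written out as an added example (this is not code from the thread, from Snort or from barnyard2): parse the sid-msg.map barnyard2 is pointed at, then run the syslog output past it and report each "Snort Alert [gid:sid:rev]" line whose sid is either absent from the map (fix the map) or present in the map but still printed with the fallback msg (the map on disk is newer than the one barnyard2 loaded, so restart it). It assumes the two sid-msg.map layouts barnyard2 accepts, v1 ("sid || msg || ref...") and v2 (a "#v2" header, then "gid || sid || rev || classification || priority || msg || ref..."), and the syslog line shape shown in Amit's post. The map excerpt and syslog lines are constructed: the msg for sid 12391 is the one visible in his correct alert, its classification and reference fields are placeholders, and sid 20584 is left out on purpose to reproduce the failure.

```python
import re

# Constructed excerpt of a barnyard2 sid-msg.map in the v2 layout
# (gid || sid || rev || classification || priority || msg || refs...).
# The msg for sid 12391 is the one visible in the thread; the classification
# and reference fields are placeholders, and sid 20584 is deliberately absent.
SID_MSG_MAP = """\
#v2
1 || 12391 || 3 || policy-violation || 1 || POLICY Google Webmail client chat applet || url,mail.google.com
"""

# Constructed syslog lines modelled on the two quoted in the thread.
SYSLOG_LINES = [
    "Jan 12 13:43:41 argonatl snort: [1:20584:1] Snort Alert [1:20584:0] "
    "[Classification: Web Application Attack]",
    "Jan 12 13:43:41 argonatl snort: [1:12391:3] POLICY Google Webmail client chat applet "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1]:",
]

# "[gid:sid:rev] <msg> [Classification:" as barnyard2 writes it to syslog.
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[Classification:")
# The fallback string barnyard2 substitutes when it has no msg for the event.
FALLBACK_RE = re.compile(r"^Snort Alert \[\d+:\d+:\d+\]$")


def parse_sid_msg_map(text):
    """Return {(gid, sid): {"rev": int or None, "msg": str}}.

    Handles both layouts: v1 lines are "sid || msg || ref || ...", v2 files
    start with a "#v2" line and use "gid || sid || rev || class || prio || msg || ref...".
    gid is implicitly 1 in v1 files.
    """
    entries = {}
    v2 = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#v2"):
                v2 = True
            continue
        fields = [f.strip() for f in line.split("||")]
        if v2:
            if len(fields) < 6:
                continue
            key = (int(fields[0]), int(fields[1]))
            entries[key] = {"rev": int(fields[2]), "msg": fields[5]}
        else:
            if len(fields) < 2:
                continue
            entries[(1, int(fields[0]))] = {"rev": None, "msg": fields[1]}
    return entries


def check_alert(line, entries):
    """Classify one syslog alert line against the parsed map.

    Returns None for lines that are not alerts, otherwise a dict whose
    "status" is "ok", "missing-from-map" (add the entry / regenerate the
    map) or "mapped-but-fallback" (the map on disk has the sid but barnyard2
    is still printing the fallback, i.e. it has not been restarted).
    """
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev = (int(g) for g in m.group(1, 2, 3))
    msg = m.group(4)
    entry = entries.get((gid, sid))
    if entry is None:
        status = "missing-from-map"
    elif FALLBACK_RE.match(msg):
        status = "mapped-but-fallback"
    else:
        status = "ok"
    return {"gid": gid, "sid": sid, "rev": rev, "msg": msg, "status": status}


def audit(lines, entries):
    """Return the check_alert results for every alert line that is not 'ok'."""
    results = (check_alert(line, entries) for line in lines)
    return [r for r in results if r is not None and r["status"] != "ok"]


if __name__ == "__main__":
    sid_map = parse_sid_msg_map(SID_MSG_MAP)
    for r in audit(SYSLOG_LINES, sid_map):
        print(f"[{r['gid']}:{r['sid']}:{r['rev']}] {r['status']}: {r['msg']}")
```

Run against the constructed input it reports only [1:20584:1] as missing-from-map, which is the situation in the thread. The script only covers gid 1 events; alerts from preprocessors (gid other than 1) are resolved through gen-msg.map, which it does not parse.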
Current thread:
- Snort>Unified2>Barnyard2>Syslog amN0P (Jan 12)
- Re: Snort>Unified2>Barnyard2>Syslog Eoin Miller (Jan 12)