Snort mailing list archives

Re: Snort>Unified2>Barnyard2>Syslog


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 12 Jan 2012 19:24:54 +0000

The entries for those signatures are not in the sid-msg.map file and/or
you have not restarted barnyard2 since you have updated the rules.

-- Eoin

On 1/12/2012 7:11 PM, amN0P () me com wrote:
Hi everyone,
 
Cannot figure this out. I have barnyard2 reading unified2 Snort output.
Barnyard2 is configured to dump syslog. In syslog files I am getting
these types of Snort alerts:
 
Jan 12 13:43:41 argonatl snort: [1:20584:1] Snort Alert [1:20584:0]
[Classification: Web Application Attack] <remaining part suppressed>
 
Not sure why the exact rule name is replaced by "Snort Alert". This
alert has the msg missing as well. The above type of alerts are getting
reported along with expected/correct alerts (with proper alert name
and msg) like:
 
Jan 12 13:43:41 argonatl snort: [1:12391:3] POLICY Google Webmail client
chat applet [Classification: Potential Corporate Privacy Violation]
[Priority: 1]:<remaining part suppressed>
 
Not sure what I am doing wrong. Can you please point me in the right
direction?
 
Thanks,
Amit
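A small checker in the spirit of Eoin's answer, added here as an example and not part of the thread: it parses a sid-msg.map and reports syslog alerts that carry the generic "Snort Alert" text and whose sid is missing from the map. The map contents and log lines below are constructed; the v1 (sid || msg || refs) and barnyard2 v2 (gid || sid || rev || class || priority || msg || refs, after a "#v2" header) layouts are assumed from the sid-msg.map format.

```python
import re

# Constructed sample sid-msg.map in the v1 layout; not a real file.
SID_MSG_MAP = """\
# comment line
12391 || POLICY Google Webmail client chat applet || url,mail.google.com
"""

# Constructed syslog lines in the shape shown in the post.
SYSLOG_LINES = [
    "Jan 12 13:43:41 argonatl snort: [1:20584:1] Snort Alert [1:20584:0] "
    "[Classification: Web Application Attack]",
    "Jan 12 13:43:41 argonatl snort: [1:12391:3] POLICY Google Webmail client "
    "chat applet [Classification: Potential Corporate Privacy Violation] [Priority: 1]",
]

# gid:sid:rev, then the message text up to the classification bracket.
ALERT_RE = re.compile(r"snort: \[(\d+):(\d+):(\d+)\] (.*?) \[Classification:")


def parse_sid_msg_map(text):
    """Return {sid: msg} from sid-msg.map text (v1, or v2 if '#v2' leads)."""
    mapping = {}
    v2 = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#v2"):
            v2 = True
            continue
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if v2 and len(fields) >= 6:
            mapping[int(fields[1])] = fields[5]   # gid || sid || rev || ... || msg
        elif not v2 and len(fields) >= 2:
            mapping[int(fields[0])] = fields[1]   # sid || msg
    return mapping


def find_unmapped_alerts(syslog_lines, sid_map):
    """Return [(gid, sid, rev)] for alerts logged with the placeholder
    'Snort Alert' message whose sid has no entry in sid_map."""
    unmapped = []
    for line in syslog_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
        if m.group(4).startswith("Snort Alert") and sid not in sid_map:
            unmapped.append((gid, sid, rev))
    return unmapped
```

Each sid it reports needs an entry in sid-msg.map (and barnyard2 must be restarted to reload the file) before the real rule name will appear in syslog.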





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

