Snort mailing list archives
Re: Problems with snort, Barnyard2 and mysql database
From: Dmitry Korzhevin <dmitry.korzhevin () stidia com>
Date: Tue, 30 Oct 2012 16:38:52 +0200
Thank you, after I add "rev:1;" to this rule and restart snort and barnyard2, it works!

29.10.2012 16:45, beenph wrote:
Greetings Dmitry,

The barnyard2 message is explicit, but here is what it means. I am assuming you created a test rule with sid:10000001; and msg:"ICMP test"; You will need to also add rev:1; to that rule in its body.

Then stop snort, stop barnyard2, delete all your unified2 files, restart snort and restart barnyard2.

Cheers,
-elz

On Mon, Oct 29, 2012 at 10:37 AM, Dmitry Korzhevin <dmitry.korzhevin () stidia com> wrote:

Hello,

I use Debian 6.0.6 and installed snort, barnyard2, and other stuff using the guide "Snort 2.9.3.1 on Debian 6.0.5" by Jason Weir from http://www.snort.org/docs

When I make a test run of snort with the command:

/usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

I get normal output:

10/29-15:27:53.814919 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {IPV6-ICMP} fe80::21c:42ff:fe6b:a311 -> fe80::ffff:1:1
10/29-15:27:54.810969 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {IPV6-ICMP} fe80::21c:42ff:fe6b:a311 -> fe80::ffff:1:1
10/29-15:27:55.810942 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {IPV6-ICMP} fe80::21c:42ff:fe6b:a311 -> fe80::ffff:1:1
10/29-15:28:02.370578 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 89.252.56.204 -> 91.250.80.33
10/29-15:28:02.370690 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 91.250.80.33 -> 89.252.56.204
10/29-15:28:03.373918 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 89.252.56.204 -> 91.250.80.33
10/29-15:28:03.374001 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 91.250.80.33 -> 89.252.56.204
10/29-15:28:04.373154 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 89.252.56.204 -> 91.250.80.33
10/29-15:28:04.373243 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 91.250.80.33 -> 89.252.56.204

When I run:

/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &

to start snort, and then start barnyard2:

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config &

I get output: http://dpaste.com/820057/

Please help

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhevin () stidia com
m: +38 093 874 5453
w: http://www.stidia.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhevin () stidia com
m: +38 093 874 5453
w: http://www.stidia.com
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
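The symptom in the thread is visible in the console alerts themselves: the bracket after `[**]` is `[gid:sid:rev]`, and `[1:10000001:0]` shows the rule firing with rev 0, which is what a rule body without `rev:` produces. The following Python script is an added example (not code from the thread, from Snort or from Barnyard2) that checks a rules file for rules lacking `sid:` or `rev:` and scans alert console output for rev-0 alerts, so the problem can be caught before Barnyard2 ever reads the unified2 files. The rule and alert lines it works on are constructed samples modelled on the ones quoted above; the function names are the example's own.

```python
import re

# Constructed sample rules (not from the thread). Line 1 is the kind of test rule
# the thread discusses (sid but no rev); line 2 is the fixed form; line 4 lacks both.
SAMPLE_RULES = """\
alert icmp any any -> any any (msg:"ICMP test"; sid:10000001;)
alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:1;)
# comment line
alert tcp any any -> any 80 (msg:"semi;colon inside msg"; nocase;)
"""

# Constructed console alert lines in the same "-A console" format as the thread's output.
SAMPLE_ALERTS = """\
10/29-15:27:53.814919 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {IPV6-ICMP} fe80::1 -> fe80::2
10/29-15:28:02.370578 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.1 -> 10.0.0.2
"""

# Matches the [gid:sid:rev] bracket and the message that follows it, up to the closing [**].
ALERT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]')


def split_options(body):
    """Split a rule option body on ';' while respecting double-quoted values.

    A naive body.split(';') would break msg:"a;b", so quotes and backslash
    escapes are tracked character by character.
    """
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def parse_rule(line):
    """Return (header, {option: value}) for one rule line, or None for blanks and comments."""
    s = line.strip()
    if not s or s.startswith('#'):
        return None
    if '(' not in s or not s.endswith(')'):
        raise ValueError('malformed rule: %s' % s)
    header = s[:s.index('(')].strip()
    body = s[s.index('(') + 1:-1]
    opts = {}
    for part in split_options(body):
        key, _, val = part.partition(':')
        opts[key.strip()] = val.strip() if val else None  # flag options map to None
    return header, opts


def check_rules(text):
    """Return (lineno, sid, problem) for every rule missing a sid or a rev option."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _, opts = parsed
        sid = opts.get('sid')
        if sid is None:
            findings.append((lineno, None, 'missing sid'))
        if opts.get('rev') is None:
            findings.append((lineno, sid, 'missing rev'))
    return findings


def parse_alert(line):
    """Extract gid, sid, rev and message from one console alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return {'gid': gid, 'sid': sid, 'rev': rev, 'msg': m.group(4)}


def alerts_with_zero_rev(text):
    """Return the sids of alerts whose rev field is 0, i.e. rules that carry no rev: option."""
    return [a['sid'] for a in map(parse_alert, text.splitlines()) if a and a['rev'] == 0]


if __name__ == '__main__':
    for lineno, sid, problem in check_rules(SAMPLE_RULES):
        print('rule line %d (sid %s): %s' % (lineno, sid, problem))
    print('alerts with rev 0 from sids:', alerts_with_zero_rev(SAMPLE_ALERTS))
```

Run it against your own rules file by reading it into `check_rules`, and against a saved copy of `snort -A console` output with `alerts_with_zero_rev`; any rule it reports is a candidate for the `rev:1;` fix described above, after which the unified2 files written under the old rule should be cleared as elz advises.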
Current thread:
- Problems with snort, Barnyard2 and mysql database Dmitry Korzhevin (Oct 29)
- Re: Problems with snort, Barnyard2 and mysql database beenph (Oct 29)
- Re: Problems with snort, Barnyard2 and mysql database Dmitry Korzhevin (Oct 30)
- Re: Problems with snort, Barnyard2 and mysql database waldo kitty (Oct 30)
- Re: Problems with snort, Barnyard2 and mysql database Dmitry Korzhevin (Oct 30)
- Re: Problems with snort, Barnyard2 and mysql database beenph (Oct 29)