Snort mailing list archives

Re: Snort, Barnyard2 and Snorby alert classification mismatch


From: beenph <beenph () gmail com>
Date: Wed, 16 Jan 2013 08:40:28 -0500

Forgot to say that you could also update the priority manually with an
UPDATE statement.

-elz


On Wed, Jan 16, 2013 at 8:37 AM, beenph <beenph () gmail com> wrote:
> On Wed, Jan 16, 2013 at 8:14 AM, hanx hi <hanxhi () yahoo com ar> wrote:
>> Hi everyone, I have this issue, maybe someone can help.
>>
>> I'm running Snort 2.9.4 along with Barnyard2 2.1.9 and Snorby 2.5.4 as a
>> frontend. My problem is
>> that I cannot match any snort rule classification with Snorby severity.
>
> Hi Hanx Hi,
>
> First I would suggest that you update to latest barnyard2
> (www.github.com/firnsy/barnyard2)
>
>> For example, I have this rule in Snort:
>>
>> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login attempt"; flow:established,to_client; content:"530 "; depth:4; metadata:policy security-ips alert; reference:url,www.ietf.org/rfc/rfc0959.txt; sid:13360; rev:3; priority:10;)
>>
>> As you can see, at the end of a line I assign a priority of 10 to that rule;
>> when I trigger
>
> You changed the priority, for it to be set correctly you would need to delete
> the rule you have inserted in the database and re-run barnyard2.
>
> The rule would then be at the good priority (if you have changed it
> between the first insertion
> and a later insertion).
>
> Hope this helps,
>
> -elz
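The two fixes proposed in this thread, written out as an added example (not code from the thread or from the Barnyard2 project): the manual UPDATE from elz's follow-up and the delete-and-rerun from the earlier reply, against the standard Snort/Barnyard2 database schema (the signature table with sig_sid, sig_gid, sig_rev and sig_priority, and event.signature pointing at signature.sig_id). The sid 13360 and rev 3 come from the rule posted above; the gid of 1 is an assumption, since the rule sets none and Snort's default for text rules is gid 1.

```sql
-- Added example; assumes the standard Snort/Barnyard2 MySQL schema.
-- Rule from the thread: sid 13360, rev 3; gid 1 is assumed (Snort default).

-- 1. See what Barnyard2 stored when it first inserted the signature.
--    If sig_priority is still the old value, the frontend will keep
--    reading that, whatever priority: the rule file now says.
SELECT sig_id, sig_gid, sig_sid, sig_rev, sig_priority, sig_class_id, sig_name
  FROM signature
 WHERE sig_gid = 1 AND sig_sid = 13360;

-- 2. Option A: correct the stored priority in place (the UPDATE elz mentions).
--    Existing events keep their sig_id, so nothing is orphaned.
UPDATE signature
   SET sig_priority = 10
 WHERE sig_gid = 1 AND sig_sid = 13360 AND sig_rev = 3;

-- 3. Option B: delete the stale row so Barnyard2 re-inserts it with the
--    current priority on the next alert. Check first how many events still
--    reference this signature: deleting the row leaves them pointing at a
--    sig_id that no longer exists, which the frontend cannot display.
SELECT COUNT(*) AS events_referencing_row
  FROM event e
  JOIN signature s ON e.signature = s.sig_id
 WHERE s.sig_gid = 1 AND s.sig_sid = 13360 AND s.sig_rev = 3;

DELETE FROM signature
 WHERE sig_gid = 1 AND sig_sid = 13360 AND sig_rev = 3;
```

Run step 1 before and after either option to confirm the change; prefer option A on a database that already holds events for the rule, and option B only when the reference count in step 3 is zero or you accept losing those events from the frontend.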

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
