Snort mailing list archives

barnyard alert_fast not compatible with snort -A fast?


From: "Michael Scheidell" <scheidell () fdma com>
Date: Mon, 29 Apr 2002 21:56:04 -0400

snort 1.8.6 sends a fast alert like this:  (snort -A fast -c
/usr/local/etc/snort.conf)

all on one line:
04/29-21:25:50.896957  \
[**] [1:1002:2] WEB-IIS cmd.exe access [**]\
[Classification: Web Application Attack] [Priority: 1] \
{TCP} 207.18.92.26:3840 -> 10.1.1.10:80
snort-> barnyard does this:
(one line each, a different order, AND appends a ------------ after entry)
programs that parse the fast.alert file have to fail
am I missing some option in barnyard.conf?

04/29/02-21:47:47.760815  (TCP} 207.18.92.26:3934 -> 10.1.1.10:80
[**] [1:1113:1] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS297]
------------------------------------------------------------------------


lest we look at snort -A full, it's even more different, and I can't see an
alert_full for barnyard.

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell () secnap net
http://www.secnap.net


