Snort mailing list archives

barnyard ignores msg text on custom rules?


From: "Michael Scheidell" <scheidell () secnap net>
Date: Sat, 27 Apr 2002 14:36:56 -0400

I think that barnyard ignores the msg text on custom/experimental rules, i.e. those rules
without a sid.

I set up snort->barnyard with mysql, csv, pcap and fast alert logging.

Here is the rule:
alert tcp any 110 -> any any \
(msg: "EXPERIMENTAL Klex.E worm attempt"; flags:A+; content:"Worm Klez.E
immuni$
content:"Content-Type\: multipart"; nocase;classtype:misc-activity;)

The fast alert shows:
------------------------------------------------------------------------
04/27/02-18:10:11.720351  {TCP} 10.1.1.10:110 -> 10.1.1.41:2800
[**] [1:0:0] Snort Alert [1:0:0] [**]
[Classification: Misc activity] [Priority: 3]

The mysql db also only shows Snort Alert [1:0:0].

Would I have to create a sid and add it to sid-msg.map in order to get my
custom message into the log/message?

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell () secnap net
http://www.secnap.net
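The behaviour asked about above, as an added illustration that is not part of the original post or of barnyard itself: barnyard's unified input carries only the [gid:sid:rev] triple, so the message is looked up in sid-msg.map and a rule with no sid (sid 0) or an unmapped sid falls back to the generic "Snort Alert" text. The sid-msg.map contents and fast-alert lines below are constructed, and the "sid || msg || refs" layout is the assumed map format.

```python
import re

# Constructed sid-msg.map contents (assumed format: sid || msg || optional refs).
SID_MSG_MAP = """\
# sid || msg || reference...
1000001 || EXPERIMENTAL Klez.E worm attempt || url,example.invalid/klez
1000002 || LOCAL suspicious POP3 attachment
"""

# Constructed fast-alert lines in the shape shown in the post.
FAST_ALERTS = [
    "04/27/02-18:10:11.720351  {TCP} 10.1.1.10:110 -> 10.1.1.41:2800 "
    "[**] [1:0:0] Snort Alert [1:0:0] [**]",
    "04/27/02-18:12:03.100000  {TCP} 10.1.1.10:110 -> 10.1.1.41:2801 "
    "[**] [1:1000001:1] Snort Alert [1:1000001:1] [**]",
    "04/27/02-18:13:45.500000  {TCP} 10.1.1.10:110 -> 10.1.1.41:2802 "
    "[**] [1:4242:1] Snort Alert [1:4242:1] [**]",
]

EVENT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_sid_msg_map(text):
    """Return {sid: msg} from sid-msg.map text, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        table[int(fields[0])] = fields[1]
    return table


def resolve(alert_line, table):
    """Return the message barnyard would print for one fast-alert line."""
    m = EVENT_RE.search(alert_line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.groups())
    # sid 0 (no sid in the rule) or an unmapped sid gives the generic text.
    return table.get(sid, f"Snort Alert [{gid}:{sid}:{rev}]")


def find_unmapped(alert_lines, table):
    """List (gid, sid, rev) triples that have no entry in sid-msg.map."""
    unmapped = []
    for line in alert_lines:
        m = EVENT_RE.search(line)
        if m:
            gid, sid, rev = (int(x) for x in m.groups())
            if sid not in table:
                unmapped.append((gid, sid, rev))
    return unmapped
```

Running find_unmapped over a day of fast alerts is a quick check that every local rule has a sid and a sid-msg.map entry before the generic text ends up in the database.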

