FW: [Barnyard-users] BarnYard output reversing IP octets in outpu t

[Joel Healy <Joel.Healy () amphenderson co nz>]

FYI... read inline..  this worked.

cheers

joel

-----Original Message-----
From: Andrew R. Baker [mailto:andrewb () snort org]
Sent: Wednesday, November 06, 2002 9:23 AM
To: Joel Healy
Cc: Barnyard Users (E-mail)
Subject: Re: [Barnyard-users] BarnYard output reversing IP octets in
output


Joel Healy wrote:
> Hi,
> I have been looking at BarnYard and have noticed that it is writing to
logs
> with the IP Addresses with the octets reversed.. eg: d.c.b.a:1065 ->
> d.c.b.a:80
>
> how can i stop this from happening, after reading through barnyard.conf
> fairly thoroughly i can not see anything relevant, and the command line
> options do not appear to be related to this issue...
>
> I am using Hogwasg v0.4 (with snort v1.8.6) with BarnYard 0.1.0 rc3 (build
> 11).

I cannot be sure without verifying, but I would say that Hogwash has not 
been updated with some fixes to the unified output plugin that were 
introduced in 1.9 (and I think 1.8.7).  The bug was that Snort would 
write out all the IP addresses byteswapped from what Barnyard expects to 
read.  Compare the unified output plugin from Snort 1.9 with what you 
have in Hogwash and see if there are any differences.  You should be 
able to copy spo_unified.c from Snort 1.9.0 over to Hogwash without any 
issues (unless the Howgwash people made changes that I am unaware of).

-A




-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm 
Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Barnyard-users mailing list
Barnyard-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/barnyard-users
(This e-mail message and any accompanying attachments may contain
information that is confidential and subject to legal privilege. If you are
not the intended recipient, do not read, use, disseminate, distribute or
copy this message or attachments.  If you have received this message in
error, please delete the message and, if convenient, inform the sender as
soon as possible.)


-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm 
Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users