Snort mailing list archives
Re: [Barnyard-users] Barnyard: classification off by one?
From: "Andrew R. Baker" <andrewb () snort org>
Date: Sun, 06 Oct 2002 11:34:53 -0400
Michael Scheidell wrote:
This is where change logs and server configuration logs should be required (by me!). Three systems, identical (well, obviously not!). Two systems show classification next that is NOT the same as was requested. MD5 checksums on barnyard and classification.config are exact. MD5 checksums on snort are exact. Even cerebus shows it off by one when it reads the barnyard file. What and where and how does snort send that info to barnyard? Does it send it an 'index' number? After reading the sid-map file? I guess there could be a problem if that 'index' number changed, i.e. a new sid-msg file, right? In fast.alert plugin for barnyard, Version 0.1.0-rc2 (Build 11), using released snort 1.9.0.
Barnyard had a bug where it indexed the classifications differently than Snort did (off by one). I sent out a patch a few weeks ago that fixed this. Hopefully I can get a new tarball up on snort.org today or tomorrow.
-A
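The off-by-one described in the reply above, as an added illustration that is not part of the original messages and is not Snort or Barnyard source code. It assumes the log record carries only a numeric classification id assigned in classification.config file order, and that the writer counts from 1 while the buggy reader counts from 0; the page states only that the two differed by one. All function names and the sample config are constructed.

```python
# Added illustration; not Snort or Barnyard source code.
import re

# Constructed sample in classification.config syntax:
#   config classification: shortname,description,priority
SAMPLE_CONFIG = """\
# constructed sample
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-recon,Attempted Information Leak,2
"""

LINE_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]+),\s*(\d+)\s*$")

def parse_classifications(text):
    """Return [(shortname, description, priority), ...] in file order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return entries

def build_table(entries, first_id):
    """Map numeric id -> entry, numbering from first_id in file order."""
    return {first_id + i: e for i, e in enumerate(entries)}

def resolve(table, class_id):
    """Look up an id from a logged record; None means the id is out of range."""
    entry = table.get(class_id)
    return entry[0] if entry else None

def find_mismatches(entries, writer_first_id, reader_first_id):
    """List (id, writer_name, reader_name) where the two sides disagree."""
    writer = build_table(entries, writer_first_id)
    reader = build_table(entries, reader_first_id)
    out = []
    for cid, e in sorted(writer.items()):
        got = resolve(reader, cid)
        if got != e[0]:
            out.append((cid, e[0], got))
    return out

if __name__ == "__main__":
    entries = parse_classifications(SAMPLE_CONFIG)
    # Assumption: writer numbers from 1, buggy reader numbers from 0.
    for cid, sent, shown in find_mismatches(entries, 1, 0):
        print(f"id {cid}: logged as {sent!r}, displayed as {shown!r}")
```

Both sides parse the same file here, so matching checksums on classification.config would not rule this failure out; only the numbering convention differs.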
Current thread:
- Barnyard: classification off by one? Michael Scheidell (Oct 05)
- Re: Barnyard: classification off by one? Dragos Ruiu (Oct 05)
- Re: [Barnyard-users] Barnyard: classification off by one? Andrew R. Baker (Oct 06)