Snort mailing list archives

barnyard loses details WRT ACID?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 16 Mar 2004 13:14:16 +1300

I'm starting to use barnyard to allow me to create a "central server"
containing all the events from our Snort network. I've got the data coming
over fine - and it imports fine via barnyard.

However, when I go to ACID to view it, a strange thing can be seen. Most of
the entries look 100% fine - but a few show up with bizarre description
names of "Snort Alert [1:XXXXXXX:0]" - where XXXXXXX is the SID.

e.g.

I have this Blaster rule

alert tcp any any -> any 135:139 ( \
    msg:"Possible dcom*.c EXPLOIT ATTEMPT to 135-139"; \
    content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 \
              00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 \
              C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 \
              9F E8 08 00 2B 10 48 60 02 00 0000|"; \
    reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; \
    reference:cve,CAN-2003-0352; \
    classtype:attempted-admin; sid:1101000; rev:1; resp:rst_all;)

That shows up as "Snort Alert [1:1101000:0]" instead of "Possible dcom...".

Within the actual "real" Snort IDS box, it has "Possible dcom..." - so this
problem is related more to barnyard than snort I guess...

Snort 2.1.1

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
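The symptom in the post (a custom rule's event showing up as "Snort Alert [1:1101000:0]" in ACID) is the shape of barnyard's generic fallback name, which it uses when an event's SID is not found in its sid-msg.map. The following is an added diagnostic example, not code from the post or from the barnyard project: it parses a rules file, parses a sid-msg.map, reproduces the fallback naming, and reports which local SIDs are missing from the map. The sample rules and map contents are constructed inline (the post's DCOM rule is included with its content shortened); the `||`-separated map format and the `[gid:sid:rev]` fallback string are assumptions based on barnyard's design rather than anything the post states.

```python
import re

# Constructed sample rules file: the post's DCOM rule (content shortened)
# plus one ordinary rule that does have a map entry.
SAMPLE_RULES = r'''
# local.rules (constructed sample)
alert tcp any any -> any 135:139 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 135-139"; content:"|05 00 0B 03 10 00 00 00|"; classtype:attempted-admin; sid:1101000; rev:1;)
alert tcp any any -> any 21 (msg:"FTP command overflow attempt"; content:"USER "; sid:1000001; rev:2;)
'''

# Constructed sample sid-msg.map, generated before the DCOM rule was added,
# so it lacks sid 1101000. Assumed format: "sid || msg || ref ...".
SAMPLE_SID_MSG_MAP = '''
# sid-msg.map (constructed sample)
1000001 || FTP command overflow attempt
'''

# Pull msg, sid and (optional) rev out of a single-line rule.
RULE_RE = re.compile(r'msg:"([^"]*)".*?sid:(\d+);(?:.*?rev:(\d+);)?')


def parse_rules(text):
    """Return {sid: (msg, rev)} for every rule line in a rules file."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.search(line)
        if not m:
            continue  # not a rule line (or no msg/sid), skip it
        msg, sid, rev = m.group(1), int(m.group(2)), int(m.group(3) or 0)
        rules[sid] = (msg, rev)
    return rules


def parse_sid_msg_map(text):
    """Return {sid: msg} from sid-msg.map text (first two '||' fields)."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = [p.strip() for p in line.split('||')]
        mapping[int(parts[0])] = parts[1]
    return mapping


def event_name(sid, sid_map, gid=1, rev=0):
    """Name an event the way barnyard is assumed to: the mapped msg if the
    SID is known, otherwise the generic 'Snort Alert [gid:sid:rev]' string."""
    if sid in sid_map:
        return sid_map[sid]
    return "Snort Alert [%d:%d:%d]" % (gid, sid, rev)


def find_unmapped(rules, sid_map):
    """SIDs present in the rules but absent from the map (sorted)."""
    return sorted(sid for sid in rules if sid not in sid_map)


def generate_map_lines(rules):
    """Build sid-msg.map lines for every parsed rule, so the map can be
    regenerated after local rules are added."""
    return ["%d || %s" % (sid, msg) for sid, (msg, _rev) in sorted(rules.items())]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    sid_map = parse_sid_msg_map(SAMPLE_SID_MSG_MAP)
    for sid in sorted(rules):
        print(sid, "->", event_name(sid, sid_map))
    print("unmapped SIDs:", find_unmapped(rules, sid_map))
    print("\n".join(generate_map_lines(rules)))
```

Running this against a real rules directory and the sid-msg.map that barnyard reads makes the check concrete: any SID listed by `find_unmapped` will show up in ACID with the generic name, and regenerating the map from the current rules (as `generate_map_lines` does) is the fix on the barnyard side.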



