Snort mailing list archives

Re: Base Barnyard and Unified Logs


From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 14 Mar 2005 16:49:33 -0600

--On Monday, March 14, 2005 05:30:43 PM -0500 Wes Young <wcyoung () buffalo edu> wrote:

> I know... I have done that... which is why Aanval works...

Then the problem isn't barnyard.

> but Base does not... trying to figure that part out (where Base gets
> all its info)

Base gets its info from the db. If you run the following query, you will see what's there:
select sig_id,sig_name from signature;

If you have entries in there that look like this:
Snort Alert [1:3192:0]

Then you either don't have an entry for the signature (e.g. sid:3192) in the sid-msg.map or you need to restart barnyard so it can parse the file again. Every time the sid-msg.map changes, barnyard has to be HUP'd so it can reread the file.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
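The check Paul describes (look at the signature table, spot the generic "Snort Alert [gid:sid:rev]" names, then decide whether the sid is absent from sid-msg.map or barnyard simply has not re-read the file) can be scripted. The block below is an added example, not code from the thread or from the BASE or barnyard projects. It assumes the classic one-line-per-sid layout of sid-msg.map ("sid || msg || ref, ...") and the signature table columns sig_id and sig_name from the query above; the map excerpt and table rows are constructed sample data.

```python
"""Diagnose generic "Snort Alert [gid:sid:rev]" names in the BASE signature table.

Added example (not from the thread). Assumes:
  - sid-msg.map in the classic layout:  sid || msg [|| ref ...]
  - signature rows as returned by:      select sig_id,sig_name from signature;
All sample data below is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sid-msg.map excerpt. Blank lines and '#' comments are ignored.
SAMPLE_SID_MSG_MAP = """\
# sid || message || reference,...
3190 || WEB-CLIENT example signature one || cve,2005-0000
3191 || WEB-CLIENT example signature two
"""

# Constructed rows as the query in the thread would return them.
SAMPLE_SIGNATURE_ROWS = [
    (1, "WEB-CLIENT example signature one"),
    (2, "Snort Alert [1:3191:0]"),   # sid is in the map: barnyard never re-read it
    (3, "Snort Alert [1:3192:0]"),   # sid is not in the map at all
]

# Placeholder name barnyard writes when it cannot resolve gid:sid:rev.
GENERIC_NAME = re.compile(r"^Snort Alert \[(\d+):(\d+):(\d+)\]$")


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Return {sid: message} from sid-msg.map text, skipping malformed lines."""
    mapping: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # not "sid || msg": skip rather than abort the whole run
        mapping[int(fields[0])] = fields[1]
    return mapping


def generic_sids(rows) -> List[Tuple[int, int]]:
    """(sig_id, sid) for every row whose sig_name is the unresolved placeholder."""
    found = []
    for sig_id, sig_name in rows:
        m = GENERIC_NAME.match(sig_name)
        if m:
            found.append((sig_id, int(m.group(2))))
    return found


def diagnose(rows, sid_map: Dict[int, str]) -> Dict[str, list]:
    """Split placeholder rows by cause.

    needs_hup:        sid is in sid-msg.map, so barnyard must be restarted/HUP'd
                      to re-read the file (the name it would then use is shown).
    missing_from_map: sid is not in sid-msg.map; the map itself needs the entry.
    """
    needs_hup, missing = [], []
    for sig_id, sid in generic_sids(rows):
        if sid in sid_map:
            needs_hup.append((sig_id, sid, sid_map[sid]))
        else:
            missing.append((sig_id, sid))
    return {"needs_hup": needs_hup, "missing_from_map": missing}


if __name__ == "__main__":
    report = diagnose(SAMPLE_SIGNATURE_ROWS, parse_sid_msg_map(SAMPLE_SID_MSG_MAP))
    for sig_id, sid, msg in report["needs_hup"]:
        print(f"sig_id {sig_id}: sid {sid} is in sid-msg.map as '{msg}'; HUP barnyard")
    for sig_id, sid in report["missing_from_map"]:
        print(f"sig_id {sig_id}: sid {sid} is missing from sid-msg.map; add it")
```

In a real deployment, replace the two sample constants with the contents of the sensor's sid-msg.map and the rows from the query against the BASE database; the rule for deciding between "add the entry" and "HUP barnyard" is the same one Paul gives above.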

