Snort mailing list archives

snort_inline + barnyard2 + base


From: Fábio Ferrão <ferrao04 () gmail com>
Date: Thu, 29 Apr 2010 19:56:18 +0000

Guys,

I have a FreeBSD 7.2-stable.
I have installed snort-2.8.5.3 with enable-inline and enable-ipfw, and I have
barnyard2-1.7.
Snort and barnyard2 initialize successfully. Snort records alerts in
snort.u2 (binary alerts) and barnyard2 forwards the alerts to the database.

*snort.conf*
output unified2: filename snort.u2, limit 128

*barnyard2.conf*
input unified2
output database: log, mysql, user=snort password=xxxxx dbname=snort_bd host=10.10.10.100 sensor_name=fw1

My problem is: in BASE I only see portscan preprocessor alerts (portscan:
TCP Portscan, portscan: TCP Decoy Portscan, portscan: TCP Distributed
Portscan, etc.).
When I start snort forwarding the alerts to the database instead of recording
them in snort.u2 (binary format), I see ALL alerts in BASE. I don't understand!

This problem only happens when I start snort_inline (IPS) +
barnyard2. When I start snort (IDS) + barnyard2, I see ALL alerts in
BASE.
Can somebody help me?
Thanks.

-- 
Fábio Ferrão

"E conhecereis a verdade e a verdade vos libertará".    João 8.32
"And you will know the truth, and the truth will set you free".    John 8.32
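A check that separates the two halves of the problem above: reading the snort.u2 spool directly and tallying event records by generator id shows whether Snort is writing non-portscan events into the file at all, or whether they are present and barnyard2 is the stage dropping them on the way to the database. This is an added example, not code from the post or from the Snort/barnyard2 projects; it reads only the fixed unified2 (type, length) record header and the common prefix of the IDS event body, and SAMPLE is a constructed byte string, not a real spool.

```python
import struct
from collections import Counter

# unified2 record types (values from Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_V2 = 104       # adds mpls/vlan fields, 60-byte body
UNIFIED2_IDS_EVENT_IPV6_V2 = 105
EVENT_TYPES = {7, 72, 104, 105}

# Every record is a big-endian (type, length) header followed by the body;
# every event body starts sensor_id, event_id, event_sec, event_usec, sig_id, gid.
HDR = struct.Struct("!II")
EVT_PREFIX = struct.Struct("!IIIIII")

def iter_records(data):
    """Yield (type, body) for each complete record; stop at a truncated tail."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        off += HDR.size
        if off + rlen > len(data):
            break  # spool file still being written by snort; body incomplete
        yield rtype, data[off:off + rlen]
        off += rlen

def count_events_by_gid(data):
    """Return {generator_id: event count}; packet/extra-data records are skipped."""
    counts = Counter()
    for rtype, body in iter_records(data):
        if rtype in EVENT_TYPES and len(body) >= EVT_PREFIX.size:
            gid = EVT_PREFIX.unpack_from(body)[5]
            counts[gid] += 1
    return dict(counts)

def make_event(gid, sig_id, rtype=UNIFIED2_IDS_EVENT):
    """Constructed IPv4 event record for testing (remaining fields zeroed)."""
    body_len = 60 if rtype == UNIFIED2_IDS_EVENT_V2 else 52
    body = EVT_PREFIX.pack(1, 1, 0, 0, sig_id, gid).ljust(body_len, b"\x00")
    return HDR.pack(rtype, len(body)) + body

# Constructed sample spool: two sfportscan events (gid 122), one rule hit (gid 1),
# one packet record, and a partial trailing header as seen mid-write.
SAMPLE = (make_event(122, 1) + make_event(1, 2003)
          + HDR.pack(UNIFIED2_PACKET, 4) + b"\x00" * 4
          + make_event(122, 3, UNIFIED2_IDS_EVENT_V2) + b"\x00\x00")

if __name__ == "__main__":
    print(count_events_by_gid(SAMPLE))  # {122: 2, 1: 1}
```

Run count_events_by_gid on the bytes of the real snort.u2 file: gid 122 is the sfportscan preprocessor and gid 1 the rules engine, so a tally with only gid 122 points at the Snort inline/output side, while a tally containing gid 1 points at barnyard2 or the database import.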
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users