Snort mailing list archives
Re: Problems with so_rules+base+barnyard2.
From: JJ Cummings <cummingsj () gmail com>
Date: Fri, 6 Aug 2010 19:39:06 -0600
And this file is created automatically if you use pulledpork

Sent from the iRoad

On Aug 6, 2010, at 19:04, Nigel Houghton <nhoughton () sourcefire com> wrote:
> On Fri, 6 Aug 2010 21:48:35 -0300, David Guimaraes wrote:
>
>> Hello.. I followed this post (http://eatingsecurity.blogspot.com/2008/10/snort-shared-object-rules-with-sguil.html) to make so_rules stubs. These stubs were generated fine, but the problem is that barnyard does not translate these stub rules correctly. I followed the right steps to append the generated rules to /etc/snort/gen-msg.map (using the oinkmaster create-sid tool), and I configured barnyard.conf accordingly.
>>
>> barnyard config:
>>
>> config reference_file: /etc/snort/reference.config
>> config classification_file: /etc/snort/classification.config
>> config gen_file: /etc/snort/gen-msg.map
>> config sid_file: /etc/snort/sid-msg.map
>>
>> gen-msg.map:
>>
>> 1 || 1 || snort general alert
>> 2 || 1 || tag: Tagged Packet
>> 3 || 10126 || WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt
>> 3 || 10127 || DOS Microsoft IP Options denial of service
>> ..
>>
>> But when some so_rules fire, I looked at BASE, and I saw this:
>>
>> [snort] Snort Alert [1:14644:0]
>>
>> I think barnyard is not catching (translating) these alerts correctly, right? What should I do? Thanks.
>
> The file you need to append the information to is the sid-msg.map not the gen-msg.map.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
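The point the thread turns on is that an entry in gen-msg.map does nothing for a rule alert; the sid has to be in sid-msg.map or barnyard2 hands BASE the generic "Snort Alert [gid:sid:rev]" string. The script below is an added example written for this archive page, not code from the list, from pulledpork or from oinkmaster: it extracts sid/msg/reference from stub rule lines, emits the lines for both map files, and resolves an alert the way the thread describes so the before/after difference is visible. Assumptions, labelled in the comments: the stub lines are constructed (same sids and messages as the poster's gen-msg.map, with a placeholder example.invalid reference on the first); the sid-msg.map layout is the v1 `sid || msg || ref` form barnyard2 read in 2010; and rule alerts (gid 1 and gid 3) are named from sid-msg.map while other generators are named from gen-msg.map, which is how I understand barnyard2's lookup, not something the thread states.

```python
"""Build sid-msg.map / gen-msg.map lines from Snort rule stubs and show why
a gen-msg.map-only entry still renders as "Snort Alert [gid:sid:rev]".
"""
import re

# Constructed sample stub lines (not the real so_rules stubs). The sids and
# messages match the poster's gen-msg.map; the reference is a placeholder.
STUB_RULES = '''
# stub file excerpt, constructed for this example
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt"; sid:10126; gid:3; rev:4; reference:url,example.invalid/sample; metadata:engine shared;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IP Options denial of service"; sid:10127; gid:3; rev:3; metadata:engine shared;)
'''

MSG_RE = re.compile(r'msg:"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)')
GID_RE = re.compile(r'\bgid:\s*(\d+)')
REV_RE = re.compile(r'\brev:\s*(\d+)')
REF_RE = re.compile(r'\breference:\s*([^;]+);')


def parse_rule(line):
    """Pull gid/sid/rev/msg/references out of one rule line; None without sid+msg."""
    msg, sid = MSG_RE.search(line), SID_RE.search(line)
    if not (msg and sid):
        return None
    gid, rev = GID_RE.search(line), REV_RE.search(line)
    return {
        "gid": int(gid.group(1)) if gid else 1,   # Snort's default gid is 1
        "sid": int(sid.group(1)),
        "rev": int(rev.group(1)) if rev else 0,   # treat a missing rev as 0
        "msg": msg.group(1),
        "refs": [r.strip() for r in REF_RE.findall(line)],
    }


def parse_rules(text):
    """Parse every non-comment rule line in a stub file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parsed = parse_rule(line)
            if parsed:
                rules.append(parsed)
    return rules


def sid_msg_map_lines(rules):
    """v1 sid-msg.map layout (assumption: what barnyard2 read in 2010): sid || msg || ref ..."""
    return [" || ".join([str(r["sid"]), r["msg"], *r["refs"]]) for r in rules]


def gen_msg_map_lines(rules):
    """gen-msg.map layout: gid || sid || msg (the file the poster appended to)."""
    return [f'{r["gid"]} || {r["sid"]} || {r["msg"]}' for r in rules]


def load_sid_map(lines):
    """sid -> msg, from v1 sid-msg.map lines."""
    sid_map = {}
    for line in lines:
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            sid_map[int(parts[0])] = parts[1]
    return sid_map


def load_gen_map(lines):
    """(gid, sid) -> msg, from gen-msg.map lines."""
    gen_map = {}
    for line in lines:
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            gen_map[(int(parts[0]), int(parts[1]))] = parts[2]
    return gen_map


def resolve_alert(gid, sid, rev, sid_map, gen_map):
    """Model of the lookup: rule alerts (gid 1 and 3; an assumption about
    barnyard2, not stated in the thread) are named from sid-msg.map, other
    generators from gen-msg.map, and anything unmapped falls back to the
    generic string the poster saw in BASE."""
    if gid in (1, 3):
        msg = sid_map.get(sid)
    else:
        msg = gen_map.get((gid, sid))
    return msg if msg is not None else f"Snort Alert [{gid}:{sid}:{rev}]"


def check_stub_coverage(rules, sid_map):
    """(gid, sid) pairs from the stubs that the loaded sid-msg.map cannot name."""
    return [(r["gid"], r["sid"]) for r in rules if r["sid"] not in sid_map]


if __name__ == "__main__":
    rules = parse_rules(STUB_RULES)
    gen_map = load_gen_map(gen_msg_map_lines(rules))
    sid_map = load_sid_map(sid_msg_map_lines(rules))
    for r in rules:
        print("gen-msg.map only:", resolve_alert(r["gid"], r["sid"], r["rev"], {}, gen_map))
        print("with sid-msg.map:", resolve_alert(r["gid"], r["sid"], r["rev"], sid_map, gen_map))
    print("unmapped stubs:", check_stub_coverage(rules, sid_map))
```

Run it against your own stub files by feeding their text to `parse_rules` and diffing `sid_msg_map_lines` output against the current /etc/snort/sid-msg.map; `check_stub_coverage` is the quick test to run before restarting barnyard2, since an empty list means every stub sid will be named rather than rendered as "Snort Alert [gid:sid:rev]". Messages containing a literal "||" would confuse the loaders, which split on that token exactly as the map format does.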
Current thread:
- Problems with so_rules+base+barnyard2. David Guimaraes (Aug 06)
- Re: Problems with so_rules+base+barnyard2. Nigel Houghton (Aug 06)
- Re: Problems with so_rules+base+barnyard2. JJ Cummings (Aug 06)
- Re: Problems with so_rules+base+barnyard2. Nigel Houghton (Aug 06)