Snort mailing list archives

Re: BASE sensor name


From: "Lay, James" <james.lay () wincofoods com>
Date: Mon, 1 Aug 2011 09:18:10 -0600

That -F didn't make a difference, bummer but eh..I'll deal with it.  As
for db logging, I'm trying to get the best of both worlds...direct to db
via snort for BASE, and using barnyard2 for sguil...maybe not the best
way, but eh...I want to have a couple frontends to work with for
reporting and whatnot.  Thanks gents.


james


From: Matthew Jonkman [mailto:jonkman () emergingthreatspro com] 
Sent: Monday, August 01, 2011 9:11 AM
To: Lay, James
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] BASE sensor name


That's normal behavior actually. Used to have the issue long ago.


If you change the bpf filter it'll create a new sensor instance in the
db each time. A bit annoying, but likely useful in retrospect when
investigating to know what the bpf was.


This may be different if you use barnyard for your sql connection
though, which is more effective anyway. (assuming you're not already?)


Matt


On Aug 1, 2011, at 11:04 AM, Lay, James wrote:

Heh...me either Joel...first time.  I'll give that filter file a shot
though...sounds like just what I need.  Thank you.  Here's a
snap...really wild.


http://i290.photobucket.com/albums/ll269/DigiDemon/MWSnap035.jpg


James


From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Monday, August 01, 2011 8:47 AM
To: Lay, James
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] BASE sensor name


Huh.  Never heard that one before James.


How are you logging?  (output method)


You might want to try loading the bpf in a file and then calling the
file through -F


Joel


On Aug 1, 2011, at 10:42 AM, Lay, James wrote:

Hey all!


Real quick...seems like when I start snort with a tcpdump style filter
(snort -c snort.conf "ip and not host blah blah blah") my sensor name
shows up as the sensorname:interface:tcpdumpfilter.  Anyone else seen
anything like this?  It's not a complete pain...just looks kinda dumb ;)
Didn't see any fixes after googling, so I thought I'd ask here.  Thanks
all..have a great week :)


James

------------------------------------------------------------------------------
Got Input?   Slashdot Needs You.
Take our quick survey online.  Come on, we don't ask for help often.
Plus, you'll get a chance to win $100 to spend on ThinkGeek.
http://p.sf.net/sfu/slashdot-survey
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation

----------------------------------------------------
Matthew Jonkman

Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


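The thread describes two behaviours of Snort's direct database output: the BPF filter string is stored with the sensor row, so BASE renders the sensor as hostname:interface:filter, and every distinct filter string produces a new sensor row (and a new sid) for the same host and interface. The following is an added example, not code from the thread, Snort, BASE or barnyard2. It rebuilds the relevant part of the classic Snort DB schema in an in-memory SQLite database with constructed sensor and event rows, derives the BASE-style display name from the hostname, interface and filter columns, and runs the check a practitioner would want before cleaning up: which (hostname, interface) pairs appear under more than one sid, and how many events each of those sids holds. The column names (sensor.sid, hostname, interface, filter, detail, encoding, last_cid; event.sid, cid, signature, timestamp) follow the Snort database schema; the sample hostnames, interfaces, filters and event rows are invented.

```python
"""Added example: inspect Snort DB sensor rows created by varying BPF filters.

Constructed data in SQLite; column names follow the Snort DB schema, the
rows themselves are invented for illustration.
"""
import sqlite3
from collections import defaultdict

SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY,
    hostname  TEXT,
    interface TEXT,
    filter    TEXT,
    detail    INTEGER,
    encoding  INTEGER,
    last_cid  INTEGER
);
CREATE TABLE event (
    sid       INTEGER,
    cid       INTEGER,
    signature INTEGER,
    timestamp TEXT,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed rows: ids01/eth1 was started three times, once with no BPF and
# twice with different filter strings, so it appears as three sensor rows.
SENSORS = [
    (1, "ids01", "eth1", None, 1, 0, 2),
    (2, "ids01", "eth1", "ip and not host 10.0.0.5", 1, 0, 3),
    (3, "ids01", "eth1", "ip and not host 10.0.0.5 and not host 10.0.0.6", 1, 0, 1),
    (4, "ids02", "eth0", None, 1, 0, 1),
]
EVENTS = [
    (1, 1, 100, "2011-08-01 08:00:00"),
    (1, 2, 100, "2011-08-01 08:05:00"),
    (2, 1, 200, "2011-08-01 09:00:00"),
    (2, 2, 200, "2011-08-01 09:01:00"),
    (2, 3, 300, "2011-08-01 09:02:00"),
    (3, 1, 100, "2011-08-01 10:00:00"),
    (4, 1, 400, "2011-08-01 10:30:00"),
]


def base_sensor_name(hostname, interface, bpf):
    """Display name as the thread describes BASE rendering it:
    hostname:interface, with :filter appended when a BPF was in use."""
    name = f"{hostname}:{interface}"
    return f"{name}:{bpf}" if bpf else name


def load_sample_db():
    """Build the in-memory database from the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?,?,?,?,?)", SENSORS)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", EVENTS)
    return conn


def sensor_rows_with_events(conn):
    """One tuple per sensor row: (sid, BASE display name, event count)."""
    rows = conn.execute(
        """
        SELECT s.sid, s.hostname, s.interface, s.filter, COUNT(e.cid)
        FROM sensor s LEFT JOIN event e ON e.sid = s.sid
        GROUP BY s.sid
        ORDER BY s.sid
        """
    ).fetchall()
    return [(sid, base_sensor_name(h, i, f), n) for sid, h, i, f, n in rows]


def duplicate_sensors(conn):
    """Group sids by (hostname, interface) and keep only the groups with more
    than one sid: the same physical sensor recorded under several filters."""
    groups = defaultdict(list)
    for sid, h, i, f in conn.execute(
        "SELECT sid, hostname, interface, filter FROM sensor ORDER BY sid"
    ):
        groups[(h, i)].append((sid, f))
    return {key: sids for key, sids in groups.items() if len(sids) > 1}


if __name__ == "__main__":
    c = load_sample_db()
    for sid, name, n in sensor_rows_with_events(c):
        print(f"sid={sid:<3} events={n:<3} {name}")
    for (h, i), sids in duplicate_sensors(c).items():
        print(f"{h}:{i} appears as {len(sids)} sensor rows: "
              f"sids {[s for s, _ in sids]}")
```

Against a live Snort/BASE database the same two queries can be run directly, replacing the sqlite3 connection with the MySQL or PostgreSQL driver of the deployment; the grouping is what tells you whether a run of short-lived sids is just filter churn on one box or genuinely different sensors before anything is merged or deleted.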