Re: Fwd: Re: barnyard2-1.10 major problem

["Lawrence R. Hughes, Sr." <lhughes () safemedia com>]

Beenph,

As you suggested yesterday to add the following:

"add  --alert-on-each-packet-in-stream in your barnyard2 command line
and it will work as expected."

This does not work, I have a unified2 file from snort that has 4 packets 
along with the alert, but barnyard2-1.10 is only inserting the first packet 
into the snort.data table???

So far we have increased the CACHED_EVENTS_MAX  from 512 to 2048 and again 
to 4096  (did not help)
added: --alert-on-each-packet-in-stream to barnyard2 command line (did not 
help).

What do you suggest now to get barnyard2-1.10 to work as you say it should?
BTW it never worked in barnyard2-1.8 either.

Thanks,
Larry





----- Original Message ----- 
From: "beenph" <beenph () gmail com>
To: "Jack" <kingofnerds () gmail com>
Cc: <barnyard2-users () googlegroups com>; "snort-users" 
<snort-users () lists sourceforge net>
Sent: Thursday, October 25, 2012 9:18 AM
Subject: Re: [Snort-users] Fwd: Re: barnyard2-1.10 major problem


> On Thu, Oct 25, 2012 at 9:13 AM, Jack <kingofnerds () gmail com> wrote:
> > ---------- Forwarded message ----------
> > From: "Jack" <kingofnerds () gmail com>
> > Date: Oct 25, 2012 9:11 AM
> > Subject: Re: [Snort-users] barnyard2-1.10 major problem
> > To: "beenph" <beenph () gmail com>
> >
> > Last time I enabled the alert on each packet, I just got more alerts, 
> > what
> > I think is being requested is to have all the packets in a single alert 
> > for
> > one event
>
>
>
> On Thu, Oct 25, 2012 at 9:11 AM, Jack <kingofnerds () gmail com> wrote:
> > Last time I enabled the alert on each packet, I just got more alerts, 
> > what
> > I think is being requested is to have all the packets in a single alert 
> > for
> > one event
>
> Thats not really the way it works.
>
> Since a event can have multiple packet.
>
> At the output plugin level, the output plugin expect a event structure
> and a packet structure.
>
> What the cache does is cache the event structure and when a packet
> matching a previously triggered
> event it will call the output plugin with the associated event
> structure (event record) and the current processed packet.
>
> So its the expected behavior.
>
> The reason i didin't click right away is that the 2.2 spooler like
> this by default. and does not need any command line argument.
>
> -elz
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort 
> news!


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!