Re: Problems with snort, Barnyard2 and mysql database

[beenph <beenph () gmail com>]

Greetings Dimitry,

The barnyard2 message is explicit but here is that it mean's,

I am assuming you created a test rule with sid:10000001; and msg:"ICMP test";

You will need to also add rev:1; to that rule in its body.

Then stop snort.
stop barnyard2

Delete all your unified2 file, restart snort and restart barnyard2.


Cheers,
-elz

On Mon, Oct 29, 2012 at 10:37 AM, Dmitry Korzhevin
<dmitry.korzhevin () stidia com> wrote:
> Hello,
>
> I use Debian 6.0.6 and install snort, barnyard2, and other stuff using
> guide: Snort 2.9.3.1 on Debian 6.0.5 by Jason Weir from
> http://www.snort.org/docs
>
> When i make test run of snort with command:
>
> /usr/local/bin/snort -A console -q -u snort -g snort -c
> /etc/snort/snort.conf -i eth0
>
> i get normal output:
>
> 10/29-15:27:53.814919  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
> {IPV6-ICMP} fe80::21c:42ff:fe6b:a311 -> fe80::ffff:1:1
> 10/29-15:27:54.810969  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
> {IPV6-ICMP} fe80::21c:42ff:fe6b:a311 -> fe80::ffff:1:1
> 10/29-15:27:55.810942  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
> {IPV6-ICMP} fe80::21c:42ff:fe6b:a311 -> fe80::ffff:1:1
> 10/29-15:28:02.370578  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
> {ICMP} 89.252.56.204 -> 91.250.80.33
> 10/29-15:28:02.370690  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
> {ICMP} 91.250.80.33 -> 89.252.56.204
> 10/29-15:28:03.373918  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
> {ICMP} 89.252.56.204 -> 91.250.80.33
> 10/29-15:28:03.374001  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
> {ICMP} 91.250.80.33 -> 89.252.56.204
> 10/29-15:28:04.373154  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
> {ICMP} 89.252.56.204 -> 91.250.80.33
> 10/29-15:28:04.373243  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
> {ICMP} 91.250.80.33 -> 89.252.56.204
>
> When i run:
>
>  /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
> &
>
> to start snort, and then start barnyard2:
>
> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f
> snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S
> /etc/snort/sid-msg.map -C /etc/snort/classification.config &
>
> I get output:
>
> http://dpaste.com/820057/
>
> Please help
>
>
>
> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
>
> e: dmitry.korzhevin () stidia com
> m: +38 093 874 5453
> w: http://www.stidia.com
>
>
> ------------------------------------------------------------------------------
> The Windows 8 Center - In partnership with Sourceforge
> Your idea - your app - 30 days.
> Get started!
> http://windows8center.sourceforge.net/
> what-html-developers-need-to-know-about-coding-windows-8-metro-style-apps/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
The Windows 8 Center - In partnership with Sourceforge
Your idea - your app - 30 days.
Get started!
http://windows8center.sourceforge.net/
what-html-developers-need-to-know-about-coding-windows-8-metro-style-apps/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!