Snort mailing list archives

Re: [barnyard2-users] Re: Offering a 64bit version of Snort for Windows?


From: "Michael Steele" <michaels () winsnort com>
Date: Thu, 1 Nov 2012 08:17:26 -0400

I'll give 2.1.11 a try when it's released. It looks like all I'll need to do
is add 2048 to the CACHED_MAX_EVENT in the barnyard2.conf.

The error that is printed will be a warning, and there is no actual problem?

Do we need to worry about adjusting the CACHED_MAX_EVENT to anything other
than 2048?

Sometimes there is a rapid succession (5-6) of those warnings, multiple
times.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
*          Visit Us @ http://www.winsnort.com           *
*      ~~ FREE WinIDS Snort installation guides ~~      *
*               ~~ FREE support forums ~~               *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************


-----Original Message-----
From: barnyard2-users () googlegroups com
[mailto:barnyard2-users () googlegroups com] On Behalf Of beenph
Sent: Thursday, November 01, 2012 7:32 AM
To: Michael Steele
Cc: barnyard2-users () googlegroups com; snort-devel
Subject: Re: [barnyard2-users] Re: [Snort-devel] Offering a 64bit version of
Snort for Windows?

On Wed, Oct 31, 2012 at 11:54 PM, Michael Steele <michaels () winsnort com>
wrote:
Attached is what is showing in the console window when the warning is 
displayed. It looks like the warning is about a port 1025

Also the log file.

Michael...

Seems like in your use context sfPortscan is very verbose and it's reaching
barnyard2's default CACHED_MAX_EVENT (256) defined in spooler.c; you can edit
spooler.c and set CACHED_MAX_EVENT to something around 2048.

And with the version of barnyard2 you're using you might want to add
--alert-on-each-packet-in-stream to the command line.

--alert-on-each-packet-in-stream is defaulted in 2-1.11 and the
configuration directive config cache_max_event is available in the config
file.

With those changes you will still get an error printed by barnyard2:
XXXXX: Invoked with Packet[0x0] Event[0x6a49e0] Event Type [7] Context
pointer[0x6abb90]

This is related to the following event present in the unified2 file that has
no packet:
(Event)
        sensor id: 0    event id: 302   event second: 1351741030        event microsecond: 722224
        sig id: 18608   gen id: 1       revision: 5      classification: 33
        priority: 1     ip source: 10.0.0.3     ip destination: XXX.XXX.XXX.XXX
        src port: 59150 dest port: 80   protocol: 6     impact_flag: 0  blocked: 0


2-1.11 should be released before the end of the week.

Cheers
-elz
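The two things the reply above describes, a unified2 event record with no packet record behind it (what barnyard2 prints as Packet[0x0]) and an event burst that outgrows a 256-entry event cache, can be checked directly on a spool file. The following is an added example, not barnyard2's code or anything from the thread. It assumes the standard unified2 record layouts (type 7 legacy IPv4 IDS event, type 2 packet record), uses a deliberately simplified cache model (an event stays pending until a packet carrying its event id arrives), and builds its own sample stream: the packet-less event quoted above with the redacted destination replaced by 192.0.2.1, followed by a constructed burst of 300 sfPortscan-style events.

```python
import socket
import struct

# Unified2 record types (from the unified2 on-disk format; only these two matter here)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
HDR_FMT = ">II"  # every record: type, length (big-endian uint32 each)
# Legacy IPv4 IDS event body, 52 bytes: sensor_id, event_id, event_second,
# event_microsecond, signature_id, generator_id, signature_revision,
# classification_id, priority_id, ip_source, ip_destination, sport_itype,
# dport_icode, protocol, impact_flag, impact, blocked
EVENT_FMT = ">IIIIIIIIIIIHHBBBB"
# Packet record fixed part, 28 bytes: sensor_id, event_id, event_second,
# packet_second, packet_microsecond, linktype, packet_length; raw packet follows
PACKET_FMT = ">IIIIIII"
DEFAULT_CACHED_MAX_EVENT = 256  # barnyard2 default named in the thread


def _ip2int(addr):
    return struct.unpack(">I", socket.inet_aton(addr))[0]


def make_event(sensor_id, event_id, second, usec, sig_id, gen_id, rev,
               class_id, priority, src, dst, sport, dport, proto):
    """Serialise one legacy IPv4 IDS event record (hypothetical writer)."""
    body = struct.pack(EVENT_FMT, sensor_id, event_id, second, usec, sig_id,
                       gen_id, rev, class_id, priority, _ip2int(src),
                       _ip2int(dst), sport, dport, proto, 0, 0, 0)
    return struct.pack(HDR_FMT, UNIFIED2_IDS_EVENT, len(body)) + body


def make_packet(sensor_id, event_id, second, usec, payload, linktype=1):
    """Serialise the packet record that normally follows an event."""
    body = struct.pack(PACKET_FMT, sensor_id, event_id, second, second, usec,
                       linktype, len(payload)) + payload
    return struct.pack(HDR_FMT, UNIFIED2_PACKET, len(body)) + body


def parse_unified2(data):
    """Walk a unified2 byte stream; return a list of (type, fields)."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(HDR_FMT, data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % off)
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack(EVENT_FMT, body)
            fields = {"sensor_id": f[0], "event_id": f[1], "sig_id": f[4],
                      "gen_id": f[5],
                      "src": socket.inet_ntoa(struct.pack(">I", f[9])),
                      "dst": socket.inet_ntoa(struct.pack(">I", f[10])),
                      "sport": f[11], "dport": f[12], "proto": f[13]}
        elif rtype == UNIFIED2_PACKET:
            f = struct.unpack_from(PACKET_FMT, body)
            fields = {"sensor_id": f[0], "event_id": f[1], "packet_length": f[6]}
        else:
            fields = {"raw": body}  # other record types are left opaque
        records.append((rtype, fields))
        off += 8 + rlen
    return records


def orphan_events(records):
    """Events with no packet record: the case barnyard2 reports as Packet[0x0]."""
    have_packet = {(f["sensor_id"], f["event_id"])
                   for t, f in records if t == UNIFIED2_PACKET}
    return [f for t, f in records if t == UNIFIED2_IDS_EVENT
            and (f["sensor_id"], f["event_id"]) not in have_packet]


def peak_pending_events(records):
    """Simplified model (an assumption, not barnyard2's real spooler logic):
    an event stays cached until a packet with its id arrives, so the peak of
    that set is a lower bound on the event cache the stream needs."""
    pending, peak = set(), 0
    for t, f in records:
        key = (f.get("sensor_id"), f.get("event_id"))
        if t == UNIFIED2_IDS_EVENT:
            pending.add(key)
            peak = max(peak, len(pending))
        elif t == UNIFIED2_PACKET:
            pending.discard(key)
    return peak


def sample_stream():
    """Constructed data: the packet-less event quoted in the thread (its
    redacted destination replaced by 192.0.2.1), then a burst of 300 made-up
    sfPortscan-style (generator 122) events whose packets all arrive later."""
    data = make_event(0, 302, 1351741030, 722224, 18608, 1, 5, 33, 1,
                      "10.0.0.3", "192.0.2.1", 59150, 80, 6)
    for eid in range(1000, 1300):
        data += make_event(0, eid, 1351741031, 0, 1, 122, 1, 30, 3,
                           "10.0.0.3", "192.0.2.1", 1025, eid, 6)
    for eid in range(1000, 1300):
        data += make_packet(0, eid, 1351741031, 0, b"\x45" + b"\x00" * 19)
    return data


if __name__ == "__main__":
    recs = parse_unified2(sample_stream())
    for ev in orphan_events(recs):
        print("event %d (%d:%d) has no packet record" % (ev["event_id"], ev["gen_id"], ev["sig_id"]))
    print("peak pending events: %d, default CACHED_MAX_EVENT: %d"
          % (peak_pending_events(recs), DEFAULT_CACHED_MAX_EVENT))
```

On the constructed stream the orphan check reports only event 302, and the pending-event peak is 301, above the default of 256 but well under the 2048 suggested in the reply; against a real spool file, replace `sample_stream()` with the file's bytes to get the same two numbers for your own traffic.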

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
