[Snort-devel] Barnyard & Snort

peleus peleus at ...1667...
Mon Nov 11 14:48:03 EST 2002


        That is ok, I was rushing the email out anyway and I wrote IP's
insteads of ports.  Anyway, I made some changes to Snort's op_fast.c file
to allow it to take in an extra flag called "Standard_Mode".  If the
"Standard_mode" flag is set then op_fast will print out the data in
Snort's native fast_alert format instead of the current Barnyard
approximation format.  This allows me to use other utilities that expect
Snort's formatting.  Would these changes be advantageous to the overall
Barnyard development?  If so, what is the best way to get them to you
guys?  The code should be reviewed by someone closer to the project before
check-in.  It works in _my_ environment ;).
        Also, I am working on making changes to the spp_portscan2
preprocessor to allow conf file entries for ignoring certain ports.  In
our environment it is "normal" for one IP (customer) to connect to several
different servers on port 80.  I need a way for port 80 not to be
considered a part of a portscan.  If this addition would be of interest to
the general group then let me know and I will send it in when I am done.

thanks,
  -Peleus



On Thu, 7 Nov 2002, Bamm (Robert) Visscher wrote:

> Sorry, I read this as alert FULL not FAST. I and was assuming you were  
> looking for more content. My wife put me on "1/2 the caffine" coffee, it
> must be her fault. That is my story, and I am sticking to it.
>
> Bammkkkk
>    
> On Thu, 2002-11-07 at 13:45, Peleus G. Uhley wrote:
> >
> >     Sorry, I was looking at the wrong log when I wrote this.  BY does
> > show IPs for ICMP alerts.
> >
> >
> > -Peleus






More information about the Snort-devel mailing list