[Snort-users] barnyard alert_fast not compatible with snort -A fast?

Michael Scheidell scheidell at ...3799...
Wed May 1 07:47:33 EDT 2002


snort 1.8.6 sends a fast alert like this:  (snort -A fast -c
/usr/local/etc/snort.conf)

all on one line:
04/29-21:25:50.896957  \
[**] [1:1002:2] WEB-IIS cmd.exe access [**]\
[Classification: Web Application Attack] [Priority: 1] \
{TCP} 207.18.92.26:3840 -> 10.1.1.10:80
snort-> barnyard does this:
 one line each, a different order, AND appends a ------------ after entry )
programs that parse the fast.alert file have to fail
 am I missing some option in barnyard.conf?

04/29/02-21:47:47.760815  (TCP} 207.18.92.26:3934 -> 10.1.1.10:80
[**] [1:1113:1] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS297]
------------------------------------------------------------------------


least we look at snort -A full, its even more different, and I can't see a
alert_full for barnyard.

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...5171...
http://www.secnap.net





More information about the Snort-users mailing list