[Snort-users] Re: [Barnyard-users] Barnyard: classification off by one?

Andrew R. Baker andrewb at ...950...
Sun Oct 6 08:21:03 EDT 2002


Michael Scheidell wrote:
> this is where change logs, and server configuration logs should be required
> (by me!)
> Three systems, identical (well, obviously not!)
> Two systems show classification next that is NOT the same as was requested
> md5 checksums on barnyard and classification.config are exact.
> md5 checksums on snort are exact.
> 
> even cerebus shows it off by one when it reads the barnyard file.
> 
> what and where and how does snort send that info to barnyard?
> does it send it an 'index' number? after reading the sid-map file?
> I guess there could be problem if that 'index' number changed, ie a new
> sid-msg file, right?
> 
> in fast.alert plugin for barnyard,
> Version 0.1.0-rc2 (Build 11)
> using released snort 1.9.0


Barnyard had a bug where it indexed the classifications differently than 
Snort did (off by one).  I sent out a patch a few weeks ago that fixed 
this.  Hopefully I can get a new tarball up on snort.org today or tomorrow.

-A
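
Added example, not part of the original message and not Snort's or Barnyard's code: a reader that loads class names from classification.config-style text and resolves the numeric id in an alert record, showing how a writer and reader that disagree on the first id report the neighbouring class. It assumes ids are positions in file order with the writer starting at 1; the thread does not say which side was off or in which direction, and the config lines and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 64
#define NAME_LEN 64

/* Constructed sample in classification.config syntax (not from the thread). */
static const char *SAMPLE_CONFIG =
    "# comment line\n"
    "config classification: not-suspicious,Not Suspicious Traffic,3\n"
    "config classification: unknown,Unknown Traffic,3\n"
    "config classification: bad-unknown,Potentially Bad Traffic,2\n"
    "config classification: attempted-recon,Attempted Information Leak,2\n";
static char class_names[MAX_CLASSES][NAME_LEN];

/* Load short names in file order; returns the number of entries parsed. */
int load_classes(const char *text) {
    static const char prefix[] = "config classification:";
    int count = 0;
    while (*text && count < MAX_CLASSES) {
        size_t len = strcspn(text, "\n");
        if (strncmp(text, prefix, sizeof prefix - 1) == 0) {
            const char *p = text + sizeof prefix - 1;
            p += strspn(p, " \t");
            size_t n = strcspn(p, ",\n");
            if (n > 0 && n < NAME_LEN) {
                memcpy(class_names[count], p, n);
                class_names[count][n] = '\0';
                count++;
            }
        }
        text += len;
        if (*text == '\n') text++;
    }
    return count;
}

/* Map an id from an alert record to a name. first_id is the id the reader
 * believes the first entry has (assumption: the writer used 1). Returns NULL
 * when the id falls outside the table instead of indexing past it. */
const char *class_for_id(unsigned id, unsigned first_id, int count) {
    if (id < first_id || id - first_id >= (unsigned)count) return NULL;
    return class_names[id - first_id];
}

int main(void) {
    int n = load_classes(SAMPLE_CONFIG);
    /* Constructed record: the writer meant the third entry (id 3). */
    printf("reader agrees   (first_id=1): %s\n", class_for_id(3, 1, n));
    printf("reader off by 1 (first_id=0): %s\n", class_for_id(3, 0, n));
    return 0;
}
```

Matching checksums on the binaries and on classification.config do not rule this out, since the disagreement is in how the two programs number the same file.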





