[Snort-users] barnyard & snort options

Jo jo at ...9672...
Fri Jul 18 05:36:26 EDT 2003


hi,

I use barnyard with
/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -f snort.log -w /var/log/snort/waldo
and
config daemon
config hostname: spawn
config interface: ppp0
config filter: none
processor dp_alert
processor dp_log
processor dp_stream_stat
output log_dump

For test purposes I started snort with -D, -Dd, -De and -DX and get the same log with all of these options:

[**] [1:1122:4] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2]
Event ID: 2     Event Reference: 2
07/17/03-19:42:59.702279 192.168.63.3:4864 -> x.x.x.x:80
TCP TTL:128 TOS:0x0 ID:41229 IpLen:20 DgmLen:420 DF
***AP*** Seq: 0x55C7FD49  Ack: 0x879C2314  Win: 0x4230  TcpLen: 20
47 45 54 20 2F 2E 2E 2F 2E 2E 2F 65 74 63 2F 70  GET /../../etc/p
61 73 73 77 64 20 48 54 54 50 2F 31 2E 31 0D 0A  asswd HTTP/1.1..
41 63 63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69  Accept: image/gi
66 2C 20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D  f, image/x-xbitm
61 70 2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20  ap, image/jpeg,
69 6D 61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70  image/pjpeg, app
6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D  lication/vnd.ms-
70 6F 77 65 72 70 6F 69 6E 74 2C 20 61 70 70 6C  powerpoint, appl
69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65  ication/vnd.ms-e
78 63 65 6C 2C 20 61 70 70 6C 69 63 61 74 69 6F  xcel, applicatio
6E 2F 6D 73 77 6F 72 64 2C 20 61 70 70 6C 69 63  n/msword, applic
61 74 69 6F 6E 2F 78 2D 73 68 6F 63 6B 77 61 76  ation/x-shockwav
65 2D 66 6C 61 73 68 2C 20 2A 2F 2A 0D 0A 41 63  e-flash, */*..Ac
63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 64  cept-Language: d
65 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  e..Accept-Encodi
6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74  ng: gzip, deflat
65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp
61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 35  atible; MSIE 5.5
3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 30  ; Windows NT 5.0
3B 20 54 33 31 32 34 36 31 29 0D 0A 48 6F 73 74  ; T312461)..Host
3A 20 77 77 77 2E 70 65 72 69 73 65 63 2E 64 65  : www.xxxxxxx.de
0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65  ..Connection: Ke
65 70 2D 41 6C 69 76 65 0D 0A 0D 0A              ep-Alive....

Does this make sense?
Thanks for the help,
jo
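The record above is the "full alert" layout that barnyard's log_dump output writes: a rule header line, classification and priority, barnyard's own Event ID / Event Reference line, the 5-tuple with timestamp, the IP and TCP header summaries, and then the TCP payload as 16-byte hex rows with a printable rendering to the right. The following parser is an added example for this post, not barnyard or Snort code. It takes the record exactly as posted (the destination is already masked as x.x.x.x there), rebuilds the payload from the hex column only, and runs two checks a practitioner would want when comparing output from different snort options: that the number of dumped bytes equals DgmLen minus IpLen minus TcpLen (so the dump holds the complete application payload and was not truncated), and that the message text agrees with a sid-msg.map entry. The one-line sid-msg.map is constructed for the example and stands in for the file passed with -s.

```python
import re

# Record copied from the post above (the destination was already masked
# as x.x.x.x there); it is the input every function below works on.
SAMPLE_ALERT = """\
[**] [1:1122:4] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2]
Event ID: 2     Event Reference: 2
07/17/03-19:42:59.702279 192.168.63.3:4864 -> x.x.x.x:80
TCP TTL:128 TOS:0x0 ID:41229 IpLen:20 DgmLen:420 DF
***AP*** Seq: 0x55C7FD49  Ack: 0x879C2314  Win: 0x4230  TcpLen: 20
47 45 54 20 2F 2E 2E 2F 2E 2E 2F 65 74 63 2F 70  GET /../../etc/p
61 73 73 77 64 20 48 54 54 50 2F 31 2E 31 0D 0A  asswd HTTP/1.1..
41 63 63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69  Accept: image/gi
66 2C 20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D  f, image/x-xbitm
61 70 2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20  ap, image/jpeg,
69 6D 61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70  image/pjpeg, app
6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D  lication/vnd.ms-
70 6F 77 65 72 70 6F 69 6E 74 2C 20 61 70 70 6C  powerpoint, appl
69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65  ication/vnd.ms-e
78 63 65 6C 2C 20 61 70 70 6C 69 63 61 74 69 6F  xcel, applicatio
6E 2F 6D 73 77 6F 72 64 2C 20 61 70 70 6C 69 63  n/msword, applic
61 74 69 6F 6E 2F 78 2D 73 68 6F 63 6B 77 61 76  ation/x-shockwav
65 2D 66 6C 61 73 68 2C 20 2A 2F 2A 0D 0A 41 63  e-flash, */*..Ac
63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 64  cept-Language: d
65 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  e..Accept-Encodi
6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74  ng: gzip, deflat
65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp
61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 35  atible; MSIE 5.5
3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 30  ; Windows NT 5.0
3B 20 54 33 31 32 34 36 31 29 0D 0A 48 6F 73 74  ; T312461)..Host
3A 20 77 77 77 2E 70 65 72 69 73 65 63 2E 64 65  : www.xxxxxxx.de
0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65  ..Connection: Ke
65 70 2D 41 6C 69 76 65 0D 0A 0D 0A              ep-Alive....
"""

# Constructed one-entry stand-in for the sid-msg.map given to barnyard -s.
SID_MSG_MAP = "1122 || WEB-MISC /etc/passwd\n"

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
EVENT_RE = re.compile(r"^Event ID: (\d+)\s+Event Reference: (\d+)$")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
LEN_RE = re.compile(r"(IpLen|DgmLen|TcpLen):\s*(\d+)")
HEX_ROW_RE = re.compile(r"^(?:[0-9A-F]{2} ){2,16}")


def parse_alert(text):
    """Split one log_dump record into header fields and the dumped payload."""
    lines = text.splitlines()
    gid, sid, rev, msg = HEADER_RE.match(lines[0]).groups()
    cls, prio = CLASS_RE.match(lines[1]).groups()
    event_id, event_ref = EVENT_RE.match(lines[2]).groups()
    ts, src, sport, dst, dport = FLOW_RE.match(lines[3]).groups()
    lens = {k: int(v) for k, v in LEN_RE.findall(" ".join(lines[4:6]))}
    payload = bytearray()
    for line in lines[6:]:
        if HEX_ROW_RE.match(line):
            # 16 bytes per row in a 48-column hex field; the printable
            # rendering to the right of it is not parsed.
            payload += bytes.fromhex(line[:48])
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "classification": cls, "priority": int(prio),
            "event_id": int(event_id), "event_ref": int(event_ref),
            "timestamp": ts, "src": (src, int(sport)), "dst": (dst, int(dport)),
            **lens, "payload": bytes(payload)}


def payload_length_matches(alert):
    """True when the dumped bytes equal DgmLen - IpLen - TcpLen, i.e. the
    whole TCP payload reached the dump and nothing was truncated."""
    expected = alert["DgmLen"] - alert["IpLen"] - alert["TcpLen"]
    return len(alert["payload"]) == expected


def request_line(alert):
    """First line of the HTTP request in the payload (what the rule hit on)."""
    return alert["payload"].split(b"\r\n", 1)[0].decode("latin-1")


def load_sid_msg_map(text):
    """Parse 'sid || msg [|| reference ...]' lines into {sid: msg}."""
    sidmap = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            sidmap[int(parts[0])] = parts[1]
    return sidmap


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(f"sid {alert['sid']} rev {alert['rev']}: {alert['msg']}")
    print(f"{alert['src']} -> {alert['dst']}  {request_line(alert)}")
    print("payload complete:", payload_length_matches(alert))
    print("sid-msg.map agrees:",
          load_sid_msg_map(SID_MSG_MAP)[alert["sid"]] == alert["msg"])
```

For the posted record the length check passes: 420 - 20 - 20 = 380 bytes, and 23 full rows of 16 plus a final row of 12 is exactly 380, so the dump carries the entire request up to the terminating blank line. Running the same parser over the log produced under each snort option is a quick way to confirm that the records really are byte-for-byte identical rather than merely looking alike.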