[Snort-users] Base Barnyard and Unified Logs

Esler, Joel CNTR/Sytex joel.esler at ...9426...
Mon Mar 14 14:41:06 EST 2005


BASE gets it's info from the database.  What you put in the database is
up to you.  BASE reads it raw out of the database.  I agree with
everyone else, I think your sid-msg.map is messed up.  I would point
barnyard at your sid-msg.map that is updated.  (I would also recommend
using IDSPM to manage your rules and auto-fix your sid-msg.map)

BASE does not read raw files, it will not read your sid-msg.map.  I had
a discussion with Marty recently about possibly generating the sid-
msg.map on startup, or some kind of method to autogenerate it so this
type of thing does not happen.

Joel Esler
BASE Project Lead

On Mon, 2005-03-14 at 17:30 -0500, Wes Young wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I know... I have done that... which is why Aanval works...
> 
> but Base Does not.... trying to figure that part out (where base gets
> all it's info)
> 
> Paul Schmehl wrote:
> | --On Monday, March 14, 2005 04:05:36 PM -0500 Wes Young
> | <wcyoung at ...12754...> wrote:
> |
> |>
> |> I thought barnyard uses the sid-msg.map to read the sid and then inserts
> |> ~ the sig details to the DB, no? I don't specify the sid-msg.map anywhere
> |> else, hense why Aanval works perfectly, but base, does not.
> |>
> | You *do* have to tell barnyard where the sid-msg.map is.  Otherwise it
> | will not be able to parse the sids to msgs.
> |
> | You do it one of two ways:
> |
> | In the config file:
> | config sid-msg-map: /path/to/sig-msg.map
> |
> | On the commandline:
> | barnyard -s /path/to/sid-msg.map
> |
> | Paul Schmehl (pauls at ...6838...)
> | Adjunct Information Security Officer
> | The University of Texas at Dallas
> | AVIEN Founding Member
> | http://www.utdallas.edu
> |
> |
> 
> - --
> Wes Young
> Network Security Analyst
> University at Buffalo
> GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> 
> iD8DBQFCNhCT1M5o0FsrrbERAn9eAJ9YT7Cew3I7vemWhhSvyfhUu0VdeACgh4ml
> BM/OQflMZU5yQXEIgTKWIoU=
> =6Eoc
> -----END PGP SIGNATURE-----
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Esler, Joel CNTR/Sytex <joel.esler at ...9426...>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050314/40610d56/attachment.html>


More information about the Snort-users mailing list