[Snort-users] Base Barnyard and Unified Logs
Esler, Joel CNTR/Sytex
joel.esler at ...9426...
Mon Mar 14 14:41:06 EST 2005
BASE gets its info from the database. What you put in the database is
up to you. BASE reads it raw out of the database. I agree with
everyone else, I think your sid-msg.map is messed up. I would point
barnyard at your sid-msg.map that is updated. (I would also recommend
using IDSPM to manage your rules and auto-fix your sid-msg.map)
BASE does not read raw files, it will not read your sid-msg.map. I had
a discussion with Marty recently about possibly generating the
sid-msg.map on startup, or some kind of method to autogenerate it so this
type of thing does not happen.
BASE Project Lead
On Mon, 2005-03-14 at 17:30 -0500, Wes Young wrote:
> I know... I have done that... which is why Aanval works...
> but Base does not.... trying to figure that part out (where base gets
> all its info)
> Paul Schmehl wrote:
> | --On Monday, March 14, 2005 04:05:36 PM -0500 Wes Young
> | <wcyoung at ...12754...> wrote:
> |> I thought barnyard uses the sid-msg.map to read the sid and then inserts
> |> the sig details to the DB, no? I don't specify the sid-msg.map anywhere
> |> else, hence why Aanval works perfectly, but base, does not.
> | You *do* have to tell barnyard where the sid-msg.map is. Otherwise it
> | will not be able to parse the sids to msgs.
> | You do it one of two ways:
> | In the config file:
> | config sid-msg-map: /path/to/sig-msg.map
> | On the commandline:
> | barnyard -s /path/to/sid-msg.map
> | Paul Schmehl (pauls at ...6838...)
> | Adjunct Information Security Officer
> | The University of Texas at Dallas
> | AVIEN Founding Member
> | http://www.utdallas.edu
> --
> Wes Young
> Network Security Analyst
> University at Buffalo
> GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
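Joel's idea of regenerating the map and Paul's reminder that barnyard must be pointed at it both come down to keeping sid-msg.map in step with the rules files. As an added example (not code from this thread or from the Snort, Barnyard or BASE projects), the Python script below builds `sid || msg || ref` lines from rule text and reports sids that a stale map lacks or names differently; the rule lines and the stale map are constructed samples.

```python
import re

# Constructed sample inputs (not from the thread): two rules and a stale map
# in which sid 1000002 is missing and sid 1000001 carries an old message.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"WEB-MISC example probe"; reference:url,example.com/probe; sid:1000001; rev:2;)
# commented-out rules are skipped
alert udp any any -> any 53 (msg:"DNS example query"; reference:cve,2005-0000; sid:1000002; rev:1;)
"""
STALE_MAP = "1000001 || WEB-MISC old probe name || url,example.com/probe\n"

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')
REF_RE = re.compile(r'\breference:\s*([^;]+);')

def parse_rules(text):
    """Return {sid: (msg, [refs])} for each active rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid, msg = SID_RE.search(line), MSG_RE.search(line)
        if sid and msg:
            refs = [r.strip() for r in REF_RE.findall(line)]
            rules[int(sid.group(1))] = (msg.group(1), refs)
    return rules

def build_sid_msg_map(rules):
    """Render 'sid || msg || ref || ref' lines, the layout barnyard reads."""
    lines = [" || ".join([str(sid), msg] + refs) for sid, (msg, refs) in sorted(rules.items())]
    return "\n".join(lines) + "\n"

def parse_sid_msg_map(text):
    """Return {sid: msg} from an existing map; references after msg are ignored here."""
    out = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            out[int(parts[0])] = parts[1]
    return out

def check_map(rules, map_text):
    """Report sids the map lacks and sids whose msg no longer matches the rule."""
    current = parse_sid_msg_map(map_text)
    missing = sorted(sid for sid in rules if sid not in current)
    stale = sorted(sid for sid, (msg, _) in rules.items() if sid in current and current[sid] != msg)
    return {"missing": missing, "stale": stale}

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(check_map(rules, STALE_MAP))  # {'missing': [1000002], 'stale': [1000001]}
    print(build_sid_msg_map(rules), end="")
```

Running `check_map` against the map barnyard is actually configured with (via `config sid-msg-map:` or `-s`) tells you whether the names BASE shows can possibly be right before you look at the database.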