[Snort-users] Base Barnyard and Unified Logs

Paul Schmehl pauls at ...6838...
Mon Mar 14 14:50:34 EST 2005


--On Monday, March 14, 2005 05:30:43 PM -0500 Wes Young 
<wcyoung at ...12754...> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I know... I have done that... which is why Aanval works...
>
Then the problem isn't barnyard.

> but Base Does not.... trying to figure that part out (where base gets
> all its info)
>
Base gets its info from the db.  If you run the following query, you will 
see what's there:
select sig_id,sig_name from signature;

If you have entries in there that look like this:
Snort Alert [1:3192:0]

Then you either don't have an entry for the signature (e.g. sid:3192) in 
the sid-msg.map or you need to restart barnyard so it can parse the file 
again.  Every time the sid-msg.map changes, barnyard has to be HUP'd so it 
can reread the file.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

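As an added example (not part of this thread or of BASE/barnyard), a small Python check for the situation described above: it parses sid-msg.map and, for every signature-table row still named like "Snort Alert [1:3192:0]", reports whether the sid is absent from the map (so an entry must be added) or present (so barnyard only needs a HUP to reread the file). The sample map and table rows below are constructed, not real rule data.

```python
import re

# Name barnyard writes when it cannot resolve a sid via sid-msg.map.
PLACEHOLDER = re.compile(r"^Snort Alert \[(\d+):(\d+):(\d+)\]$")

# Constructed sample of sid-msg.map ("sid || msg || ref || ..." per line).
SID_MSG_MAP = """\
# constructed sample, not a real sid-msg.map
3192 || CONSTRUCTED message for sid 3192 || url,example.invalid
1000 || CONSTRUCTED message for sid 1000
"""

# Constructed rows as returned by: select sig_id,sig_name from signature;
SIGNATURE_ROWS = [
    (1, "CONSTRUCTED message for sid 1000"),  # already resolved
    (2, "Snort Alert [1:3192:0]"),            # in the map: barnyard not HUP'd
    (3, "Snort Alert [1:99999:0]"),           # not in the map: entry missing
]


def parse_sid_msg_map(text):
    """Return {sid: msg} from sid-msg.map text; skips blanks and '#' comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # malformed line; barnyard would not resolve it either
        mapping[int(fields[0])] = fields[1]
    return mapping


def find_unresolved(sig_rows, sid_map):
    """For each placeholder-named row give (sig_id, sid, status).

    'missing': sid not in sid-msg.map, add an entry.
    'stale':   sid is in the map, barnyard must be HUP'd to reread it.
    'not-sid-map': generator id != 1, not resolved through sid-msg.map at all.
    """
    out = []
    for sig_id, sig_name in sig_rows:
        m = PLACEHOLDER.match(sig_name)
        if not m:
            continue
        gid, sid, _rev = (int(x) for x in m.groups())
        status = ("not-sid-map" if gid != 1 else
                  "stale" if sid in sid_map else "missing")
        out.append((sig_id, sid, status))
    return out


def check_sample():
    """Run the check over the constructed sample data."""
    return find_unresolved(SIGNATURE_ROWS, parse_sid_msg_map(SID_MSG_MAP))
```

Against a live setup, replace the constructed strings with the real sid-msg.map contents and the output of the select above.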