[Snort-users] Problems with so_rules+base+barnyard2.

David Guimaraes skysbsb at ...11827...
Fri Aug 6 20:48:35 EDT 2010


Hello.. I follow this post
(http://eatingsecurity.blogspot.com/2008/10/snort-shared-object-rules-with-sguil.html)
to make so_rules stub. These stubs were generated fine, but the
problem is that barnyard do not translate these stubs rules correctly.

I followed the right step to append the generated rules to
/etc/snort/gen-msg.map (using oinkmaster create-sid tool), and i
configured barnyard.conf according.

barnyard config:
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:                /etc/snort/sid-msg.map

gen-msg.map:
1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
3 || 10126 || WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt
3 || 10127 || DOS Microsoft IP Options denial of service
..

But when some so_rules fire, I looked at BASE, and I saw this:
[snort] Snort Alert [1:14644:0]

I think barnyard is not catching(translating) these alerts correctly,
right? What should I do?

Thanks.

-- 
David




More information about the Snort-users mailing list