[Snort-users] Problems with so_rules+base+barnyard2.

JJ Cummings cummingsj at ...11827...
Fri Aug 6 21:39:06 EDT 2010


And this file is created automatically if you use pulledpork

Sent from the iRoad

On Aug 6, 2010, at 19:04, Nigel Houghton <nhoughton at ...1935...> wrote:

> On Fri, 6 Aug 2010 21:48:35 -0300, David Guimaraes wrote:
>> Hello. I followed this post
>> (http://eatingsecurity.blogspot.com/2008/10/snort-shared-object-rules-with-sguil.html)
>> to make so_rules stubs. The stubs were generated fine, but the
>> problem is that barnyard does not translate these stub rules correctly.
>> 
>> I followed the right steps to append the generated rules to
>> /etc/snort/gen-msg.map (using the oinkmaster create-sid tool), and I
>> configured barnyard.conf accordingly.
>> 
>> barnyard config:
>> config reference_file:      /etc/snort/reference.config
>> config classification_file: /etc/snort/classification.config
>> config gen_file:            /etc/snort/gen-msg.map
>> config sid_file:            /etc/snort/sid-msg.map
>> 
>> gen-msg.map:
>> 1 || 1 || snort general alert
>> 2 || 1 || tag: Tagged Packet
>> 3 || 10126 || WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt
>> 3 || 10127 || DOS Microsoft IP Options denial of service
>> ..
>> 
>> But when some so_rules fire, I looked at BASE, and I saw this:
>> [snort] Snort Alert [1:14644:0]
>> 
>> I think barnyard is not catching (translating) these alerts correctly,
>> right? What should I do?
>> 
>> Thanks.
> 
> The file you need to append the information to is the sid-msg.map not 
> the gen-msg.map.
> 
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
> 



