[Snort-users] BASE sensor name

Lay, James james.lay at ...15009...
Mon Aug 1 11:18:10 EDT 2011

That -F didn't make a difference, bummer, but eh...I'll deal with it.  As
for db logging, I'm trying to get the best of both worlds...direct to db
via snort for BASE, and using barnyard2 for sguil...maybe not the best
way, but eh...I want to have a couple frontends to work with for
reporting and whatnot.  Thanks gents.
From: Matthew Jonkman [mailto:jonkman at ...15020...] 
Sent: Monday, August 01, 2011 9:11 AM
To: Lay, James
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] BASE sensor name


That's normal behavior actually. Used to have the issue long ago.


If you change the bpf filter it'll create a new sensor instance in the
db each time. A bit annoying, but likely useful in retrospect when
investigating to know what the bpf was.


This may be different if you use barnyard for your sql connection
though, which is more effective anyway. (assuming you're not already?)
On Aug 1, 2011, at 11:04 AM, Lay, James wrote:

Heh...me either Joel...first time.  I'll give that filter file a shot
though...sounds like just what I need.  Thank you.  Here's a
snap...really wild.
From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Monday, August 01, 2011 8:47 AM
To: Lay, James
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] BASE sensor name


Huh.  Never heard that one before James.


How are you logging?  (output method)


You might want to try loading the bpf in a file and then calling the
file through -F
On Aug 1, 2011, at 10:42 AM, Lay, James wrote:

Hey all!


Real quick...seems like when I start snort with a tcpdump style filter
(snort -c snort.conf "ip and not host blah blah blah") my sensor name
shows up as the sensorname:interface:tcpdumpfilter.  Anyone else seen
anything like this?  It's not a complete pain...just looks kinda dumb ;)
Didn't see any fixes after googling, so I thought I'd ask here.  Thanks
all...have a great week :)

Matthew Jonkman

Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110

PGP: http://www.jonkmans.com/mattjonkman.asc
