[Snort-users] BASE sensor name

Lay, James james.lay at ...15009...
Mon Aug 1 11:18:10 EDT 2011


That -F didn't make a difference, bummer but eh... I'll deal with it.  As
for db logging, I'm trying to get the best of both worlds... direct to db
via snort for BASE, and using barnyard2 for sguil... maybe not the best
way, but eh... I want to have a couple frontends to work with for
reporting and whatnot.  Thanks gents.

james

 

From: Matthew Jonkman [mailto:jonkman at ...15020...] 
Sent: Monday, August 01, 2011 9:11 AM
To: Lay, James
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] BASE sensor name

 

That's normal behavior actually. Used to have the issue long ago.

 

If you change the bpf filter it'll create a new sensor instance in the
db each time. A bit annoying, but likely useful in retrospect when
investigating to know what the bpf was.

 

This may be different if you use barnyard for your sql connection
though, which is more effective anyway. (assuming you're not already?)

 

Matt

 

On Aug 1, 2011, at 11:04 AM, Lay, James wrote:

Heh... me neither, Joel... first time.  I'll give that filter file a shot
though... sounds like just what I need.  Thank you.  Here's a
snap... really wild.

 

http://i290.photobucket.com/albums/ll269/DigiDemon/MWSnap035.jpg

 

James

 

From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Monday, August 01, 2011 8:47 AM
To: Lay, James
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] BASE sensor name

 

Huh.  Never heard that one before James.

 

How are you logging?  (output method)

 

You might want to try loading the bpf in a file and then calling the
file through -F

 

Joel

 

On Aug 1, 2011, at 10:42 AM, Lay, James wrote:

Hey all!

Real quick... seems like when I start snort with a tcpdump-style filter
(snort -c snort.conf "ip and not host blah blah blah") my sensor name
shows up as sensorname:interface:tcpdumpfilter.  Anyone else seen
anything like this?  It's not a complete pain... just looks kinda dumb ;)
Didn't see any fixes after googling, so I thought I'd ask here.  Thanks
all... have a great week :)

 

James

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation

 


----------------------------------------------------
Matthew Jonkman

Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
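As an added illustration, and not code from this thread, from Snort, or from BASE: a small sqlite3 model of the lookup-or-insert behaviour Matt describes, where the sensor row is matched on the BPF string as well as on hostname and interface, so a different filter on the command line produces a new sensor id while the same filter reuses the old one. It also includes the query an analyst would run when one box shows up as several sensors, listing each sid with its filter and event count. The column names (sid, hostname, interface, filter, detail, encoding, last_cid) follow the Snort database schema as I recall it and the hostname:interface:filter display format follows James's report; treat both as assumptions. The hostnames, filters and timestamps are constructed.

```python
import sqlite3

# Constructed, minimal stand-in for the Snort/BASE "sensor" and "event"
# tables. Column names are an assumption based on the Snort create_* schema,
# not a copy of it.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT,
    interface TEXT,
    filter    TEXT,
    detail    INTEGER,
    encoding  INTEGER,
    last_cid  INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register_sensor(conn, hostname, interface, bpf, detail=1, encoding=0):
    """Find the sensor row matching (hostname, interface, filter, detail,
    encoding); insert one if none exists. Returns the sid.

    Because the BPF string is part of the match key, a changed filter never
    matches an existing row and therefore gets a fresh sid, which is the
    behaviour the thread describes. 'IS' is used so a NULL filter (no BPF
    given) compares equal to NULL."""
    row = conn.execute(
        "SELECT sid FROM sensor WHERE hostname=? AND interface=? "
        "AND filter IS ? AND detail=? AND encoding=?",
        (hostname, interface, bpf, detail, encoding),
    ).fetchone()
    if row:
        return row[0]
    cur = conn.execute(
        "INSERT INTO sensor (hostname, interface, filter, detail, encoding) "
        "VALUES (?, ?, ?, ?, ?)",
        (hostname, interface, bpf, detail, encoding),
    )
    conn.commit()
    return cur.lastrowid


def log_event(conn, sid, signature, timestamp):
    """Allocate the next cid for this sensor and store one event under it."""
    (last_cid,) = conn.execute(
        "SELECT last_cid FROM sensor WHERE sid=?", (sid,)).fetchone()
    cid = last_cid + 1
    conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                 (sid, cid, signature, timestamp))
    conn.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (cid, sid))
    conn.commit()
    return cid


def sensors_with_event_counts(conn):
    """The check to run when one host appears as several sensors: each sid,
    its display name (assumed hostname:interface:filter, filter omitted when
    NULL) and how many events landed under it."""
    rows = conn.execute(
        "SELECT s.sid, s.hostname, s.interface, s.filter, COUNT(e.cid) "
        "FROM sensor s LEFT JOIN event e ON e.sid = s.sid "
        "GROUP BY s.sid ORDER BY s.sid").fetchall()
    out = []
    for sid, host, iface, bpf, n in rows:
        name = f"{host}:{iface}" + (f":{bpf}" if bpf else "")
        out.append((sid, name, n))
    return out


def demo():
    """Four hypothetical snort starts on the same host and interface."""
    conn = open_db()
    sid_a = register_sensor(conn, "ids01", "eth1", None)      # no BPF
    log_event(conn, sid_a, 2000001, "2011-08-01 10:42:00")
    sid_b = register_sensor(conn, "ids01", "eth1", "ip and not host 10.0.0.5")
    log_event(conn, sid_b, 2000001, "2011-08-01 11:04:00")
    sid_c = register_sensor(conn, "ids01", "eth1", "ip and not host 10.0.0.5")
    log_event(conn, sid_c, 2000002, "2011-08-01 11:18:00")    # reuses sid_b
    sid_d = register_sensor(conn, "ids01", "eth1", "ip and not host 10.0.0.6")
    return conn, (sid_a, sid_b, sid_c, sid_d)                 # edited BPF: new sid


if __name__ == "__main__":
    conn, sids = demo()
    for sid, name, n in sensors_with_event_counts(conn):
        print(f"sid={sid} events={n} {name}")
```

Nothing here changes what Snort writes; it only models why the same box turns into several BASE sensors and gives the query to see which sid carried which filter while investigating.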



 
