[Snort-users] trying this again (UNCLASSIFIED)

Peter Bates peter.bates at ...15381...
Fri Dec 14 12:02:09 EST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Dear all

On 14/12/2012 16:42, Cass, Mark A CTR (US) wrote:
> I'll need to specify the -f option for barnyard2 and tell it the prefix naming convention of the files it needs to input to log to mysql database?  The reason for the barnyard2 aborting was because the test rule did not have a "rev:xxx" at the top of the text file?  So when I downloaded the new rules from pulled pork, and commented out the test rule, should the rules downloaded from pulled pork not have had a revision with it already?  I'm going to have to go into a thousand files and manually add "rev:(some number)" to them all in order for it to work?  That seems really ridiculous.  And would I have to do this manually every time the rules are updated?

In your snort.conf you'll have a line similar to

output unified2: filename snort.log, limit 128

and probably not enable any other outputs.

Snort when running will then be writing 

snort.log.xxxxx

into a directory specified by -l on the snort command line
or in your snort.conf

Your Barnyard2 command line will then include

- -d /var/log/snort -f snort.log

which relate to your chosen output directory and output filename.

Downloading your rules with PP - the rule files will contain revisions and signature ids
and it should also generate sid-msg.map which is used by Barnyard to map the ids to particular
events when writing to the database.
 
> The last thing about the -G and -S options, I'm totally lost.  I'm just running it how the guide told me to, with those options.  You're saying that at this point, the -G -S options are not allowing barnyard2 to write the data to mysql?

I'm running with -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map
- - obviously the last one is the location of the file generated by PulledPork.

- -- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQEcBAEBAgAGBQJQy1uRAAoJELhVoVpEMS6RbY0IALcYWrwemdk05heFGdHXD0qU
uxZOR2fa7XZmkqwJeYLVL1amDWXEl9hVBnGBHYjiyYvfAFoSmKcx/foeKl0+nxHJ
Bt6wvlJTSUxrPJNXOWpWZIKwtHJIgG6ndnLoHPqCikinGfeq+x4zCaqJtbuO1xyl
WOk1rRX72qj+V7OfKaEDecv6x4BMcQ0b8x7LVCyEEJrO/2qPModP7YOKwG+19rjE
v36hHkYeNCrO35h8bqfnQEre0c6NgxU2LAiYPqVsTY0NIXFRW4mAsKujODKoeuTO
GZdC8mQJ+S/JNvyLCKPhB8dwywyj1yykzKDSiNySlSJEgt6Q9FCsBaGhJU7HKkA=
=OpKM
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list