[Snort-users] trying this again (UNCLASSIFIED)
peter.bates at ...15381...
Fri Dec 14 12:02:09 EST 2012
On 14/12/2012 16:42, Cass, Mark A CTR (US) wrote:
> I'll need to specify the -f option for barnyard2 and tell it the prefix naming convention of the files it needs to input to log to mysql database? The reason for the barnyard2 aborting was because the test rule did not have a "rev:xxx" at the top of the text file? So when I downloaded the new rules from pulled pork, and commented out the test rule, should the rules downloaded from pulled pork not have had a revision with it already? I'm going to have to go into a thousand files and manually add "rev:(some number)" to them all in order for it to work? That seems really ridiculous. And would I have to do this manually every time the rules are updated?
In your snort.conf you'll have a line similar to
output unified2: filename snort.log, limit 128
and probably not enable any other outputs. Snort, when running, will then be writing into a directory specified by -l on the snort command line or in your snort.conf. Your Barnyard2 command line will then include
-d /var/log/snort -f snort.log
which relate to your chosen output directory and output filename.
Downloading your rules with PP, the rule files will contain revisions and signature ids, and it should also generate sid-msg.map, which is used by Barnyard to map the ids to particular events when writing to the database.
> The last thing about the -G and -S options, I'm totally lost. I'm just running it how the guide told me to, with those options. You're saying that at this point, the -G -S options are not allowing barnyard2 to write the data to mysql?
I'm running with -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map - obviously the last one is the location of the file generated by PulledPork.
Senior Information Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
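As an added illustration (not code from the thread or from PulledPork), the Python below checks rule lines for the missing rev that makes barnyard2 abort and emits the "sid || msg" lines barnyard2 reads from sid-msg.map; the sample rules are constructed and the v1 "sid || msg" layout is an assumption.

```python
import re

# Constructed sample rules: the second one lacks a rev option, which is the
# situation described in the thread (barnyard2 aborts on a rule with no rev).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"TEST web probe"; content:"/probe"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"TEST icmp without rev"; sid:1000002;)
# alert udp any any -> any 53 (msg:"commented out"; sid:1000003; rev:2;)
"""

# Matches the option keywords we care about, with a quoted or bare value.
OPTION_RE = re.compile(r'\b(msg|sid|rev|gid)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+)\s*;')


def parse_rule(line):
    """Return {'gid','sid','rev','msg'} for one rule line, or None for
    blank/comment lines. Missing options are reported as None."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    opts = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(line)}
    return {
        'gid': int(opts.get('gid', 1)),  # gid defaults to 1 in Snort
        'sid': int(opts['sid']) if 'sid' in opts else None,
        'rev': int(opts['rev']) if 'rev' in opts else None,
        'msg': opts.get('msg'),
    }


def check_rules(text):
    """List (line_number, problem) for rules missing sid or rev."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        r = parse_rule(line)
        if r is None:
            continue
        if r['sid'] is None:
            problems.append((n, 'missing sid'))
        if r['rev'] is None:
            problems.append((n, 'missing rev'))
    return problems


def build_sid_msg_map(text):
    """Emit sid-msg.map v1 style lines ('sid || msg') for rules with a sid
    (assumed layout; PulledPork normally generates this file for you)."""
    entries = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r and r['sid'] is not None:
            entries.append(f"{r['sid']} || {r['msg']}")
    return entries
```

Running check_rules over a rules directory before starting barnyard2 shows which line to fix rather than waiting for barnyard2 to abort.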