[Snort-users] trying this again (UNCLASSIFIED)
beenph at ...11827...
Fri Dec 14 20:41:39 EST 2012
On Fri, Dec 14, 2012 at 8:18 PM, beenph <beenph at ...11827...> wrote:
Oops, my previous message was incomplete!
I added the missing part below.
> So when I downloaded the new rules from PulledPork, and commented out
> the test rule, should the rules downloaded from PulledPork not have had
> a revision with it already?
Yes, but not in the test rule that you created.
> I'm going to have to go into a thousand files and manually add
> "rev:(some number)" to them all in order for it to work?
> That seems really ridiculous. And would I have to do this manually every
> time the rules are updated?
Thousands of files?
What happened is that you probably ran Snort a few times with your test rule
(started and stopped it), and this probably generated a few unified2 files.
Since those files contain events with a signature with a revision of 0, you
will need to delete those before processing new unified2 files.
> The last thing about the -G and -S options, I'm totally lost. I'm just
> running it how the guide told me to, with those options.
> You're saying that at this point, the -G -S options are not allowing
> barnyard2 to write the data to mysql?
Well, maybe, but you should read back what I said and also read the barnyard2
help for the different command line options.
What I wanted to highlight is that since you specified the -G and -S options,
you should comment out the analogous configuration file directives in the
barnyard2.conf file, OR do not provide the -G and -S command line arguments
and use the configuration directives; otherwise you will get the "signature
duplicate warning" when using the database.
I hope this clarifies some stuff that could have been obscure.
Sorry for the two e-mails on the same reply.
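The reply above says the stale unified2 files are the ones carrying events whose signature revision is 0. As an added example (not code from the thread or from the barnyard2 project), here is a small parser that walks a unified2 stream and lists those rev-0 events, so an operator can tell which spool files would trip the duplicate-signature path before deciding what to do with them. It assumes the standard 8-byte big-endian record header and the legacy (type 7) and VLAN (type 104) IPv4 event layouts; the sample bytes are constructed inline, not a real capture.

```python
import struct

# unified2 record types and the size of their event bodies (Snort unified2 format)
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with MPLS/VLAN fields, 60-byte body
UNIFIED2_PACKET = 2             # packet record; carries no signature, skipped here
EVENT_TYPES = {UNIFIED2_IDS_EVENT: 52, UNIFIED2_IDS_EVENT_VLAN: 60}

def iter_records(data):
    """Yield (rec_type, body) for each record; header is big-endian (type, length)."""
    off = 0
    while off + 8 <= len(data):
        rec_type, length = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + length]
        if len(body) < length:
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rec_type, body
        off += 8 + length

def events_with_rev(data):
    """Return (gid, sid, rev) for every IDS event record in the stream."""
    out = []
    for rec_type, body in iter_records(data):
        if rec_type not in EVENT_TYPES:
            continue
        # after sensor_id, event_id, event_second, event_microsecond (16 bytes)
        # come signature_id, generator_id, signature_revision
        sid, gid, rev = struct.unpack_from(">III", body, 16)
        out.append((gid, sid, rev))
    return out

def rev_zero_events(data):
    """Events that would be recorded with signature revision 0 (e.g. a rule lacking rev:)."""
    return [e for e in events_with_rev(data) if e[2] == 0]

def rev_zero_in_file(path):
    """Same check over an on-disk spool file such as snort.unified2.<timestamp>."""
    with open(path, "rb") as fh:
        return rev_zero_events(fh.read())

def build_event(sid, gid, rev, rec_type=UNIFIED2_IDS_EVENT):
    """Construct a minimal event record for the sample stream (constructed data)."""
    size = EVENT_TYPES[rec_type]
    body = bytearray(size)
    struct.pack_into(">III", body, 16, sid, gid, rev)
    return struct.pack(">II", rec_type, size) + bytes(body)

# constructed sample: a local test rule with no rev, a rev 5 rule, and a packet record
SAMPLE = (build_event(1000001, 1, 0)
          + build_event(2001, 1, 5, UNIFIED2_IDS_EVENT_VLAN)
          + struct.pack(">II", UNIFIED2_PACKET, 4) + b"\x00" * 4)
```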