[Snort-users] Barnyard2 configuration and event generation

Steve Marotta smarotta at ...16014...
Wed Dec 19 15:05:49 EST 2012


Ah, excellent. So what I'm interested in are the alerts. I looked in /var/log/snort as well as the directory I specified as my logfile directory, and I didn't see any recent alert files. Did I inadvertently disable them in my conf file, or is there another place I should be looking?

From: beenph [mailto:beenph at ...11827...]
Sent: Wednesday, December 19, 2012 1:44 PM
To: Steve Marotta
Cc: snort-users at lists.sourceforge.net; barnyard2-users at ...14071...
Subject: Re: [Snort-users] Barnyard2 configuration and event generation

Thats the syslog output.

-elz


On Wed, Dec 19, 2012 at 1:39 PM, Steve Marotta <smarotta at ...16014...> wrote:
Okay, that's closer. Here, I have an example of the sort of thing that I'm looking for. I have log files generated by some process that is unknown to me, but it's along the lines of the kind of detail that I want. I want to know how to generate output similar to the following:

10/01/06-17:14:08.905284  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.7 -> 100.10.20.3
10/01/06-17:14:08.906552  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.7 -> 100.10.20.3
10/01/06-17:14:08.909629  [**] [1:3003:4] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.7:3045 -> 100.10.20.3:445
10/01/06-17:14:08.912910  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.7:3045 -> 100.10.20.3:445
10/01/06-17:14:14.394597  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.8 -> 100.10.20.3
10/01/06-17:14:14.395833  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.8 -> 100.10.20.3
10/01/06-17:14:14.398579  [**] [1:3003:4] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.8:3054 -> 100.10.20.3:445
10/01/06-17:14:14.401683  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.8:3054 -> 100.10.20.3:445
10/01/06-17:14:20.129381  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.10 -> 100.10.20.3
10/01/06-17:14:20.130816  [**] [1:466:4] ICMP L3retriever Ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 100.10.20.10 -> 100.10.20.3
10/01/06-17:14:20.133548  [**] [1:3003:4] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.10:3145 -> 100.10.20.3:445
10/01/06-17:14:20.136576  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 100.10.20.10:3145 -> 100.10.20.3:445






THIS MESSAGE IS INTENDED FOR THE USE OF THE PERSON TO WHOM IT IS ADDRESSED. IT MAY CONTAIN INFORMATION THAT IS PRIVILEGED, CONFIDENTIAL AND EXEMPT FROM DISCLOSURE UNDER APPLICABLE LAW. If you are not the intended recipient, your use of this message for any purpose is strictly prohibited. If you have received this communication in error, please delete the message and notify the sender so that we may correct our records.










THIS MESSAGE IS INTENDED FOR THE USE OF THE PERSON TO WHOM IT IS ADDRESSED. IT MAY CONTAIN INFORMATION THAT IS PRIVILEGED, CONFIDENTIAL AND EXEMPT FROM DISCLOSURE UNDER APPLICABLE LAW. If you are not the intended recipient, your use of this message for any purpose is strictly prohibited. If you have received this communication in error, please delete the message and notify the sender so that we may correct our records.









More information about the Snort-users mailing list