[Snort-users] Warning - corrupted waldo file
peter.bates at ...15381...
Sun Oct 7 17:59:01 EDT 2012
On 07/10/2012 22:17, AllowOverride wrote:
> 1. So best to remove older snort.logs when I restart snort or
> pulledpork.pl is run?
When all is running okay, you shouldn't have to remove the older logs.
I have a morning cronjob to run PP that also then does
    service snort restart
    service barnyard2 restart
- but PP can do this by itself if you give it the right PID information.
You need to restart barnyard2 after a rule update, as sid-msg.map is
updated, which is essentially the file that maps the SIDs to names for
barnyard to log the correct information to MySQL - otherwise you start
logging a generic 'Snort Alert xxx'.
> 2. Does waldo need to be there right now? I don't think there is
> enough traffic to warrant it...
While you are still testing, each time I would (personally):
- delete (or move out of the way) snort.log/alert/waldo
- start snort (a new snort.log should be created)
- start barnyard2 (a new waldo file will be made and snort.log
  should be processed).
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
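The clean-restart sequence described in the reply above, as an added shell example that is not part of the original post or of Snort/Barnyard2 themselves. It assumes the log directory is /var/log/snort, that the waldo bookmark is named barnyard2.waldo, and that the sensor is restarted with the `service` command; all three are assumptions to adjust against your own snort.conf and barnyard2.conf. It moves the state files aside rather than deleting them, and restarts snort before barnyard2 so the new waldo is created against the new log.

```shell
#!/bin/sh
# Added example, not from the original post. Resets the Snort/Barnyard2 state
# the way the reply describes: move snort.log/alert/waldo aside, then start
# snort before barnyard2 so the new waldo is created against the new log.
# Assumptions: log directory /var/log/snort, waldo file named barnyard2.waldo,
# and "service" for restarts. Adjust to your snort.conf/barnyard2.conf.

# Move (rather than delete) the unified2 logs, the alert file and the waldo
# bookmark into a timestamped directory so nothing is lost if you need it.
# Prints the backup directory path; returns non-zero if it cannot be created.
rotate_snort_state() {
    logdir="$1"
    stamp="${2:-$(date +%Y%m%d%H%M%S)}"
    backup="$logdir/old.$stamp"
    mkdir -p "$backup" || return 1
    for f in "$logdir"/snort.log* "$logdir"/alert "$logdir"/barnyard2.waldo; do
        # an unmatched glob stays literal, so test before moving
        if [ -e "$f" ]; then
            mv "$f" "$backup"/
        fi
    done
    echo "$backup"
}

# Restart order matters: snort first, so a fresh snort.log exists; barnyard2
# second, so it creates a new waldo for that log and re-reads sid-msg.map,
# giving alerts their proper names instead of a generic 'Snort Alert'.
restart_sensor() {
    service snort restart && service barnyard2 restart
}

# Typical use after a PulledPork rule update (uncomment to run for real):
# rotate_snort_state /var/log/snort && restart_sensor
```

Run it from the same cronjob that invokes PulledPork, after the rule update has finished; the backup directory name is printed so the job's output records where the previous snort.log/alert/waldo went.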