[Snort-users] Warning - corrupted waldo file

Peter Bates peter.bates at ...15381...
Sun Oct 7 17:59:01 EDT 2012



Hello all

On 07/10/2012 22:17, AllowOverride wrote:
> 1. So best to remove older snort.logs when I restart snort or
> pulledpork.pl is run?

When all is running okay, you shouldn't have to remove the older logs.

I have a morning cronjob to run PP that also then does

service snort restart
service barnyard2 restart

- but PP can do this by itself if you give it the right PID information.

You need to restart barnyard2 after a rule update as sid-msg.map is
updated which is essentially the file that maps the SIDs to names for
barnyard to log the correct information to MySQL - otherwise you start
logging a generic 'Snort Alert xxx'.

> 2. Does waldo need to be there right now? I don't think there is
> enough traffic to warrant it...

While you are still testing, each time I would (personally)

stop snort
stop barnyard2
delete (or move out of the way) snort.log/alert/waldo
start snort (a new snort.log should be created)
start barnyard2 (a new waldo file will be made and snort.log
should be processed).

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
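The reset sequence from the reply, written up as an added example (not code from the original post or from the Snort/Barnyard2 projects) as a small POSIX sh function. It assumes the log directory is /var/log/snort and that the daemons are controlled with `service`; both are assumptions and can be overridden through the environment, which also allows a dry run in a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the original post: the reset sequence the reply
# describes, as a function. Order follows the post: stop snort, stop barnyard2,
# move snort.log*/alert/waldo out of the way, start snort (fresh snort.log),
# then start barnyard2 (fresh waldo). Files are moved to an archive directory
# instead of deleted so a corrupted waldo can still be examined afterwards.
# Assumptions (not stated in the post): logs live in /var/log/snort and the
# daemons are controlled with `service`; both can be overridden by environment.

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"
SERVICE_CMD="${SERVICE_CMD:-service}"   # set to "true" for a dry run

# reset_snort_state [logdir] [archive_dir]
# Prints the number of files moved; returns non-zero if any step fails, and
# does not start anything if a stop or a move failed.
reset_snort_state() {
    logdir="${1:-$SNORT_LOG_DIR}"
    archive="${2:-$logdir/archive-$(date +%Y%m%d-%H%M%S)}"

    "$SERVICE_CMD" snort stop     || return 1
    "$SERVICE_CMD" barnyard2 stop || return 1

    mkdir -p "$archive" || return 1
    moved=0
    # snort.log* also catches unified2 spool files named snort.log.<timestamp>
    for f in "$logdir"/snort.log* "$logdir"/alert "$logdir"/waldo; do
        [ -e "$f" ] || continue        # an unmatched glob stays literal; skip it
        mv "$f" "$archive"/ || return 1
        moved=$((moved + 1))
    done

    "$SERVICE_CMD" snort start     || return 1
    "$SERVICE_CMD" barnyard2 start || return 1
    echo "$moved"
}
```

Run it as root on the sensor with no arguments, or point it at another directory with `reset_snort_state /path/to/logs` while testing.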