[Snort-users] Warning - corrupted waldo file

Jeremy Hoel jthoel at ...11827...
Sun Oct 7 19:12:17 EDT 2012


That's fine... that's how I do it.
On Oct 7, 2012 4:40 PM, "AllowOverride" <allowoverride at ...11827...> wrote:

> is this ok in snort.conf?
>
> # site specific rules
> include $RULE_PATH/local.rules
> include $RULE_PATH/snort.rules
>
> the rest are #
>
> #include $RULE_PATH/attack-responses.rules
> #include $RULE_PATH/backdoor.rules
> #include $RULE_PATH/bad-traffic.rules
> #include $RULE_PATH/blacklist.rules
> #include $RULE_PATH/botnet-cnc.rules
> ........
>
>
> Your thoughts?
>
>
> ---------- Forwarded message ----------
> From: Peter Bates <peter.bates at ...15381...>
> To:
> Cc: <snort-users at lists.sourceforge.net>
> Date: Sun, 7 Oct 2012 22:59:01 +0100
> Subject: Re: [Snort-users] Warning - corrupted waldo file
>
>
> Hello all
>
> On 07/10/2012 22:17, AllowOverride wrote:
> > 1. So is it best to remove older snort.logs when I restart snort or
> > pulledpork.pl is run?
>
> When all is running okay, you shouldn't have to remove the older logs.
>
> I have a morning cronjob to run PP that also then does
>
> service snort restart
> service barnyard2 restart
>
> - but PP can do this by itself if you give it the right PID information.
>
> You need to restart barnyard2 after a rule update as sid-msg.map is
> updated which is essentially the file that maps the SIDs to names for
> barnyard to log the correct information to MySQL - otherwise you start
> logging a generic 'Snort Alert xxx'.
>
> > 2. Does waldo need to be there right now? I don't think there is
> > enough traffic to warrant it...
>
> While you are still testing, each time I would (personally)
>
> stop snort
> stop barnyard2
> delete (or move out of the way) snort.log/alert/waldo
> start snort (a new snort.log should be created)
> start barnyard2 (a new waldo file will be made and snort.log
> should be processed).
>
> --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
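The stop/clear/start routine Peter describes above, written out as a script. This is an added example, not code from the thread or from the Snort or Barnyard2 projects. It assumes things the thread does not state: that the spool lives in /var/log/snort, that the waldo file is /var/log/snort/barnyard2.waldo, that unified2 files are named snort.log.<epoch>, and that snort and barnyard2 are driven with `service`; all of these can be overridden through the LOG_DIR, WALDO and SERVICE_CMD variables. It moves the old snort.log/alert/waldo files into a timestamped directory instead of deleting them, and it refuses to start barnyard2 until snort has actually opened a new unified2 file, so barnyard2 is never started against an empty spool with a stale bookmark.

```bash
#!/usr/bin/env bash
# Added example: reset the snort -> unified2 -> barnyard2 spool while testing,
# in the order given in the thread (stop snort, stop barnyard2, clear the spool,
# start snort, start barnyard2). Paths and the `service` wrapper below are
# assumptions, not anything the thread states.

LOG_DIR="${LOG_DIR:-/var/log/snort}"                  # assumed spool directory
WALDO="${WALDO:-$LOG_DIR/barnyard2.waldo}"            # assumed waldo location
SERVICE_CMD="${SERVICE_CMD:-service}"                 # point at a stub to dry-run

# Print the spool artefacts currently present: unified2 files (snort.log*),
# the text alert file and the waldo bookmark. Nothing else in the directory
# is ever touched by this script.
spool_files() {
    local dir="$1" waldo="$2" f
    for f in "$dir"/snort.log* "$dir"/alert "$waldo"; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Move the spool aside into a timestamped directory rather than deleting it,
# so a botched restart cannot destroy alerts you may still want to replay
# through barnyard2 later. Prints the archive directory on success.
archive_spool() {
    local dir="$1" waldo="$2" archive f
    archive="$dir/archive-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$archive" || return 1
    spool_files "$dir" "$waldo" | while IFS= read -r f; do
        mv -- "$f" "$archive/" || exit 1
    done || return 1
    printf '%s\n' "$archive"
}

# Return 0 as soon as a snort.log* file exists in $1, 1 after $2 seconds.
# A timeout of 0 means "check once".
wait_for_unified2() {
    local dir="$1" timeout="$2" waited=0 f
    while :; do
        for f in "$dir"/snort.log*; do
            [ -e "$f" ] && return 0
        done
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
}

# The full reset. barnyard2 is only started once snort has created a fresh
# unified2 file; it then writes a new waldo and reads that file from offset 0.
reset_sensor() {
    local dir="${1:-$LOG_DIR}" waldo="${2:-$WALDO}" archive
    "$SERVICE_CMD" snort stop     || echo "snort was not running" >&2
    "$SERVICE_CMD" barnyard2 stop || echo "barnyard2 was not running" >&2
    archive="$(archive_spool "$dir" "$waldo")" || return 1
    echo "old spool moved to $archive"
    "$SERVICE_CMD" snort start || return 1
    if ! wait_for_unified2 "$dir" 10; then
        echo "snort created no unified2 file in $dir; not starting barnyard2" >&2
        return 1
    fi
    "$SERVICE_CMD" barnyard2 start
}

case "${1:-}" in
    reset) reset_sensor ;;
    list)  spool_files "$LOG_DIR" "$WALDO" ;;
esac
```

Run it as `./reset-spool.sh reset` (file name assumed), or `./reset-spool.sh list` to see what is currently sitting in the spool. For the morning rule update the same ordering applies after pulledpork.pl has run: PulledPork's `-H` option sends SIGHUP to the snort PIDs named by `pid_path` in pulledpork.conf, so snort can reload rules without a full restart, but barnyard2 still has to be restarted separately so that it re-reads the regenerated sid-msg.map.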