[Snort-users] Fwd: Re: barnyard2-1.10 major problem

Lawrence R. Hughes, Sr. lhughes at ...14822...
Thu Oct 25 09:40:25 EDT 2012


Beenph,

As you suggested yesterday to add the following:

"add  --alert-on-each-packet-in-stream in your barnyard2 command line
and it will work as expected."

This does not work. I have a unified2 file from snort that has 4 packets 
along with the alert, but barnyard2-1.10 is only inserting the first packet 
into the snort.data table???

So far we have increased the CACHED_EVENTS_MAX from 512 to 2048 and again 
to 4096 (did not help), and added --alert-on-each-packet-in-stream to the 
barnyard2 command line (did not help).

What do you suggest now to get barnyard2-1.10 to work as you say it should?
BTW it never worked in barnyard2-1.8 either.

Thanks,
Larry





----- Original Message ----- 
From: "beenph" <beenph at ...11827...>
To: "Jack" <kingofnerds at ...11827...>
Cc: <barnyard2-users at ...14071...>; "snort-users" 
<snort-users at lists.sourceforge.net>
Sent: Thursday, October 25, 2012 9:18 AM
Subject: Re: [Snort-users] Fwd: Re: barnyard2-1.10 major problem


> On Thu, Oct 25, 2012 at 9:13 AM, Jack <kingofnerds at ...11827...> wrote:
>> ---------- Forwarded message ----------
>> From: "Jack" <kingofnerds at ...11827...>
>> Date: Oct 25, 2012 9:11 AM
>> Subject: Re: [Snort-users] barnyard2-1.10 major problem
>> To: "beenph" <beenph at ...11827...>
>>
>> Last time I enabled the alert on each packet, I just got more alerts; what
>> I think is being requested is to have all the packets in a single alert
>> for one event
>
>
>
> On Thu, Oct 25, 2012 at 9:11 AM, Jack <kingofnerds at ...11827...> wrote:
>> Last time I enabled the alert on each packet, I just got more alerts; what
>> I think is being requested is to have all the packets in a single alert
>> for one event
>
> That's not really the way it works.
>
> Since an event can have multiple packets.
>
> At the output plugin level, the output plugin expects an event structure
> and a packet structure.
>
> What the cache does is cache the event structure, and when a packet
> matches a previously triggered event it will call the output plugin with
> the associated event structure (event record) and the current processed
> packet.
>
> So it's the expected behavior.
>
> The reason I didn't click right away is that the 2.2 spooler behaves like
> this by default and does not need any command line argument.
>
> -elz
>
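The event cache elz describes above, as an added illustration that is not barnyard2's own code: events are cached under (sensor_id, event_id, event_second) and every packet record carrying the same key is handed to the output plugin together with the cached event. It assumes the standard big-endian unified2 layouts (Unified2IDSEvent, type 7, 52 bytes; Unified2Packet, type 2, 28-byte header plus data) and builds a constructed spool of one event followed by four packets, so the per-event packet count can be compared against what actually reached the database.

```python
import struct
from collections import defaultdict

# unified2 record types (Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

EVENT_FMT = "!IIIIIIIIIIIHHBBBB"  # Unified2IDSEvent, 52 bytes
PACKET_FMT = "!IIIIIII"            # Unified2Packet header, 28 bytes

def iter_records(blob):
    """Yield (type, payload) for each record in a unified2 byte stream."""
    off = 0
    while off + 8 <= len(blob):
        rtype, length = struct.unpack_from("!II", blob, off)
        yield rtype, blob[off + 8:off + 8 + length]
        off += 8 + length

def pair_packets_with_events(blob):
    """Model of the spooler cache: cache each event under
    (sensor_id, event_id, event_second) and pair every packet record that
    carries the same key with that cached event, as the output plugin sees it."""
    cache = {}
    output = []  # (event tuple, packet bytes) pairs the output plugin would get
    for rtype, payload in iter_records(blob):
        if rtype == UNIFIED2_IDS_EVENT:
            ev = struct.unpack(EVENT_FMT, payload[:52])
            cache[ev[:3]] = ev
        elif rtype == UNIFIED2_PACKET:
            hdr = struct.unpack(PACKET_FMT, payload[:28])
            ev = cache.get(hdr[:3])
            if ev is not None:  # packet_length is hdr[6]
                output.append((ev, payload[28:28 + hdr[6]]))
    return output

def packets_per_event(blob):
    """How many packets the spool file holds per event key."""
    counts = defaultdict(int)
    for ev, _ in pair_packets_with_events(blob):
        counts[ev[:3]] += 1
    return dict(counts)

def build_sample():
    """Constructed sample spool: one event followed by four packets."""
    key = (1, 42, 1351170000)  # sensor_id, event_id, event_second (made up)
    event = struct.pack(EVENT_FMT, *key, 123456, 1000001, 1, 1, 3, 2,
                        0x0A000001, 0x0A000002, 44444, 80, 6, 0, 0, 0)
    blob = struct.pack("!II", UNIFIED2_IDS_EVENT, len(event)) + event
    for i in range(4):
        data = bytes([i]) * 60
        pkt = struct.pack(PACKET_FMT, *key, key[2], i * 1000, 1, len(data)) + data
        blob += struct.pack("!II", UNIFIED2_PACKET, len(pkt)) + pkt
    return blob
```

Run `packets_per_event(open(path, "rb").read())` over your own unified2 spool file to see how many packets each event really carries, then compare that count with the rows in snort.data for the same event.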