[Snort-users] Problems with snort, Barnyard2 and mysql database

Dmitry Korzhevin dmitry.korzhevin at ...15907...
Tue Oct 30 10:38:52 EDT 2012


Thank you,

After I added "rev:1;" to this rule and restarted snort and barnyard2, it works!


On 29.10.2012 16:45, beenph wrote:
> Greetings Dmitry,
>
> The barnyard2 message is explicit, but here is what it means:
>
> I am assuming you created a test rule with sid:10000001; and msg:"ICMP test";
>
> You will need to also add rev:1; to that rule in its body.
>
> Then stop snort.
> stop barnyard2
>
> Delete all your unified2 files, restart snort and restart barnyard2.
>
>
> Cheers,
> -elz
>
> On Mon, Oct 29, 2012 at 10:37 AM, Dmitry Korzhevin
> <dmitry.korzhevin at ...15907...> wrote:
>> Hello,
>>
>> I use Debian 6.0.6 and installed snort, barnyard2, and other stuff using
>> the guide "Snort 2.9.3.1 on Debian 6.0.5" by Jason Weir from
>> http://www.snort.org/docs
>>
>> When I make a test run of snort with the command:
>>
>> /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
>>
>> I get normal output:
>>
>> 10/29-15:27:53.814919  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
>> {IPV6-ICMP} fe80::21c:42ff:fe6b:a311 -> fe80::ffff:1:1
>> 10/29-15:27:54.810969  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
>> {IPV6-ICMP} fe80::21c:42ff:fe6b:a311 -> fe80::ffff:1:1
>> 10/29-15:27:55.810942  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
>> {IPV6-ICMP} fe80::21c:42ff:fe6b:a311 -> fe80::ffff:1:1
>> 10/29-15:28:02.370578  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
>> {ICMP} 89.252.56.204 -> 91.250.80.33
>> 10/29-15:28:02.370690  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
>> {ICMP} 91.250.80.33 -> 89.252.56.204
>> 10/29-15:28:03.373918  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
>> {ICMP} 89.252.56.204 -> 91.250.80.33
>> 10/29-15:28:03.374001  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
>> {ICMP} 91.250.80.33 -> 89.252.56.204
>> 10/29-15:28:04.373154  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
>> {ICMP} 89.252.56.204 -> 91.250.80.33
>> 10/29-15:28:04.373243  [**] [1:10000001:0] ICMP test [**] [Priority: 0]
>> {ICMP} 91.250.80.33 -> 89.252.56.204
>>
>> When I run:
>>
>> /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
>>
>> to start snort, and then start barnyard2:
>>
>> /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config &
>>
>> I get this output:
>>
>> http://dpaste.com/820057/
>>
>> Please help
>>
>>
>>
>> Best Regards,
>> Dmitry
>>
>> ---
>> Dmitry KORZHEVIN
>> System Administrator
>> STIDIA S.A. - Luxembourg
>>
>> e: dmitry.korzhevin at ...15907...
>> m: +38 093 874 5453
>> w: http://www.stidia.com
>>
>>

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhevin at ...15907...
m: +38 093 874 5453
w: http://www.stidia.com
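The fix in this thread was adding rev:1; to a local rule that had only msg and sid (the console output above shows it as [1:10000001:0], i.e. rev 0). The following is an added example, not code from the thread or from the Snort or barnyard2 projects: a small checker that parses rule lines, reports rules with no rev option, inserts rev:1; into them, and emits sid-msg.map entries in the "sid || msg" format that barnyard2's -S file uses. The rules file content is constructed for the example; the splitting on ";" assumes simple rules with no escaped semicolons inside msg.

```python
import re

# Constructed sample of a local.rules file (not the original poster's file).
# The first rule has the shape discussed in the thread (msg + sid, no rev),
# the second is the corrected form, the third shows the checker is not
# ICMP-specific.
SAMPLE_RULES = """\
# local.rules (constructed example)
alert icmp any any -> any any (msg:"ICMP test"; sid:10000001;)
alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH connect"; flow:to_server; sid:10000002; rev:2;)
"""

# The option body is everything between the outer parentheses at end of line.
OPTION_RE = re.compile(r'\(([^)]*)\)\s*$')


def parse_rule(line):
    """Return {'sid': int, 'rev': int or None, 'msg': str} for one rule line.

    Comments, blank lines and lines without a sid option yield None.
    Assumes no escaped ';' inside option values (fine for simple local rules).
    """
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = OPTION_RE.search(line)
    if not m:
        return None
    opts = {}
    for opt in m.group(1).split(';'):
        opt = opt.strip()
        if not opt or ':' not in opt:
            continue  # flag-style options such as "nocase" carry no value
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip()
    sid = opts.get('sid')
    if sid is None:
        return None
    rev = opts.get('rev')
    return {
        'sid': int(sid),
        'rev': int(rev) if rev is not None else None,
        'msg': opts.get('msg', '').strip('"'),
    }


def find_rules_without_rev(text):
    """(sid, msg) of every rule that lacks a rev option: the case barnyard2 complained about."""
    missing = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r and r['rev'] is None:
            missing.append((r['sid'], r['msg']))
    return missing


def add_rev(line, rev=1):
    """Insert 'rev:<n>;' before the closing parenthesis of a rule that has no rev.

    Rules that already carry a rev, comments and non-rule lines come back unchanged.
    """
    r = parse_rule(line)
    if r is None or r['rev'] is not None:
        return line
    head, paren, tail = line.rstrip().rpartition(')')
    return f"{head.rstrip()} rev:{rev};{paren}{tail}"


def sid_msg_map(text):
    """sid-msg.map lines ('sid || msg', the v1 format barnyard2 -S reads), one per sid.

    A later definition of the same sid (e.g. the corrected rule) replaces an earlier one.
    """
    seen = {}
    for line in text.splitlines():
        r = parse_rule(line)
        if r:
            seen[r['sid']] = r['msg']
    return [f"{sid} || {msg}" for sid, msg in sorted(seen.items())]


if __name__ == '__main__':
    for sid, msg in find_rules_without_rev(SAMPLE_RULES):
        print(f"missing rev: sid {sid} ({msg})")
    print('\n'.join(add_rev(l) for l in SAMPLE_RULES.splitlines()))
    print('\n'.join(sid_msg_map(SAMPLE_RULES)))
```

Run it against the real local.rules before restarting snort; as the reply above notes, barnyard2 keeps reading the old unified2 output, so after changing a rule the stale unified2 files need to go before snort and barnyard2 are started again.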

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4488 bytes
Desc: S/MIME cryptographic signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121030/b3581520/attachment.bin>

