<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Joel,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Finally getting into some documentation! Got the Snort manual
open right now.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>One of the main challenges is I didn’t install any of the
software we use for this: not CentOS, not Snort/Barnyard, none of it. And the
installer didn’t leave a whole lot (read that as “none”) of configuration
management documentation behind on what he did. I can say that mysqld is
running (although I haven’t checked the version yet).<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I just went to the isc.sans.org article you apparently wrote and
am now convinced we need to upgrade to 2.8.4 (as well as barnyard2). I’m
presuming, since CentOS is pretty much a clone of RHEL we can just download the
appropriate RPM and use the normal RPM installation process. Will this
overwrite anything important or will it simply upgrade the code? The only thing
I have to find out, now, is if the DoD client for which we are running this
needs to approve the updates before they are done. Still waiting for the response
to that one.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Also, want to say I really, really appreciate your help and
patience and that of the other Snort old-hand users in the forum. It’s
making my job a lot easier coming up to speed!<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Rich<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Joel Esler
[mailto:jesler@...1935...] <br>
<b>Sent:</b> Friday, August 21, 2009 1:56 PM<br>
<b>To:</b> Richard Lichvar<br>
<b>Cc:</b> snort-users@lists.sourceforge.net<br>
<b>Subject:</b> Re: [Snort-users] Advice on Snort 2.8.x<o:p></o:p></span></p>

</div>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal>On Fri, Aug 21, 2009 at 1:47 PM, Richard Lichvar <<a
href="mailto:rlichvar@...14639...">rlichvar@...14639...</a>> wrote:<o:p></o:p></p>

<div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p style='text-indent:-.25in'>1.<span style='font-size:7.0pt'>      
</span>We are on 2.8.0.2 (Build 75). Is there any real advantage to upgrading
to 2.8.4?<o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class=MsoNormal><o:p> </o:p></p>

</div>

<div>

<p class=MsoNormal>There are always advantages to staying current with
software.  Check out the changelog between 2.8.0.2 and 2.8.4.
 Included with 2.8.4.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal> <o:p></o:p></p>

</div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p style='text-indent:-.25in'>2.<span style='font-size:7.0pt'>      
</span>Will upgrading Barnyard2 interfere with 2.8.0.2 or should we upgrade to
2.8.4?<o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class=MsoNormal>Barnyard2 should read the unified output module and input
into your output method desire.  Unified output hasn't changed in quite
some time.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p> </o:p></p>

</div>

<div>

<p class=MsoNormal> <o:p></o:p></p>

</div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p style='text-indent:-.25in'>3.<span style='font-size:7.0pt'>      
</span>We seem to be using PCRE version 6.6. What does this tell us?<o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class=MsoNormal>That you are running PCRE version 6.6.  I don't
understand what you are asking.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal> <o:p></o:p></p>

</div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p style='text-indent:-.25in'>4.<span style='font-size:7.0pt'>      
</span>I notice there are MySql and other versions of Snort. How do I tell
whether we are using the MySQL version or not? (We running on CentOS 5.2.)<o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class=MsoNormal>How did you install Snort?  Through the tarball or via
RPM?  If you installed via the tarball, you would need to check your
config.log file.  If you installed via the RPM, run the command "rpm
-q snort" on the command line.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal> <o:p></o:p></p>

</div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p> <o:p></o:p></p>

<p>Again, many thanks in advance for helping this Snort newbie.<o:p></o:p></p>

<p> <o:p></o:p></p>

<p><span style='font-size:10.0pt'>RichLich</span><o:p></o:p></p>

<p> <o:p></o:p></p>

</div>

</div>

<p class=MsoNormal><br>
------------------------------------------------------------------------------<br>
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day<br>
trial. Simplify your report design, integration and deployment - and focus on<br>
what you do best, core application coding. Discover what's new with<br>
Crystal Reports now.  <a href="http://p.sf.net/sfu/bobj-july"
target="_blank">http://p.sf.net/sfu/bobj-july</a><br>
_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@...4626...ceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users%0d%0aSnort-users"
target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users<br>
Snort-users</a> list archive:<br>
<a href="http://www.geocrawler.com/redir-sf.php3?list=snort-users"
target="_blank">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a><o:p></o:p></p>

</blockquote>

</div>

<p class=MsoNormal><o:p> </o:p></p>

<div name="mailplane_signature">

<p class=MsoNormal>-- Joel Esler | Sourcefire | Google Voice: 302-223-5974<o:p></o:p></p>

</div>

</div>

</body>

</html>