Snort mailing list archives
Re: Why can't I see tcp flags for a triggered alert (snort+base)
From: John Huss <john.huss () thebunker net>
Date: Thu, 22 Jan 2009 15:48:27 +0000
> I see nothing in any of your pastings that indicate that something wouldn't be operating correctly. You are using barnyard I am assuming? Joel

Hello again Joel,

Wow, thank you for continuing to help me - it is very appreciated - I'm completely stuck now and don't know what to try next.

Yes, I use barnyard and that is adding the alerts to MySQL for me. The config file and runtime args are copied below should that help:

----- /etc/snort/barnyard.conf -----
config hostname: 1.2.3.4
config interface: eth1
output alert_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user snort, password snort
output log_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user snort, password snort

----- cli-args -----
/usr/bin/barnyard -D -c /etc/snort/barnyard.conf -d /var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -w /var/log/snort/barnyard.waldo -L /var/log/snort -a /var/log/snort/archive -f snort.log -X /var/run/barnyard.pid

I recall having problems when I set up barnyard in that in MySQL I had no entry in the sensor table. Once I added an entry, barnyard was then able to process the snort logs and store alert data. Could I have screwed up something by doing that? *digs out my notes* Here's what I added:

insert into sensor set hostname='0.0.0.0', interface='eth1', filter='NULL', detail='1', encoding='0', last_cid='1';

This PC has no IP address configured on interface eth1.

Sorry if I'm being stupid and/or have screwed things up!

Kind Regards,
Johnny
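An added diagnostic, not code from the thread or from Snort/barnyard: it rebuilds the three relevant tables of the Snort database schema in memory (table and column names such as `event`, `tcphdr` and `tcp_flags` are assumed to match the stock create_mysql script; check yours), seeds them with constructed rows modelled on the hand-inserted sensor record above, and runs the query I would use to find alerts that have no TCP header row, which is the condition under which BASE has no flags to show.

```python
# Added example: check whether logged events actually carry a tcphdr row.
# Schema is a reduced copy of the Snort database schema (assumed, verify
# against your create_mysql script); all data below is constructed.
import sqlite3

SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     filter TEXT, detail INTEGER, encoding INTEGER, last_cid INTEGER);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                     PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                     tcp_flags INTEGER, PRIMARY KEY (sid, cid));
"""

# Sensor 1 mirrors the row from the mail (detail=1 means full packet detail is
# expected). Events 1 and 2 have a TCP header row, event 3 does not.
SAMPLE = """
INSERT INTO sensor VALUES (1, '0.0.0.0', 'eth1', 'NULL', 1, 0, 1);
INSERT INTO event  VALUES (1, 1, 1000, '2009-01-22 15:00:00');
INSERT INTO event  VALUES (1, 2, 1000, '2009-01-22 15:00:01');
INSERT INTO event  VALUES (1, 3, 1000, '2009-01-22 15:00:02');
INSERT INTO tcphdr VALUES (1, 1, 40000, 80, 2);   -- SYN
INSERT INTO tcphdr VALUES (1, 2, 40001, 80, 18);  -- SYN|ACK
"""

# Events with no matching tcphdr row. Many hits for a detail=1 sensor means
# the logger is not writing headers, so BASE cannot display flags for them.
MISSING_TCPHDR = """
SELECT e.sid, e.cid, s.detail
FROM event e
JOIN sensor s ON s.sid = e.sid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
WHERE t.cid IS NULL
ORDER BY e.sid, e.cid
"""

def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db

def events_missing_tcp_header(db):
    """Return (sid, cid, detail) for every event lacking a tcphdr row."""
    return db.execute(MISSING_TCPHDR).fetchall()

def flags_for_event(db, sid, cid):
    """Decode one event's tcp_flags byte into flag names; None if no header row."""
    row = db.execute("SELECT tcp_flags FROM tcphdr WHERE sid=? AND cid=?", (sid, cid)).fetchone()
    if row is None:
        return None
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 .. bit 7
    return [n for i, n in enumerate(names) if row[0] & (1 << i)]
```

Against a live MySQL instance the same `MISSING_TCPHDR` query runs unchanged; only the connection setup differs.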