Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort_inline + barnyard2 + base

From: Joel Esler <jesler () sourcefire com>
Date: Thu, 29 Apr 2010 17:48:13 -0400
Try unified. Not unified 2. Just to eliminate that idea.

--
Joel Esler
Sent from my iPhone

On Apr 29, 2010, at 3:56 PM, Fábio Ferrão <ferrao04 () gmail com> wrote:


Guys,

I have a FreeBSD 7.2-stable.
I have installed snort-2.8.5.3 with enable-inline and enable-ipfw and I have barnyard2-1.7 The snort and barnyard2 initialize successfully. The snort record alerts in snort.u2 (binary alerts) and barnyard2 forward the alerts to database. 

snort.conf
output unified2: filename snort.u2, limit 128

barnyard2.conf
input unified2
output database: log, mysql, user=snort password=xxxxx dbname=snort_bd host=10.10.10.100 sensor_name=fw1
My problem is: I only see in my BASE portscan preprocessor alerts (portscan: TCP Portscan, portscan: TCP Decoy Portscan, portscan: TCP Distributed Portscan and etc.). When I initialize snort forwarding the alerts to database instead to record in snort.u2 (binary format), I see ALL alerts in BASE. I don't understand!
This problem is only happening when I initialize snort_inline (IPS) + barnyard2. When I initialize snort (IDS) + barnyard2, I see ALL alerts in BASE. 
Can somebody help me?

Thanks.

--
Fábio Ferrão

"E conhecereis a verdade e a verdade vos libertará".    João 8.32
"And you will know the truth and the truth you will free". John 8.32 --- --- --- --------------------------------------------------------------------- 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: