Snort mailing list archives

Re: trying this again (UNCLASSIFIED)


From: Peter Bates <peter.bates () ucl ac uk>
Date: Fri, 14 Dec 2012 17:02:09 +0000


Dear all

On 14/12/2012 16:42, Cass, Mark A CTR (US) wrote:
> I'll need to specify the -f option for barnyard2 and tell it the prefix naming convention of the files it needs to
> input to log to mysql database?  The reason for the barnyard2 aborting was because the test rule did not have a
> "rev:xxx" at the top of the text file?  So when I downloaded the new rules from pulled pork, and commented out the
> test rule, should the rules downloaded from pulled pork not have had a revision with it already?  I'm going to have
> to go into a thousand files and manually add "rev:(some number)" to them all in order for it to work?  That seems
> really ridiculous.  And would I have to do this manually every time the rules are updated?

In your snort.conf you'll have a line similar to

output unified2: filename snort.log, limit 128

and probably not enable any other outputs.

Snort when running will then be writing 

snort.log.xxxxx

into a directory specified by -l on the snort command line
or in your snort.conf

Your Barnyard2 command line will then include

-d /var/log/snort -f snort.log

which relate to your chosen output directory and output filename.

Downloading your rules with PP - the rule files will contain revisions and signature ids
and it should also generate sid-msg.map which is used by Barnyard to map the ids to particular
events when writing to the database.
 
> The last thing about the -G and -S options, I'm totally lost.  I'm just running it how the guide told me to, with
> those options.  You're saying that at this point, the -G -S options are not allowing barnyard2 to write the data to
> mysql?

I'm running with -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map
-- obviously the last one is the location of the file generated by PulledPork.

--
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT
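As an added example (not code from this thread, from Peter, or from PulledPork/barnyard2), the script below checks the two things the exchange above turns on: that every active rule carries the sid: and rev: barnyard2 needs, and that a sid-msg.map can be built from the rule files, in the v1 `sid || msg || reference` line format PulledPork writes. It also shows which files in the -d directory barnyard2 would treat as the unified2 spool for a given -f prefix, i.e. `<prefix>.<timestamp>`, matching the `snort.log.xxxxx` naming Peter describes. The rule text and file names are constructed for the example.

```python
"""Rule/sid-msg.map sanity check for a Snort + barnyard2 setup.
Added example, not part of the original thread. Sample data is constructed."""
import re

# Constructed sample rule file: rule 2 deliberately has no rev:, and the
# commented-out rule must be ignored.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp any any -> any 22 (msg:"SSH connection attempt"; flow:to_server,established; sid:1000001; rev:2; classtype:attempted-recon;)
alert icmp any any -> any any (msg:"ICMP test rule without rev"; sid:1000002;)
#alert tcp any any -> any 80 (msg:"Disabled"; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"DNS query with reference"; reference:url,example.test/dns; sid:1000004; rev:1;)
"""

# Constructed directory listing for the barnyard2 -d directory.
SAMPLE_LISTING = ["snort.log.1355500000", "snort.log.1355400000", "alert",
                  "snort.log", "snort.log.1355450000.bak"]

# Rule header up to the first '(' and the option body inside the parentheses.
RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s.*?\((.*)\)\s*$')
# One "key:value;" option; the value is either a quoted string or anything up to ';'.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_rules(text):
    """Return one dict per active rule with line number, msg, sid, rev and references."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, comment, or not a rule header
        opts, refs = {}, []
        for key, value in OPT_RE.findall(m.group(2)):
            value = value.strip().strip('"')
            if key == "reference":
                refs.append(value)  # a rule may carry several references
            else:
                opts[key] = value
        rules.append({"line": lineno, "msg": opts.get("msg"),
                      "sid": opts.get("sid"), "rev": opts.get("rev"), "refs": refs})
    return rules


def check_rules(rules):
    """Report rules missing sid: or rev:, and duplicate sids."""
    problems, seen = [], {}
    for r in rules:
        if r["sid"] is None:
            problems.append("line %d: rule has no sid:" % r["line"])
            continue
        if r["rev"] is None:
            problems.append("line %d: sid %s has no rev:" % (r["line"], r["sid"]))
        if r["sid"] in seen:
            problems.append("line %d: sid %s duplicates line %d"
                            % (r["line"], r["sid"], seen[r["sid"]]))
        seen.setdefault(r["sid"], r["line"])
    return problems


def sid_msg_map(rules):
    """Build v1 sid-msg.map lines: 'sid || msg' followed by '|| ref' per reference."""
    lines = []
    for r in rules:
        if r["sid"] is None:
            continue  # nothing to map without a sid
        lines.append(" || ".join([r["sid"], r["msg"] or ""] + r["refs"]))
    return lines


def spool_files(names, prefix):
    """Files barnyard2 -f <prefix> would read from -d, oldest timestamp first."""
    pat = re.compile(re.escape(prefix) + r"\.(\d+)$")
    matched = []
    for name in names:
        m = pat.match(name)
        if m:
            matched.append((int(m.group(1)), name))
    return [name for _, name in sorted(matched)]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for p in check_rules(parsed):
        print("PROBLEM:", p)
    print("\n".join(sid_msg_map(parsed)))
    print(spool_files(SAMPLE_LISTING, "snort.log"))
```

Run it against a real rules directory by replacing SAMPLE_RULES with the concatenated rule files and SAMPLE_LISTING with os.listdir() of the -d directory; a non-empty problem list, or a spool list that is empty because the -f prefix does not match the `filename` in the unified2 output line, points at the two misconfigurations discussed above.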

