Snort mailing list archives
Re: trying this again (UNCLASSIFIED)
From: beenph <beenph () gmail com>
Date: Fri, 14 Dec 2012 20:41:39 -0500
On Fri, Dec 14, 2012 at 8:18 PM, beenph <beenph () gmail com> wrote:
Oops, my previous message was incomplete! I added the missing part below.
> So when I downloaded the new rules from pulled pork, and commented out
> the test rule, should the rules downloaded from pulled pork not have
> had a revision with it already?
Yes, but not in the test rule that you created.
> I'm going to have to go into a thousand files and manually add
> "rev:(some number)" to them all in order for it to work? That seems
> really ridiculous. And would I have to do this manually every time
> the rules are updated?
Thousands of files? What happened is that you probably ran Snort a few times with your test rule (started and stopped it), and this probably generated a few unified2 files. Since those files contain events with a signature with a revision of 0, you will need to delete those before processing new unified2 files.
> The last thing about the -G and -S options, I'm totally lost. I'm just
> running it how the guide told me to, with those options.
> You're saying that at this point, the -G -S options are not allowing
> barnyard2 to write the data to mysql?
Well, maybe, but you should read back what I said and also read the barnyard2 help for the different command line options. What I wanted to highlight is that since you specified the -G and -S options, you should comment out the analogous configuration file directives in barnyard2.conf, OR not provide the -G and -S command line arguments and use the configuration directives instead; else you will get the "signature duplicate warning" when using the database output plugin. I hope this clarifies some stuff that could have been obscure. Sorry for the two e-mails on the same reply.

-elz
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
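The reply above says the stale unified2 files (the ones written while the test rule carried no rev, so their events have signature_revision 0) must be deleted before barnyard2 reprocesses the spool. Rather than deleting the whole spool blindly, the following script walks the spool directory and names only the files that actually contain rev-0 events. This is an added example, not code from the thread, from Snort or from barnyard2. It parses the unified2 record header (type, length) and the first seven uint32 fields shared by the IDS event record types; the record type numbers are those from Snort's Unified2_common.h. The spool file names, sensor id, timestamps and sid values are constructed for the demonstration.

```python
"""List unified2 spool files that carry events with signature_revision 0.

Added example for the barnyard2 thread above; not Snort or barnyard2 code.
barnyard2 keys signatures on (gid, sid, rev), so events logged while a rule
had no 'rev' keyword cannot be matched against sid-msg.map. This script
reports which spool files hold such events so only those need deleting.
"""
import os
import socket
import struct
import tempfile

# unified2 record types (values from Snort's Unified2_common.h).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}

RECORD_HEADER = struct.Struct(">II")   # type, length; big-endian
# Every IDS event layout starts with: sensor_id, event_id, event_second,
# event_microsecond, signature_id, generator_id, signature_revision.
EVENT_HEAD = struct.Struct(">7I")


def iter_records(data):
    """Yield (record_type, body) for each record in a unified2 byte string."""
    off = 0
    while off + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        body = data[off:off + length]
        if len(body) < length:
            raise ValueError("truncated record at offset %d" % (off - RECORD_HEADER.size))
        yield rtype, body
        off += length


def rev0_events(data):
    """Return [(gid, sid, event_id), ...] for events whose revision is 0."""
    found = []
    for rtype, body in iter_records(data):
        if rtype not in EVENT_TYPES:
            continue                     # packet and extra-data records carry no rev
        _sensor, event_id, _sec, _usec, sid, gid, rev = EVENT_HEAD.unpack_from(body, 0)
        if rev == 0:
            found.append((gid, sid, event_id))
    return found


def scan_spool(directory, prefix="snort.u2."):
    """Map each spool file (barnyard2 -f base name plus timestamp) to its rev-0 events."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.startswith(prefix):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            report[name] = rev0_events(fh.read())
    return report


# --- constructed sample data (not captured from a real sensor) ---------------

def record(rtype, body):
    return RECORD_HEADER.pack(rtype, len(body)) + body


def make_ids_event(event_id, gid, sid, rev, src="10.0.0.1", dst="10.0.0.2"):
    """Build a 52-byte legacy IPv4 IDS event body (record type 7)."""
    return struct.pack(
        ">11I2H4B",
        1, event_id, 1355535699, 0,                       # sensor, event id, sec, usec
        sid, gid, rev,                                    # signature triple
        0, 3,                                             # classification, priority
        int.from_bytes(socket.inet_aton(src), "big"),
        int.from_bytes(socket.inet_aton(dst), "big"),
        12345, 80,                                        # sport_itype, dport_icode
        6, 0, 0, 0)                                       # proto, impact_flag, impact, blocked


def make_packet(event_id, payload=b"\x00" * 14):
    """Build a packet record body (type 2): seven uint32 header fields + bytes."""
    return struct.pack(">7I", 1, event_id, 1355535700, 1355535700, 0, 1, len(payload)) + payload


def build_sample_spool():
    """Write two constructed spool files to a temp dir and return the path.
    File 1: one event from a test rule written without 'rev' (rev 0).
    File 2: one event from a rule with rev 3, plus its packet record."""
    d = tempfile.mkdtemp(prefix="u2demo-")
    stale = record(UNIFIED2_IDS_EVENT, make_ids_event(1, gid=1, sid=1000001, rev=0))
    fresh = (record(UNIFIED2_IDS_EVENT, make_ids_event(2, gid=1, sid=2000001, rev=3))
             + record(UNIFIED2_PACKET, make_packet(2)))
    for name, blob in (("snort.u2.1355535600", stale), ("snort.u2.1355535700", fresh)):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(blob)
    return d


if __name__ == "__main__":
    spool = build_sample_spool()
    for name, events in scan_spool(spool).items():
        status = "delete before reprocessing" if events else "ok"
        print("%s: %s %s" % (name, status, events))
```

Point the script at the real spool directory (barnyard2's -d) with the base name given by -f; the files it reports are the ones the reply says to delete before barnyard2 processes new unified2 files, and adding `rev:1;` to the test rule stops new ones from being written. On the second point in the reply: barnyard2 reads the same maps either from the -G and -S command line options or from the `config gen_file:` and `config sid_file:` directives in barnyard2.conf (directive names as I know them from the stock barnyard2.conf), and setting both is what produces the duplicate-signature warning, so keep one and comment out the other.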
Current thread:
- trying this again (UNCLASSIFIED) Cass, Mark A CTR (US) (Dec 13)
- Re: trying this again (UNCLASSIFIED) Rhoades . Jon (Dec 13)
- Re: trying this again (UNCLASSIFIED) Peter Bates (Dec 13)
- Re: trying this again (UNCLASSIFIED) Cass, Mark A CTR (US) (Dec 14)
- Re: trying this again (UNCLASSIFIED) beenph (Dec 14)
- Re: trying this again (UNCLASSIFIED) Cass, Mark A CTR (US) (Dec 14)
- Re: trying this again (UNCLASSIFIED) Peter Bates (Dec 14)
- Re: trying this again (UNCLASSIFIED) beenph (Dec 14)
- Re: trying this again (UNCLASSIFIED) beenph (Dec 14)
- Re: trying this again (UNCLASSIFIED) Rhoades . Jon (Dec 13)
