This repository has been archived by the owner on Jan 18, 2024. It is now read-only.
After posting here I decided to open an issue hoping to get more attention.

Background Info
Installation of both Snort and Barnyard2 went smoothly without any errors.

What I have done
Created a test rules file to alert on ICMP requests.
Checked permissions and ownership of /var/log/snort and everything in it, tried several combinations (especially with permissions) and none of it helped. The current values for ownership are snort:snort.

What happens
Snort triggers the alert when doing a ping request and the /var/log/snort.u2 file is populated (this is good).

How I "fixed" it
After reading a post by beenph I was able to come up with this solution. Basically the sid-msg.map file needs to have the "names" of the variables, something like this:

varname,value || varname,value

This works for me in terms of Barnyard2 not throwing those warnings anymore:

But this is not a real solution because pulledpork does not add those varnames, and when using Snort for anything serious it becomes impractical to keep the sid-msg.map up to date.
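Since the post above comes down to keeping sid-msg.map in step with the rule set, here is an added example (not code from the barnyard2 project, from pulledpork, or from the issue's author) that generates a sid-msg.map from Snort rule text. It assumes the v2 column layout barnyard2 documents in its own sid-msg.map header (`#v2`, then `gid || sid || rev || classification || priority || msg || ref ...`); the rules it reads are a constructed snippet embedded in the script, and the defaults it uses for gid, rev, classtype and priority when a rule omits them are the example's own choices.

```python
"""Build a barnyard2 sid-msg.map (v2 layout) from Snort rule text.

Added example; not code from barnyard2, pulledpork, or the issue's author.
Assumptions: the v2 layout described in barnyard2's own sid-msg.map header,

    #v2
    gid || sid || rev || classification || priority || msg || ref || ref ...

a constructed rules snippet (below), and example defaults for gid, rev,
classtype and priority when a rule does not set them.
"""
import re

# Constructed sample rules, not taken from the original post. Rule 1 is a
# local ICMP test rule like the one the issue describes; rule 2 has an
# escaped ';' in its msg and two references; rule 3 is commented out.
SAMPLE_RULES = r"""
# local.rules (constructed sample)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP test"; sid:10000001; rev:1; classtype:icmp-event;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH probe\; with escape"; flow:to_server; reference:cve,1999-0001; reference:url,example.test/ssh; classtype:attempted-recon; priority:2; sid:10000002; rev:3;)
# alert tcp any any -> any any (msg:"disabled rule"; sid:10000003; rev:1;)
"""

# Rule header: action, protocol, addresses/ports, then "(" options ")".
RULE_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+[^(]*\((?P<opts>.*)\)\s*$")


def split_options(body):
    """Split a rule's option body on ';' into (key, value) pairs.
    A ';' or quote escaped with a backslash inside a double-quoted value
    is kept literally instead of ending the option."""
    pairs, cur, in_quote, i = [], [], False, 0

    def flush():
        tok = "".join(cur).strip()
        if tok:
            key, _, val = tok.partition(":")
            pairs.append((key.strip(), val.strip()))
        cur.clear()

    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote and i + 1 < len(body):
            cur.append(body[i + 1])  # escaped character inside quotes
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            flush()
            i += 1
            continue
        cur.append(ch)
        i += 1
    flush()
    return pairs


def parse_rule(line):
    """Return the sid-msg.map fields for one rule line, or None for blank
    lines, comments, and rules without a sid (those cannot be mapped)."""
    m = RULE_RE.match(line)
    if not m:
        return None
    # Defaults are this example's choices; a real generator would take
    # priority from classification.config when the rule omits it.
    f = {"gid": "1", "sid": None, "rev": "1", "classtype": "NOCLASS",
         "priority": "3", "msg": "", "refs": []}
    for key, val in split_options(m.group("opts")):
        if key == "msg":
            f["msg"] = val.strip('"')
        elif key == "reference":
            f["refs"].append(val)
        elif key in ("gid", "sid", "rev", "classtype", "priority"):
            f[key] = val
    return f if f["sid"] else None


def render_map(rules_text):
    """Render sid-msg.map text (v2 layout) for all mappable rules,
    sorted by (gid, sid) so successive runs diff cleanly."""
    entries = [f for f in map(parse_rule, rules_text.splitlines()) if f]
    entries.sort(key=lambda f: (int(f["gid"]), int(f["sid"])))
    lines = ["#v2",
             "# gid || sid || rev || classification || priority || msg || ref || ref ..."]
    for f in entries:
        cols = [f["gid"], f["sid"], f["rev"], f["classtype"], f["priority"], f["msg"]]
        lines.append(" || ".join(cols + f["refs"]))
    return "\n".join(lines) + "\n"


def lookup(map_text, gid, sid):
    """Look up the msg for an event's (gid, sid) in map text, as a
    consumer of the map would; None means the event has no entry."""
    for line in map_text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split("||")]
        if len(cols) >= 6 and cols[0] == str(gid) and cols[1] == str(sid):
            return cols[5]
    return None


if __name__ == "__main__":
    print(render_map(SAMPLE_RULES), end="")
```

Run it as a script to print the generated map; the `lookup` helper shows what a consumer of the map gets for a gid:sid that has an entry (the msg) versus one that does not (None), which is the difference between a named alert and an unnamed one on the reporting side.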
purefan changed the title from "Barnyard requires sid-msg-map to name the values" to "Barnyard requires sid-msg-map to name the variables" on Feb 10, 2016.
I am having the same problem. Did you ever find a solution?
Even when I put the labels in, I still get an error from MySQL. It's not the write error, and the logs/alerts are going into the DB. I have only seen it when stopping barnyard2, so maybe it's just telling me I disconnected? Odd disconnect message from MySQL:
2016-12-08T05:15:53.392026Z 75 [Note] Aborted connection 75 to db: 'database' user: 'mysqluser' host: 'localhost' (Got an error reading communication packets)
Hi, I have two big problems when I configure my IDS. I use Snort IDS and barnyard2 with BASE. I don't understand why, when I add a new rule in sid-msg-map and I see the new rule in BASE, BASE shows me the alert as something like alert[1:10002:]; I can't solve this problem.