Snort mailing list archives
Re: Lets talk about ....
From: AllowOverride <allowoverride () gmail com>
Date: Sun, 07 Oct 2012 12:52:12 -0700
Exactly, and thanks again.
--- Begin Message ---
From: Peter Bates <peter.bates () ucl ac uk>
Date: Sun, 7 Oct 2012 10:23:54 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all

On 07/10/2012 03:42, PR wrote:

> 1. isn't barnyard2 supposed to be able to allow you to view the sigs/data or just does it say ICMP yadda...

If snort is generating unified2 data in snort.log, you can use u2spewfoo snort.log.x to read the contents. If your snort.conf is also doing fast alerting then you'll have the hits in 'alert' as well.

> 2. do I need to do anything with my snort.rules, like cat snort.rules local.rules ??

This seems to have been asked about a few times recently. You need to

include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules

in your snort.conf. There's an argument for Snort perhaps coming either with a default set of rules or to have all the include lines except for local.rules commented out.

> 3. how do I get data from barnyard2 to my db to view in a pretty browser GUI like base or snortreport, or jpgraph?

Barnyard2 should be putting the alerts into your DB if correctly configured, see for example:

mysql snort -u snort -p
select count(*) from event;

If the count is increasing then your alerts are going into the DB.

The last time I set up a box from scratch I found the Debian HOWTO from snort.org to be the most clear on different steps:
http://www.snort.org/assets/167/IDS_deb_snort_howto.pdf

PulledPork downloads the rules and also reads your snort.conf for paths where to put things like Shared Object files, etc. It then either outputs to individual rules which you need to include individually as 'include' in snort.conf or as a single file.

Snort then runs and writes the unified2 logfiles.

Barnyard2 waits to see u2 files appearing in the place you designate as input and then does its job as output processor - generally outputting to DB as the simpler outputs Snort can still do itself.

Rule manager -> IDS -> Output processor -> Alert front-end

Lousy ASCII flowchart, I know.

- --
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQcUoqAAoJELhVoVpEMS6RyfsIAKSZBqva4mvMGxaX6E8s7qDK
EmeDGyGISlZtn4k16FLJERKIzyEbi+PdaRUPUxmpAHgMGUoVHNOu43UihZSuKD6J
uO/kzYLR6mIDBsAG78IzaQ3R7RxUqje8oVOGKz+5kQd6htZkTykM7U125//em4fD
Y6DZ+FxD7btmKsTAM+kKBAw/1XY/JUs7gbkts4in/F7jVfzuFTu4vBB5XMXXqpC5
18E0wzQovJ8h9bspVAYh2fz8emxTNQ7hM/MhhzozPCQ1DPhnuj2QKs5m6s6nR1cW
dIE1wVOh+i3y0h0LjzCZler/2cCv3nofKQmpoqob3QtMWDap6YlyrYrCdgPD9GA=
=+ejZ
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--- End Message ---
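Peter's answer to the first question is that u2spewfoo reads the unified2 records Snort writes into snort.log, and his check for the third is a row count on the event table barnyard2 fills from those same files. The script below walks that record format by hand so you can see what sits between the two. It is an added example, not code from this thread or from the Snort or barnyard2 projects; it assumes the legacy unified2 layouts (an 8-byte big-endian record header of type and length, the 52-byte UNIFIED2_IDS_EVENT type 7 body, and the UNIFIED2_PACKET type 2 record) and skips every other record type by length. The sample log is constructed in memory, with a hypothetical local rule (gid 1, sids 1000001 and 1000002), so it runs without a sensor; pass a real snort.log.<timestamp> as the first argument to read one instead.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Union

# Record types from Snort's unified2 header; only the legacy layouts are handled.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EXTRA_DATA = 110      # present in real logs; skipped by length here

RECORD_HEADER = struct.Struct("!II")     # record type, body length (big-endian)
IDS_EVENT = struct.Struct("!11I2H4B")    # 52-byte IPv4 event body
PACKET_HEADER = struct.Struct("!7I")     # 28 bytes, followed by packet_data


@dataclass
class IdsEvent:
    sensor_id: int; event_id: int; event_second: int; event_microsecond: int
    signature_id: int; generator_id: int; signature_revision: int
    classification_id: int; priority_id: int
    src: str; dst: str                   # decoded from ip_source / ip_destination
    sport_itype: int; dport_icode: int   # ports, or ICMP type/code
    protocol: int; impact_flag: int; impact: int; blocked: int

    def sid_string(self) -> str:
        return f"{self.generator_id}:{self.signature_id}:{self.signature_revision}"


@dataclass
class Packet:
    sensor_id: int; event_id: int; event_second: int
    packet_second: int; packet_microsecond: int; linktype: int
    data: bytes


def _ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def parse_unified2(blob: bytes) -> Iterator[Union[IdsEvent, Packet]]:
    """Walk the records in a unified2 blob; unknown types are skipped by length."""
    off = 0
    while off < len(blob):
        if len(blob) - off < RECORD_HEADER.size:
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = RECORD_HEADER.unpack_from(blob, off)
        off += RECORD_HEADER.size
        body = blob[off:off + rlen]
        if len(body) != rlen:
            raise ValueError(f"truncated record body at offset {off}")
        off += rlen
        if rtype == UNIFIED2_IDS_EVENT:
            if rlen != IDS_EVENT.size:
                raise ValueError(f"bad IDS event length {rlen}")
            f = IDS_EVENT.unpack(body)
            yield IdsEvent(*f[:9], _ip(f[9]), _ip(f[10]), *f[11:])
        elif rtype == UNIFIED2_PACKET:
            if rlen < PACKET_HEADER.size:
                raise ValueError(f"bad packet record length {rlen}")
            h = PACKET_HEADER.unpack_from(body)
            data = body[PACKET_HEADER.size:PACKET_HEADER.size + h[6]]
            if len(data) != h[6]:
                raise ValueError("packet_length runs past the record")
            yield Packet(*h[:6], data)


def encode_event(sensor, event_id, sec, usec, gid, sid, rev, classid, prio,
                 src, dst, sport, dport, proto) -> bytes:
    """Serialise a legacy IPv4 event record (only used to build the sample)."""
    def ip(a):
        return struct.unpack("!I", socket.inet_aton(a))[0]
    body = IDS_EVENT.pack(sensor, event_id, sec, usec, sid, gid, rev, classid, prio,
                          ip(src), ip(dst), sport, dport, proto, 0, 0, 0)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def encode_packet(sensor, event_id, sec, usec, linktype, data) -> bytes:
    body = PACKET_HEADER.pack(sensor, event_id, sec, sec, usec, linktype, len(data)) + data
    return RECORD_HEADER.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed stand-in for a snort.log.<timestamp>: two ICMP echo alerts from a
# hypothetical local rule (gid 1, sids 1000001/1000002), the packet for the
# first, and an extra-data record the parser should skip.
SAMPLE_LOG = (
    encode_event(0, 1, 1349646180, 12345, 1, 1000001, 1, 29, 3, "10.0.0.5", "192.0.2.10", 8, 0, 1)
    + encode_packet(0, 1, 1349646180, 12345, 1, b"\x45\x00\x00\x1c" + b"\x00" * 24)
    + encode_event(0, 2, 1349646181, 0, 1, 1000002, 2, 29, 3, "10.0.0.6", "192.0.2.10", 8, 0, 1)
    + RECORD_HEADER.pack(UNIFIED2_EXTRA_DATA, 4) + b"\xde\xad\xbe\xef"
)


def events(blob: bytes) -> List[IdsEvent]:
    return [r for r in parse_unified2(blob) if isinstance(r, IdsEvent)]


def count_events(blob: bytes) -> int:
    """File-side counterpart of `select count(*) from event` in the snort DB."""
    return len(events(blob))


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for rec in parse_unified2(blob):
        if isinstance(rec, IdsEvent):
            print(f"[{rec.sid_string()}] {rec.src}:{rec.sport_itype} -> "
                  f"{rec.dst}:{rec.dport_icode} proto={rec.protocol}")
        else:
            print(f"    packet: {len(rec.data)} bytes, linktype {rec.linktype}")
    print("events in file:", count_events(blob))
```

Run against a real unified2 file, count_events gives the number the DB's event table should converge to once barnyard2 has drained that file; if the file count keeps growing while the mysql count does not, the break is in the output-processor stage of Peter's flowchart rather than in Snort or the rules. The truncation checks matter on a live file: Snort may still be mid-write on the last record, and a reader that silently accepts a short body will misreport the tail.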
Current thread:
- Lets talk about .... PR (Oct 06)
- Re: Lets talk about .... Peter Bates (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 07)
- Re: Lets talk about .... Peter Bates (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 08)
- Re: Lets talk about .... Peter Bates (Oct 08)
- Re: Lets talk about .... AllowOverride (Oct 08)
- Re: Lets talk about .... Peter Bates (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Re: Lets talk about .... Jeremy Hoel (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Message not available
- Re: Lets talk about .... Peter Bates (Oct 09)
- Re: Lets talk about .... Peter Bates (Oct 07)