[Discussion] Problem with output of unified2 for barnyard2

Miler Alberto Garcia Villanueva phl4kx at gmail.com
Tue May 25 22:38:00 UTC 2010


Additional information:

classification.config
----------------
config classification: attempted-recon,Attempted Information Leak,2


barnyard2.config
----------------
config reference_file:      /usr/local/etc/suricata/reference.config
config classification_file: /usr/local/etc/suricata/classification.config
config gen_file:            /usr/local/etc/suricata/gen-msg.map
config sid_file:            /usr/local/etc/suricata/sid-msg.map

All the paths are correct.



Run Barnyard2
----------------
barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/suricata -f unified2.alert

   ______   -*> Barnyard2 <*-
  / ,,_  \  Version 2.1.9-beta1 (Build 251)



2010/5/25 Miler Alberto Garcia Villanueva <phl4kx at gmail.com>:
> Hi all, recently I have a problem with the output of unified2 when
> barnyard2 reads the unified2.alert.* files. The problem is that
> barnyard2 can read the unified2.alert.* files of the suricata log but
> can't identify what the classification is; the alert output is like
> this in barnyard:
>
> <bridge0> ET SCAN NMAP -sS window 4096  [**] [Classification ID: (null)] [Priority ID: 3]
>
> Classification ID: null and priority of 3.
>
> The alert and fast.log output of suricata identifies the
> classification correctly.
>
> I contacted the developers of barnyard2 and they told me that maybe it
> is a problem with the log (unified2.alert.* files) generated by
> suricata.
>
> Thanks a lot
>
> Miler
>

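A quick way to settle whether the classification is lost in the unified2 file or in barnyard2's lookup is to read the event records directly and compare each record's classification_id against classification.config. The Python below is an added example written for this thread; it is not code from barnyard2 or Suricata. It assumes the unified2 layouts from Snort's Unified2_common.h (record header of type and length, legacy IPv4 event type 7 with a 52-byte body, V2 IPv4 event type 104 with a 60-byte body, all big-endian), and it assumes, as Snort and barnyard2 do, that a classification's ID is its 1-based position in classification.config while the number on the config line is its priority. The sample records, the two-line classification config and the signature ID 1000001 are constructed for the example, not taken from a real capture.

```python
import struct

# unified2 record types, per Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7        # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_V2 = 104   # IPv4 event with mpls_label/vlanId, 60-byte body

# All fields are big-endian (network byte order).
RECORD_HEADER = struct.Struct("!II")                  # record type, record length
EVENT_LEGACY = struct.Struct("!IIIIIIIIIIIHHBBBB")    # 52 bytes
EVENT_V2 = struct.Struct("!IIIIIIIIIIIHHBBBBIHH")     # 60 bytes
FIELD_NAMES = ("sensor_id", "event_id", "event_second", "event_microsecond",
               "signature_id", "generator_id", "signature_revision",
               "classification_id", "priority_id", "ip_source", "ip_destination",
               "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")


def parse_unified2(data):
    """Return the IPv4 IDS event records found in a unified2 byte string.

    Packet records, IPv6 events and extra-data records are skipped. A record
    whose declared length runs past the end of the data raises ValueError,
    which is what a file still being written looks like.
    """
    events = []
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        body = data[offset:offset + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % offset)
        offset += rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == EVENT_LEGACY.size:
            values = EVENT_LEGACY.unpack(body)
        elif rtype == UNIFIED2_IDS_EVENT_V2 and rlen == EVENT_V2.size:
            values = EVENT_V2.unpack(body)   # trailing mpls_label/vlanId/pad are dropped by zip
        else:
            continue
        events.append(dict(zip(FIELD_NAMES, values)))
    return events


def load_classifications(config_text):
    """Map classification IDs to (name, priority) from classification.config text.

    Assumption: the ID is the 1-based position of the line in the file, as in
    Snort and barnyard2; the trailing number on the line is the priority.
    """
    classes = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("config classification:"):
            continue
        name, _description, priority = [p.strip() for p in line.split(":", 1)[1].split(",")]
        classes[len(classes) + 1] = (name, int(priority))
    return classes


def check_events(events, classes):
    """Report events whose classification_id the config cannot resolve, or whose
    priority_id disagrees with the configured priority of its classification."""
    problems = []
    for ev in events:
        sig = "gid %d sid %d rev %d" % (ev["generator_id"], ev["signature_id"], ev["signature_revision"])
        entry = classes.get(ev["classification_id"])
        if entry is None:
            problems.append("%s: classification_id %d (priority_id %d) has no entry in "
                            "classification.config; barnyard2 prints it as (null)"
                            % (sig, ev["classification_id"], ev["priority_id"]))
        elif entry[1] != ev["priority_id"]:
            problems.append("%s: record priority_id %d differs from configured priority %d for %s"
                            % (sig, ev["priority_id"], entry[1], entry[0]))
    return problems


# --- constructed sample input (not a real Suricata capture) ---

CLASSIFICATION_CONFIG = """
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-recon,Attempted Information Leak,2
"""


def make_event(classification_id, priority_id, v2=False):
    """Build one IPv4 event record; sid 1000001 is a placeholder, not a real rule."""
    fields = [1, 7, 1274826000, 0, 1000001, 1, 1,
              classification_id, priority_id,
              0xC0A80001, 0xC0A80002, 40000, 22, 6, 0, 0, 0]
    if v2:
        body = EVENT_V2.pack(*fields, 0, 0, 0)
        return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT_V2, len(body)) + body
    body = EVENT_LEGACY.pack(*fields)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def sample_file():
    """Two events around a packet record: one resolvable, one with classification_id 0."""
    packet = RECORD_HEADER.pack(UNIFIED2_PACKET, 4) + b"\x00\x01\x02\x03"
    return make_event(2, 2) + packet + make_event(0, 3, v2=True)


if __name__ == "__main__":
    found = parse_unified2(sample_file())
    for line in check_events(found, load_classifications(CLASSIFICATION_CONFIG)):
        print(line)
```

Against a real spool, replace sample_file() with the bytes of one unified2.alert.* file (open(path, "rb").read()) and the text of the classification.config that barnyard2.conf points at. If the records themselves carry classification_id 0 for every event while fast.log shows a classification, the value is being lost on the Suricata side before it reaches the file; if the IDs are non-zero but have no entry, the two sides are reading different classification.config files or the file has a different line order.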