[Discussion] Problem with output of unified2 for barnyard2

firnsy firnsy at securixlive.com
Wed May 26 05:04:52 EDT 2010


Will, Suricata Team,

Apologies for this appearing out of left field. I was a little more
diplomatic in my response to Miler, indicating that I would investigate
the issue more thoroughly before making any educated conclusions.

When I find the problem, I'll provide a more thorough bug report (and
most likely a proposed patch).

Regards,
firnsy

On Tue, 2010-05-25 at 21:02 -0500, Will Metcalf wrote:
> Is this all your classification.config has in it?  You need the whole
> thing.  There is something screwy with unified2 where the
> non-commented lines have to be in the correct order in the
> classification.config
> 
> Regards,
> 
> Will
> 
> On Tue, May 25, 2010 at 5:38 PM, Miler Alberto Garcia Villanueva
> <phl4kx at gmail.com> wrote:
> > Additional information:
> >
> > classification.config
> > ----------------
> > config classification: attempted-recon,Attempted Information Leak,2
> >
> >
> > barnyard2.config
> > ----------------
> > config reference_file:      /usr/local/etc/suricata/reference.config
> > config classification_file: /usr/local/etc/suricata/classification.config
> > config gen_file:            /usr/local/etc/suricata/gen-msg.map
> > config sid_file:            /usr/local/etc/suricata/sid-msg.map
> >
> > All the paths are correct.
> >
> >
> >
> > Run Barnyard2
> > ----------------
> > barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/suricata -f
> > unified2.alert
> >
> >   ______   -*> Barnyard2 <*-
> >  / ,,_  \  Version 2.1.9-beta1 (Build 251)
> >
> >
> >
> > 2010/5/25 Miler Alberto Garcia Villanueva <phl4kx at gmail.com>:
> >> Hi all, recently I have a problem with the output of unified2 when
> >> barnyard2 reads the unified2.alert.* files. The problem is that
> >> barnyard2 can read the unified2.alert.* files of the suricata log but
> >> can't identify what the classification is; the alert output looks like
> >> this in barnyard:
> >>
> >> <bridge0> ET SCAN NMAP -sS window 4096  [**] [Classification ID:
> >> (null)] [Priority ID: 3]
> >>
> >> Classification ID: null   and priority of 3,
> >>
> >> The alert output and fast.log of suricata identify the
> >> classification correctly.
> >>
> >> I contacted the developers of barnyard2 and they told me that it may be
> >> a problem with the log (unified2.alert.* files) generated by suricata.
> >>
> >> Thanks a lot
> >>
> >> Miler
> >>
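A worked illustration of the ordering problem Will describes, added here and not part of the thread: it assumes (as Snort does) that barnyard2 numbers classifications by the position of the non-comment `config classification:` lines in classification.config, 1-based, and resolves the numeric classification id carried in the unified2 record against that table, so a truncated or reordered file yields the wrong name or `(null)`.

```python
# Added example (not from the thread): why barnyard2 prints "(null)" when
# classification.config is incomplete or its lines are out of order.
# Assumption: ids are assigned by line order (1-based), as in Snort, and the
# unified2 event carries only that numeric id, not the classification name.
import re

CLASS_LINE = re.compile(r"^\s*config\s+classification:\s*(.+?)\s*$")


def parse_classification_config(text):
    """Return {id: (name, description, priority)} keyed by file order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = CLASS_LINE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group(1).split(",")]
        if len(parts) != 3 or not parts[2].isdigit():
            raise ValueError(f"malformed classification line: {raw!r}")
        table[len(table) + 1] = (parts[0], parts[1], int(parts[2]))
    return table


def check_event(config_text, class_id):
    """Name barnyard2 would print for a unified2 class id, or '(null)'."""
    entry = parse_classification_config(config_text).get(class_id)
    return entry[0] if entry else "(null)"


# Constructed inputs: Miler's single-line file versus an excerpt in the
# order the stock Snort/Suricata file uses (attempted-recon is 4th).
TRUNCATED = "config classification: attempted-recon,Attempted Information Leak,2\n"
FULL = """\
# constructed excerpt of the stock file, in its original order
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-recon,Attempted Information Leak,2
"""

if __name__ == "__main__":
    # An event written with class id 4 resolves only when the order matches.
    print(check_event(TRUNCATED, 4))  # (null)
    print(check_event(FULL, 4))       # attempted-recon
```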