[Discussion] Problem with output of unified2 for banayard2
Will Metcalf
william.metcalf at gmail.com
Wed May 26 02:02:23 UTC 2010
Is this all your classification.config has in it? You need the whole
thing. There is something screwy with unified2 where the
non-commented lines have to be in the correct order in the
classification.config
Regards,
Will
On Tue, May 25, 2010 at 5:38 PM, Miler Alberto Garcia Villanueva
<phl4kx at gmail.com> wrote:
> Additional information:
>
> classification.config
> ----------------
> config classification: attempted-recon,Attempted Information Leak,2
>
>
> barnyard2.config
> ----------------
> config reference_file: /usr/local/etc/suricata/reference.config
> config classification_file: /usr/local/etc/suricata/classification.config
> config gen_file: /usr/local/etc/suricata/gen-msg.map
> config sid_file: /usr/local/etc/suricata/sid-msg.map
>
> All the paths are correct.
>
>
>
> Run Barnyard2
> ----------------
> barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/suricata -f
> unified2.alert
>
> ______ -*> Barnyard2 <*-
> / ,,_ \ Version 2.1.9-beta1 (Build 251)
>
>
>
> 2010/5/25 Miler Alberto Garcia Villanueva <phl4kx at gmail.com>:
>> Hi all, recently I have a problem with the output of unified2 when
>> barnyard2 reads the unified2.alert.* files. The problem is that
>> barnyard2 can read the unified2.alert.* files of the suricata log but
>> can't identify the classification; the alert output looks like
>> this in barnyard:
>>
>> <bridge0> ET SCAN NMAP -sS window 4096 [**] [Classification ID:
>> (null)] [Priority ID: 3]
>>
>> Classification ID: null and priority of 3,
>>
>> The alert and fast.log output of suricata identifies the
>> classification correctly.
>>
>> I contacted the developers of barnyard2 and they told me that it may be a
>> problem with the log (unified2.alert.* files) generated by suricata.
>>
>> Thanks a lot
>>
>> Miler
>>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
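To illustrate Will's point, here is an added example that is not part of this thread or of either project's code: it numbers the non-commented `config classification:` lines in file order the way barnyard2 does, reads the classification field out of a constructed unified2 IDS event record, and shows that the one-line classification.config from the post cannot resolve an ID that the full file would. The record layout, entry names and sample values are assumptions, not taken from the poster's logs.

```python
import struct
from typing import Dict, Optional, Tuple

# Constructed sample: the one-line file from the thread versus a fuller one.
# Entry names are illustrative, not copied from any distribution's file.
TRUNCATED_CONFIG = "config classification: attempted-recon,Attempted Information Leak,2\n"
FULL_CONFIG = """# comments and blank lines are skipped; only 'config classification:' lines count
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: attempted-recon,Attempted Information Leak,2
"""

def parse_classification_config(text: str) -> Dict[int, Tuple[str, str, int]]:
    """Number the 'config classification:' lines 1..N in file order.
    The unified2 classification field is just that index, so the writer
    (suricata) and the reader (barnyard2) must see the same lines in the same
    order; a shortened or reordered file changes what each index means."""
    table: Dict[int, Tuple[str, str, int]] = {}
    class_id = 0
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("config classification:"):
            continue  # comments, blanks and unrelated config lines are not counted
        name, desc, prio = (f.strip() for f in line.split(":", 1)[1].split(","))
        class_id += 1
        table[class_id] = (name, desc, int(prio))
    return table

# Assumed unified2 IDS event (record type 7) layout: 11 big-endian uint32 fields,
# then sport/dport (uint16) and protocol/impact_flag/impact/blocked (uint8).
# classification_id is the 8th uint32 (index 7) of the record body.
UNIFIED2_IDS_EVENT = 7
_EVENT_FMT = ">" + "I" * 11 + "HHBBBB"  # 52-byte body

def build_event(signature_id: int, class_id: int, priority: int) -> bytes:
    """Constructed record header (type, length) plus event body."""
    body = struct.pack(_EVENT_FMT, 1, 1, 1274827080, 0, signature_id, 1, 1,
                       class_id, priority, 0x0A000001, 0x0A000002, 40000, 80, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

def classification_of(record: bytes, table: Dict[int, Tuple[str, str, int]]) -> Optional[str]:
    """Resolve the record's classification index against the parsed table."""
    rtype, length = struct.unpack(">II", record[:8])
    if rtype != UNIFIED2_IDS_EVENT or length != len(record) - 8:
        raise ValueError("not a complete unified2 IDS event record")
    class_id = struct.unpack(_EVENT_FMT, record[8:8 + length])[7]
    entry = table.get(class_id)
    return entry[0] if entry else None  # None is what barnyard2 prints as (null)
```

With the full file the constructed event (index 3) resolves to attempted-recon; with the one-line file index 3 does not exist and the lookup returns None, matching the "[Classification ID: (null)]" output in the post.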