[Discussion] Problem with output of unified2 for barnyard2
firnsy
firnsy at securixlive.com
Wed May 26 09:04:52 UTC 2010
Will, Suricata Team,
Apologies for this appearing out of left field. I was a little more
diplomatic in my response to Miler, indicating that I would investigate
the issue more thoroughly before making any educated conclusions.
When I find the problem, I'll provide a more thorough bug report (and
most likely a proposed patch).
Regards,
firnsy
On Tue, 2010-05-25 at 21:02 -0500, Will Metcalf wrote:
> Is this all your classification.config has in it? You need the whole
> thing. There is something screwy with unified2 where the
> non-commented lines have to be in the correct order in the
> classification.config
>
> Regards,
>
> Will
>
> On Tue, May 25, 2010 at 5:38 PM, Miler Alberto Garcia Villanueva
> <phl4kx at gmail.com> wrote:
> > Additional information:
> >
> > classification.config
> > ----------------
> > config classification: attempted-recon,Attempted Information Leak,2
> >
> >
> > barnyard2.config
> > ----------------
> > config reference_file: /usr/local/etc/suricata/reference.config
> > config classification_file: /usr/local/etc/suricata/classification.config
> > config gen_file: /usr/local/etc/suricata/gen-msg.map
> > config sid_file: /usr/local/etc/suricata/sid-msg.map
> >
> > All the paths are correct.
> >
> >
> >
> > Run Barnyard2
> > ----------------
> > barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/suricata -f unified2.alert
> >
> > ______ -*> Barnyard2 <*-
> > / ,,_ \ Version 2.1.9-beta1 (Build 251)
> >
> >
> >
> > 2010/5/25 Miler Alberto Garcia Villanueva <phl4kx at gmail.com>:
> >> Hi all, recently I have a problem with the output of unified2 when
> >> barnyard2 reads the unified2.alert.* files. The problem is that
> >> barnyard2 can read the unified2.alert.* files of the Suricata log but
> >> can't identify what the classification is; the alert output is like
> >> this in barnyard2:
> >>
> >> <bridge0> ET SCAN NMAP -sS window 4096 [**] [Classification ID:
> >> (null)] [Priority ID: 3]
> >>
> >> Classification ID null and a priority of 3.
> >>
> >> The alert and fast.log output of Suricata identifies the
> >> classification correctly.
> >>
> >> I contacted the developers of barnyard2 and they told me that it may be
> >> a problem with the log (unified2.alert.* files) generated by Suricata.
> >>
> >> Thanks a lot
> >>
> >> Miler
> >>
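Will's remark that the non-commented lines of classification.config have to be in the correct order is what the example below exercises. It is an added example, not code from this thread, from Suricata or from barnyard2. It assumes that a unified2 IDS_EVENT record (type 7) carries the classification as a 32-bit integer in the fixed-layout event body, and that both the sensor writing the file and the reader consuming it number classification.config entries by their position among the non-comment lines, starting at 1. The unified2 bytes, the two classification.config texts, the sid, addresses and ports are all constructed for the demonstration.

```python
"""Decode unified2 IDS events and resolve their classification ids.

Added example; not Suricata or barnyard2 code. Assumed: type-7 records
carry classification_id as a 32-bit integer, and classification.config
entries are numbered 1, 2, 3, ... by order of the non-comment lines.
"""
import struct

UNIFIED2_IDS_EVENT = 7
RECORD_HDR = struct.Struct("!II")        # record type, record length (big-endian)
IDS_EVENT = struct.Struct("!11I2H4B")    # 52-byte IDS_EVENT body (assumed layout)
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def load_classifications(text):
    """Map classification id -> (name, description, priority).

    Ids are assigned in file order, so removing or reordering a line
    silently renumbers every entry that follows it.
    """
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("config classification:"):
            continue  # comments, blanks and other directives consume no id
        body = line[len("config classification:"):]
        name, desc, prio = (p.strip() for p in body.split(",", 2))
        classes[len(classes) + 1] = (name, desc, int(prio))
    return classes


def iter_records(data):
    """Yield (record_type, payload) for every record in a unified2 blob."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        payload = data[off:off + rlen]
        if len(payload) != rlen:
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, payload
        off += rlen


def parse_ids_events(data):
    """Return the IDS_EVENT records as dicts keyed by field name."""
    events = []
    for rtype, payload in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            values = IDS_EVENT.unpack(payload[:IDS_EVENT.size])
            events.append(dict(zip(IDS_EVENT_FIELDS, values)))
    return events


def resolve_classification(event, classes):
    """Classification name for the event, or None when the reader's table
    has no entry for that id (what barnyard2 printed as '(null)')."""
    entry = classes.get(event["classification_id"])
    return entry[0] if entry else None


def build_ids_event(**fields):
    """Encode a constructed IDS_EVENT record (header + body); unset fields are 0."""
    body = IDS_EVENT.pack(*[fields.get(name, 0) for name in IDS_EVENT_FIELDS])
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed: leading entries of a Suricata-style classification.config,
# in the order the sensor numbered them (attempted-recon is id 4 here).
FULL_CONFIG = """\
# comment lines and blank lines do not consume an id
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-recon,Attempted Information Leak,2
"""

# Constructed: the single-line file from the thread. attempted-recon is now id 1.
ONE_LINE_CONFIG = "config classification: attempted-recon,Attempted Information Leak,2\n"

# Constructed event whose writer numbered attempted-recon as 4.
# sid, addresses and ports are placeholders, not a real rule.
SAMPLE = build_ids_event(
    event_id=1, event_second=1274826000, signature_id=1000001, generator_id=1,
    signature_revision=1, classification_id=4, priority_id=2,
    ip_source=0xC0A80001, ip_destination=0xC0A80002,
    sport_itype=40000, dport_icode=22, protocol=6,
)


def demo():
    """Resolve the same event against the full and the one-line config."""
    event = parse_ids_events(SAMPLE)[0]
    return (
        resolve_classification(event, load_classifications(FULL_CONFIG)),
        resolve_classification(event, load_classifications(ONE_LINE_CONFIG)),
    )


if __name__ == "__main__":
    print(demo())  # ('attempted-recon', None)
```

With the full file the reader's table reaches id 4 and the event resolves to attempted-recon; with the one-line file the table stops at id 1, the id the sensor wrote is unknown to the reader, and the lookup returns None, which is the "(null)" in Miler's output. The practical check is therefore that the reader's classification.config is the complete file from the sensor, with its non-comment lines in the same order, rather than a trimmed copy containing only the classtypes one expects to see.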