[Snortsam-discussion] Snortsam Password mismatch! error

Keith Mitchell the.keithm at gmail.com
Wed May 28 13:38:00 EDT 2008


Just as an FYI, I set up separate barnyard instances, one polling 
snort.log as below, with an output_log_acid_db, and one polling 
snort.alert with an output alert_fwsam: 127.0.0.1/password.

As before, barnyard "checks in" with snortsam just fine, but never 
pushes blocks out to it.

Keith Mitchell
CTO
Productivity Associates, Inc.

Keith Mitchell wrote:
> I've got snort set up to output log_unified and alert_unified.
>
> barnyard is run with the following command line:  (example)
>
> /usr/bin/barnyard -c /etc/snort/sensor/barnyard.conf -g 
> /etc/snort/gen-msg.map -s /etc/snort/sensor/sid-msg.map -f snort.log 
> -w /var/log/snort/snort-sensor/waldo.file -p 
> /etc/snort/sensor/classification.config -X 
> /var/run/barnyard-sensor.pid -L /var/log/snort/snort-sensor -a 
> /var/log/snort/snort-sensor/OLD -d /var/log/snort/snort-sensor -D
>
> barnyard.conf has the following output lines:
>
> output alert_acid_db: mysql, sensor_id 1, database snort, server 
> localhost, username username, password password
> output log_acid_db: mysql, sensor_id 1, database snort, server 
> localhost, username username, password password
>
> output alert_fwsam: 127.0.0.1/password
>
> Should I rem out the output alert_acid_db?
>
> Frank Knobbe wrote:
>> On Thu, 2008-05-08 at 11:12 -0700, Keith Mitchell wrote:
>>   
>>> Yeah no errors.  Checkin successful, then nothing.
>>>
>>> Events are being logged into mysql by barnyard though.
>>>
>>> And I've seen events come through in the logs that are tagged in my
>>> sid-block.map file.
>>>     
>>
>> Remember, Snortsam is an *alert* output plugin. If you run Barnyard in
>> log mode, it won't trigger the block. Can you check how BY is
>> configured/run?
>>
>> -Frank