[Snortsam-discussion] Snortsam Password mismatch! error

Keith Mitchell the.keithm at gmail.com
Fri May 30 17:36:37 EDT 2008


Frank Knobbe wrote:
> On Wed, 2008-05-28 at 10:38 -0700, Keith Mitchell wrote:
>   
>> Just as an FYI, I set up separate barnyard instances, one polling
>> snort.log as below, with an output_log_acid_db, and one polling
>> snort.alert with an output alert_fwsam: 127.0.0.1/password. 
>>
>> As before,  barnyard "checks in" with snortsam just fine, but never
>> pushes blocks out to it.
>>     
>
> Yeah, that's because the stock BY patch is sorta broken. The path for
> sid-block.map is assembled (during the command line parsing) *after* the
> config file is read (which is too late).
>
> See the link JJ just posted to his blog. He has a BY hack-patch that
> will hardcode the path for sid-block.map. And I think there was one more
> hack in there... anyway, after applying that, BY should function fine.
>
>
> It's interesting though. The BY patch has been around for ages but only
> been recently rediscovered. Eventually I'll come up with a cleaner fix
> for it and get it in shape. Until then, use JJ's hack.
>
> Regards,
> Frank
>
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
>
>   
Ironically enough, I actually used JJ's patch on my BY.  It was his FAQ 
I followed to set this whole thing up.  :-)

I also installed a barnyard_byte_neutral_patch I found from somewhere 
because barnyard kept choking on snort 2.8.1 unified logs.
