[Snortsam-discussion] Snortsam Password mismatch! error

JJ Cummings cummingsj at gmail.com
Fri May 30 17:42:19 EDT 2008


Yeah, then it must be that there is a path issue, double check the 
location and make sure that it all matches up...

I am using the latest BY (patched) with snort 2.8.1 and just today 2.8.2 
without issue...  what distro is this running on?

J

Keith Mitchell wrote:
> Frank Knobbe wrote:
>> On Wed, 2008-05-28 at 10:38 -0700, Keith Mitchell wrote:
>>   
>>> Just as an FYI, I set up separate barnyard instances, one polling
>>> snort.log as below, with an output_log_acid_db, and one polling
>>> snort.alert with an output alert_fwsam: 127.0.0.1/password. 
>>>
>>> As before,  barnyard "checks in" with snortsam just fine, but never
>>> pushes blocks out to it.
>>>     
>>
>> Yeah, that's because the stock BY patch is sorta broken. The path for
>> sid-block.map is assembled (during the command line parsing) *after* the
>> config file is read (which is too late).
>>
>> See the link JJ just posted to his blog. He has a BY hack-patch that
>> will hardcode the path for sid-block.map. And I think there was one more
>> hack in there... anyway, after applying that, BY should function fine.
>>
>>
>> It's interesting though. The BY patch has been around for ages but only
>> been recently rediscovered. Eventually I'll come up with a cleaner fix
>> for it and get it in shape. Until then, use JJ's hack.
>>
>> Regards,
>> Frank
>>
>>
>> _______________________________________________
>> Snortsam-discussion mailing list
>> Snortsam-discussion at snortsam.net
>> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
>>
>>   
> Ironically enough, I actually used JJ's patch on my BY.  It was his 
> FAQ I followed to set this whole thing up.  :-).
>
> I also installed a barnyard_byte_neutral_patch I found from somewhere 
> because barnyard kept choking on snort 2.8.1 unified logs.
>