[Snortsam-discussion] Snortsam Password mismatch! error
Keith Mitchell
the.keithm at gmail.com
Fri May 30 17:48:49 EDT 2008
It's FC8 x64. The snortsam / barnyard were compiled on FC8 i386 due to
previously discussed problems with snortsam and 64-bit code.
I've double-checked all the pathing, as barnyard previously core-dumped
if the pathing was at all incorrect.
JJ Cummings wrote:
> Yeah, then it must be that there is a path issue, double check the
> location and make sure that it all matches up...
>
> I am using the latest BY (patched) with snort 2.8.1 and just today
> 2.8.2 without issue... what distro is this running on?
>
> J
>
> Keith Mitchell wrote:
>> Frank Knobbe wrote:
>>> On Wed, 2008-05-28 at 10:38 -0700, Keith Mitchell wrote:
>>>
>>>> Just as an FYI, I set up separate barnyard instances, one polling
>>>> snort.log as below, with an output_log_acid_db, and one polling
>>>> snort.alert with an output alert_fwsam: 127.0.0.1/password.
>>>>
>>>> As before, barnyard "checks in" with snortsam just fine, but never
>>>> pushes blocks out to it.
>>>>
>>>
>>> Yeah, that's because the stock BY patch is sorta broken. The path for
>>> sid-block.map is assembled (during the command line parsing) *after* the
>>> config file is read (which is too late).
>>>
>>> See the link JJ just posted to his blog. He has a BY hack-patch that
>>> will hardcode the path for sid-block.map. And I think there was one more
>>> hack in there... anyway, after applying that, BY should function fine.
>>>
>>>
>>> It's interesting though. The BY patch has been around for ages but only
>>> been recently rediscovered. Eventually I'll come up with a cleaner fix
>>> for it and get it in shape. Until then, use JJ's hack.
>>>
>>> Regards,
>>> Frank
>>>
>>>
>>> _______________________________________________
>>> Snortsam-discussion mailing list
>>> Snortsam-discussion at snortsam.net
>>> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
>>>
>>>
>> Ironically enough, I actually used JJ's patch on my BY. It was his
>> FAQ I followed to set this whole thing up. :-).
>>
>> I also installed a barnyard_byte_neutral_patch I found from somewhere
>> because barnyard kept choking on snort 2.8.1 unified logs.