Ah, that would explain it. Weird...I just checked my barnyard.conf file (just 
to make sure that I wasn't imagining things) and it does indeed say "output 
alert_fast". Very strange. Anyway, thanks for your help. I'm making the change 
to my OSSEC config as I type this. On a side note, I'm the guest lecturer in 
the Intrusion Detection class at the University of Illinois at Springfield 
tonight and I'm going to be espousing the virtues of OSSEC used in conjunction 
with Snort. 
 
Kurt
perl -e "($_='tjgvlvsuAzbipp/dpn')=~s/(.)/chr(ord($1)-1)/ge;print"
-----
Society doesn't understand me and technology fears me.

----- Original Message ----
From: Daniel Cid <[EMAIL PROTECTED]>
To: [email protected]
Cc: Kurt <[EMAIL PROTECTED]>
Sent: Tuesday, November 14, 2006 2:58:58 PM
Subject: [ossec-list] Re: Snort Decoder


Hi Kurt,

This is not the snort fast output that you have in there, but the
snort full one (or something similar). Maybe barnyard is messing
things around..
Try configuring ossec to read it as "snort-full" instead of
"snort-fast" to see if it works (it should). Just change the
log_format for the alert file to be:

<log_format>snort-full</log_format>


The snort-fast is a one event per line log, like that:

01/13-14:55:40.175329  [**] [1:1420:11] SNMP trap tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.100.1:61962 -> 10.10.100.2:162

Let us know if it works or not..

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
On 11/14/06, Kurt <[EMAIL PROTECTED]> wrote:
>
> Ok. I was using that test rule to illustrate my point, but in the interest of 
> not getting issues mixed up, here is the same point illustrated with properly 
> configured Snort/Barnyard/OSSEC:
>
> Here are two alerts from the Snort fast.alert file:
> ------------------------------------------------------------------------
> 10/31/06-04:20:48.597375 {TCP} 10.11.10.23:15104 -> 10.7.3.11:139
> [**] [1:250:4] DDOS mstream handler to client [**]
> [Classification: Attempted Denial of Service] [Priority: 2]
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138]
> ------------------------------------------------------------------------
> 10/31/06-08:59:46.876833 {TCP} 207.99.46.25:80 -> 10.11.10.23:16273
> [**] [1:8443:1] WEB-CLIENT Mozilla regular expression heap corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1]
> [Xref => http://www.securityfocus.com/bid/20042]
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4566]
> ------------------------------------------------------------------------
>
> And here are those alerts as picked up by OSSEC:
> ** Alert 1163192895.15466:
> 2006 Oct 31 04:20:50 infosec2->/var/log/snort/fast.alert
> Rule: 20101 (level 6) -> 'IDS event.'
> Src IP: (none)
> User: (none)
> [**] [1:250:4] DDOS mstream handler to client [**]
>
> ** Alert 1163192895.15668:
> 2006 Oct 31 08:59:51 infosec2->/var/log/snort/fast.alert
> Rule: 20101 (level 6) -> 'IDS event.'
> Src IP: (none)
> User: (none)
> [**] [1:8443:1] WEB-CLIENT Mozilla regular expression heap corruption attempt [**]
>
> OSSEC is apparently not picking up the source IP, and from what I can tell 
> from the Snort decoder file, it is also supposed to be picking up the 
> destination IP, is that correct?
>
> Kurt
> perl -e "($_='tjgvlvsuAzbipp/dpn')=~s/(.)/chr(ord($1)-1)/ge;print"
> -----
> Society doesn't understand me and technology fears me.
>
> ----- Original Message ----
> From: Will Metcalf <[EMAIL PROTECTED]>
> To: [email protected]
> Sent: Tuesday, November 14, 2006 7:43:19 AM
> Subject: [ossec-list] Re: Snort Decoder
>
>
> if you are adding rules you need to update sid-msg.map, look at the
> file it isn't that complicated.  If you want to map alerts from the
> decoder/preprocs  you need to point barnyard to your gen-msg.map.....
>
> Regards,
>
> Will
>
>
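The two layouts discussed in this thread, side by side, as an added example (not OSSEC's decoder and not code from anyone on the list): a small Python decoder that handles Daniel's one-line snort-fast layout and the dashed multi-line layout barnyard wrote in Kurt's case, and that shows why picking the wrong `<log_format>` yields events with "Src IP: (none)" rather than an error. The sample records are constructed from the alerts pasted above; the function names and the regexes are my own.

```python
"""Decode Snort alert records in the two layouts discussed in this thread."""
import re
from typing import Dict, List, Optional

# Constructed sample: the snort-fast layout Daniel describes, one event per
# line with "{proto} src:port -> dst:port" at the END of the line.
FAST_SAMPLE = (
    "01/13-14:55:40.175329  [**] [1:1420:11] SNMP trap tcp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 10.10.100.1:61962 -> 10.10.100.2:162\n"
)

# Constructed sample: the multi-line, full-style layout barnyard wrote in
# Kurt's case; addresses on the first line, signature on the second, records
# separated by a dashed line (values copied from the alerts pasted above).
FULL_SAMPLE = """\
------------------------------------------------------------------------
10/31/06-04:20:48.597375 {TCP} 10.11.10.23:15104 -> 10.7.3.11:139
[**] [1:250:4] DDOS mstream handler to client [**]
[Classification: Attempted Denial of Service] [Priority: 2]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138]
------------------------------------------------------------------------
10/31/06-08:59:46.876833 {TCP} 207.99.46.25:80 -> 10.11.10.23:16273
[**] [1:8443:1] WEB-CLIENT Mozilla regular expression heap corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
[Xref => http://www.securityfocus.com/bid/20042]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4566]
------------------------------------------------------------------------
"""

# Building blocks shared by both layouts (hypothetical regexes, not OSSEC's).
ADDR = (r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
        r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?")
SIG = r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
CLS = r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s*)?\[Priority:\s*(?P<prio>\d+)\]"

FAST_RE = re.compile(r"^(?P<ts>\S+)\s+" + SIG + r"\s+" + CLS + r"\s+" + ADDR + r"\s*$")
FULL_HEAD_RE = re.compile(r"^(?P<ts>\S+)\s+" + ADDR + r"\s*$")
SIG_RE = re.compile(SIG)
CLS_RE = re.compile(CLS)
SEPARATOR_RE = re.compile(r"^-{10,}\s*$")

FIELDS = ("ts", "gid", "sid", "rev", "msg", "cls", "prio",
          "proto", "src", "sport", "dst", "dport")
Event = Dict[str, Optional[str]]


def _empty() -> Event:
    return {k: None for k in FIELDS}


def _merge(event: Event, match) -> None:
    """Copy every named group that actually matched into the event."""
    for key, value in match.groupdict().items():
        if value is not None:
            event[key] = value


def parse_fast(line: str) -> Optional[Event]:
    """One snort-fast line -> event, or None if the line is not in that layout."""
    match = FAST_RE.match(line.strip())
    if not match:
        return None
    event = _empty()
    _merge(event, match)
    return event


def split_full_records(text: str) -> List[str]:
    """Split a full-style file into records on its dashed separator lines."""
    records, current = [], []
    for line in text.splitlines():
        if SEPARATOR_RE.match(line):
            if current:
                records.append("\n".join(current))
                current = []
        elif line.strip():
            current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_full(record: str) -> Optional[Event]:
    """One multi-line record -> event; the header line must carry the addresses."""
    lines = record.splitlines()
    head = FULL_HEAD_RE.match(lines[0].strip()) if lines else None
    if not head:
        return None
    event = _empty()
    _merge(event, head)
    for line in lines[1:]:
        for regex in (SIG_RE, CLS_RE):
            match = regex.search(line)
            if match:
                _merge(event, match)
    return event


def decode(text: str, log_format: str) -> List[Event]:
    """Decode a file the way a fixed <log_format> choice would. With the wrong
    choice the result is not an error but events whose addresses stay None:
    the "Src IP: (none)" symptom reported in the thread."""
    if log_format == "snort-full":
        return [e for e in map(parse_full, split_full_records(text)) if e]
    if log_format != "snort-fast":
        raise ValueError("unknown log_format: %s" % log_format)
    events = []
    for line in text.splitlines():
        signature = SIG_RE.search(line)
        if not signature:
            continue                      # no signature, no IDS event
        event = parse_fast(line)
        if event is None:
            # Signature present, but the trailing "{proto} src -> dst" block
            # the fast layout keeps on the same line is missing: src/dst unset.
            event = _empty()
            _merge(event, signature)
        events.append(event)
    return events


if __name__ == "__main__":
    for fmt, sample in (("snort-fast", FAST_SAMPLE), ("snort-fast", FULL_SAMPLE),
                        ("snort-full", FULL_SAMPLE)):
        for e in decode(sample, fmt):
            print("%-10s sid=%-5s src=%-13s dst=%-13s %s"
                  % (fmt, e["sid"], e["src"], e["dst"], e["msg"]))
```

Running the block prints the same signature twice for the full-style file: once decoded as snort-fast with src and dst empty (Kurt's output), and once decoded as snort-full with both addresses filled in (Daniel's suggested fix). The point for a deployment is that a decoder silently degrades on the wrong layout, so a quick check that alerts actually carry source addresses is worth doing after any change to barnyard or the `<log_format>` line.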