Just updated to Snort 2.8.6, Base 1.4.5. Use oinkmaster to update signatures, use create-sidmap.pl to create sidmap and barnyard to upload from sensors to base mysql db.
Barnyard called w/
/usr/local/bin/barnyard -D -c /etc/snort/barnyard.conf -d /var/log/snort -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -w /etc/snort/barnyard.bookmark -n -X /var/run/barnyard.pid -f snort_unified.log
~$ grep 16408 /etc/snort/sid-msg.map
16408 || DOS Microsoft Windows TCP SACK invalid range denial of service attempt || url,www.microsoft.com/technet/security/bulletin/MS10-009.mspx || cve,2010-0242
Even though the sids are defined in sid-msg.map and barnyard is pointing to sid-msg.map in its start up, base is still showing:
Snort Alert attempted-dos as the alert name.
Does anyone have any ideas?
Hi! Please check your `alerts` table in the database to ensure that the signature name is being populated there by BY. I suspect that BY is not correctly reading the sid-msg.map.