Re: issues with Snort report 1.3&VRT rules&ET rules&threshold.conf
From: Joel Esler <joel.esler () me com>
Date: Tue, 30 Nov 2010 19:21:54 -0500

Is it because, with the #2 line, your output is to the console ("-A console")?
Remember, the command line overrides the snort.conf output lines.

J

On Tue, Nov 30, 2010 at 7:02 PM, Jun Wan <junwei_wan () hotmail com> wrote:

 Hi,

BASE is not maintained, and it lacks docs, so I chose Snort Report (SR).
I have got lots of help from David Gullett; David has done a wonderful job,
thanks David.

Two issues on Snort 2.8.6.0 with SR 1.3 are very strange. I thought you
guys may be interested to know; please see the following:

1.) If I do the following commands:

sudo /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
sudo /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

The results: the activated rules in emerging.conf and the settings in
threshold.conf are not working, but SR is working; snort is running with
VRT rules only (not running ET rules & threshold.conf).

2.) Or, if I do the following command:

sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -A console

The results: the activated rules in emerging.conf and the settings in
threshold.conf are working, but SR is not working (no data), and snort is
running with VRT rules and ET rules and threshold.conf.

Same issues happen to Snort 2.9.0 with SR1.3.

I would like to solve these issues before I put Snort 2.8.6 &2.9.0 with SR
1.3 into our live network.

Any information/idea/direction would be highly appreciated.

Regards

John




-- 
Joel Esler
http://blog.joelesler.net
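The configuration behind the reply above, as an added illustration that is not part of the original thread. Snort Report reads the alert database that barnyard2 fills from Snort's unified2 spool; if alerting is redirected to the console on the command line, the output plugin in snort.conf is not used and barnyard2 has nothing to read. The output and barnyard2 directives are standard Snort 2.x / barnyard2 syntax; the file names, paths and database credentials are assumptions, not values taken from the thread.

```conf
# --- snort.conf (excerpt), assumed path /usr/local/snort/etc/snort.conf ---
# Output plugin that barnyard2 consumes.  Snort writes files named
# snort.u2.<epoch> into its log directory (-l, default /var/log/snort),
# rolling to a new file every 128 MB.
output unified2: filename snort.u2, limit 128

# Launch that lets the output line above take effect (poster's command #1):
#   snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
# Launch that bypasses it (poster's command #2): per the reply, "-A console"
# on the command line overrides the snort.conf output lines, so alerts go to
# stdout and no unified2 records reach barnyard2 or Snort Report:
#   snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -A console

# --- barnyard2.conf (excerpt), assumed path /usr/local/snort/etc/barnyard2.conf ---
# Maps used to turn generator/signature IDs into the text Snort Report shows.
config reference_file:      /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file:            /usr/local/snort/etc/gen-msg.map
config sid_file:            /usr/local/snort/etc/sid-msg.map

# Read the unified2 spool; the -f snort.u2 prefix and -d /var/log/snort on the
# barnyard2 command line must match the filename/log directory Snort uses.
input unified2

# Human-readable copy of each alert, useful for confirming records are flowing.
output alert_fast

# Database that the Snort Report front end queries (credentials are placeholders).
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

A quick way to tell which path is in effect: start Snort without -A, then check that a file matching /var/log/snort/snort.u2.* exists and keeps growing while barnyard2 runs; if alerts are only appearing on the terminal, the command line has taken over from the snort.conf output plugin.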
