Snort mailing list archives

Re: MySQL support for Snort 2.9.4
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 11 Dec 2012 16:41:06 -0500

On Tue, Dec 11, 2012 at 09:26:55PM +0000, Kaya Saman wrote:
On 12/11/2012 07:11 PM, Joel Esler wrote:
You aren't generating any alerts because of:

On Dec 11, 2012, at 2:06 PM, Kaya Saman <kayasaman () gmail com> wrote:

Bad Chk Sum:      9421212 ( 50.311%)

Try adding -k none to your Snort command line and see if you get
anything logged that way.

Action Stats:
   Alerts:            0 (  0.000%)
   Logged:            0 (  0.000%)
   Passed:            0 (  0.000%)

See, nothing alerted.

You might want to use PulledPork to manage your ruleset, as it
looks like you have a bunch of unresolved flowbit issues.

Thanks Joel,

I used PulledPork but it didn't get any of the *.rules files that
are in the tar.gz file. I manually added them in then ran PP again
out of which I got:

Reading rules...
Reading rules...
Reading rules...
Setting Flowbit State....
        Enabled 23 flowbits
        Enabled 1 flowbits
Writing /etc/snort/rules/snort.rules....
Writing /etc/snort/rules/so_rules.rules....
Generating sid-msg.map....
Writing /etc/snort/sid-msg.map....
Writing /var/log/sid_changes.log....
Rule Stats....
        Enabled Rules:----16879
        Dropped Rules:----0
        Disabled Rules:---14849
        Total Rules:------31728

I still get the flow bit errors as PP from above only enabled 24.

In the log file I noticed that I got a bunch of "unknown message"
entries, so I don't know if that's got anything to do with it?

It would help if you'd post the errors you received.

Using the -k none option as suggested previously I don't get any
more 'Bad Chk Sum' errors, but I still don't get anything logged.

Well if you are evaluating all the traffic, then you might not have anything for Snort to trigger off of.  But let's 
keep checking to be sure.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
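The two summaries quoted in this thread carry the whole diagnosis: a large "Bad Chk Sum" share with zero Alerts points at checksum offload on the capture interface (Snort skips checksum-failing packets before detection by default, which is why -k none changes the outcome), while the PulledPork rule stats show whether the ruleset actually ended up enabled. The script below is an added example, not code from the thread, from Snort or from PulledPork: it parses both outputs and returns findings a responder can act on. The sample text is constructed to mirror the figures posted above, the line layout is assumed from the quoted output, and the 5% threshold is an arbitrary choice.

```python
import re

# Constructed excerpt of a Snort 2.9.x run summary; the bad-checksum and
# action figures mirror the thread, the other counts are made up.
SAMPLE_SNORT_SUMMARY = """\
Packet I/O Totals:
   Received:     18724192
   Analyzed:     18724192 (100.000%)
   Dropped:             0 (  0.000%)
Breakdown by protocol (includes rebuilt packets):
        Eth:     18724192 (100.000%)
        IP4:     18601344 ( 99.344%)
        TCP:     17201112 ( 91.866%)
        UDP:      1400232 (  7.478%)
Bad Chk Sum:      9421212 ( 50.311%)
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
"""

# Constructed PulledPork "Rule Stats" block using the numbers from the thread.
SAMPLE_PULLEDPORK_STATS = """\
Rule Stats....
        Enabled Rules:----16879
        Dropped Rules:----0
        Disabled Rules:---14849
        Total Rules:------31728
"""

# "<label>:   <count> ( <percent>%)"; the percentage part is optional
# because lines such as "Received:" carry only a count.
SNORT_STAT_RE = re.compile(
    r"^\s*([A-Za-z][A-Za-z0-9 ]*?):\s+(\d+)(?:\s+\(\s*([\d.]+)%\))?\s*$"
)
PP_STAT_RE = re.compile(r"^\s*(Enabled|Dropped|Disabled|Total) Rules:-+(\d+)\s*$")


def parse_snort_summary(text):
    """Map each counted summary label to (count, percent or None)."""
    stats = {}
    for line in text.splitlines():
        m = SNORT_STAT_RE.match(line)
        if m:
            label, count, pct = m.groups()
            stats[label.strip()] = (int(count), float(pct) if pct is not None else None)
    return stats


def parse_pulledpork_stats(text):
    """Map 'enabled', 'dropped', 'disabled', 'total' to their rule counts."""
    return {
        m.group(1).lower(): int(m.group(2))
        for m in (PP_STAT_RE.match(line) for line in text.splitlines())
        if m
    }


def ruleset_is_consistent(pp):
    """PulledPork's enabled + disabled + dropped should account for every rule."""
    return pp.get("enabled", 0) + pp.get("disabled", 0) + pp.get("dropped", 0) == pp.get("total", -1)


def diagnose(stats, pp, bad_cksum_threshold=5.0):
    """Return a list of (code, advice) tuples describing why nothing alerted."""
    findings = []
    alerts = stats.get("Alerts", (0, None))[0]
    bad = stats.get("Bad Chk Sum")
    if bad is not None and bad[1] is not None and bad[1] >= bad_cksum_threshold:
        findings.append((
            "BAD_CHECKSUMS",
            f"{bad[1]:.1f}% of packets failed checksum verification and were not "
            "inspected. Confirm with '-k none', then fix checksum offload on the "
            "capture interface so verification can stay enabled.",
        ))
    if pp.get("enabled", 0) == 0:
        findings.append(("NO_RULES", "PulledPork enabled no rules; check the rule tarball path."))
    if alerts == 0 and not findings:
        findings.append((
            "NO_ALERTS",
            "Checksums and ruleset look sane; check flowbit dependencies and whether "
            "the observed traffic can match the enabled rules at all.",
        ))
    return findings


if __name__ == "__main__":
    stats = parse_snort_summary(SAMPLE_SNORT_SUMMARY)
    pp = parse_pulledpork_stats(SAMPLE_PULLEDPORK_STATS)
    for code, advice in diagnose(stats, pp):
        print(f"[{code}] {advice}")
```

On the thread's numbers the script reports BAD_CHECKSUMS, which is exactly the situation -k none exposed; once the checksum problem is corrected at the capture side, the remaining NO_ALERTS path is the ruleset and flowbit review.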

Snort-users mailing list
Snort-users () lists sourceforge net

Please visit http://blog.snort.org to stay current on all the latest Snort news!
