Snort mailing list archives

Re: How rules fire question.
From: "AT&T.Net" <coppage () att net>
Date: Thu, 9 May 2013 11:33:18 -0400

Hi Joe,
     I'm still getting non-descriptive alerts. For example "Snort Alert [124:10:1]". I'm wondering if our pulled pork is 
set up correctly. Our Pulledpork server is running on a cent 5.5 and our sensors were upgraded to cent 6.3. 

Everything including the 5.5 box has snort 2.9.4.5 installed on it. In the pulledpork.conf the dist is defined as: 
"distro=Centos-5-4".  Could the distro being defined as 5.4 be the problem and should it be "distro=Centos-6-3"?  Or 
could the Pulledpork server being an old OS be the issue?  

I'm new to snort and this contract and the problem seemed to start happening when they started upgrading from cent 5.5 to 
6.3 and upgrading from an older version of snort. I think we still have a couple of sensors on Cent 5.5 and an older 
version of snort. 

Thanks,
Mike

Sent from mobile device via my thumbs. 

On May 6, 2013, at 2:23 PM, Joel Esler <jesler () sourcefire com> wrote:

Good to hear you got it squared away.


On May 6, 2013, at 1:19 PM, AT&T.Net <coppage () att net> wrote:

Thanks Joe,
     In looking how this box was set up, pulled pork is being used on a central server but one of the scripts being 
used to push the rules and that file to all the sensors was pulling from the wrong location and therefore the 
correct Sid file was not being pushed. 

Thanks,
Mike

Sent from mobile device via my thumbs. 

On May 6, 2013, at 11:06 AM, Joel Esler <jesler () sourcefire com> wrote:

On May 6, 2013, at 10:59 AM, "AT&T.Net" <coppage () att net> wrote:

Hi, 
      My snort is giving me an alert, for example "Snort Alert [1:24889:0]". When I look at my snort.rules file 
there is rev 1 but not a rev 0. If the last number is referencing the rev, why would it have fired on a non-existent 
rev?  I've searched my old archived rules on the server and other rules and don't have that SID with a 
rev 0. 

That rule is at rev:1.  We start all rules at Rev 1.  

So, I am thinking two things

#1 -- You aren't using pulledpork to manage your downloads (which, as part of its download and managing process, 
creates the sid-msg.map for you)
#2 -- Your barnyard2 instance isn't reading the sid-msg.map file that pulledpork generates.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
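An added diagnostic, not part of this thread, for the two symptoms described above (bare "Snort Alert [gid:sid:rev]" strings, and an alert rev that differs from the rev in snort.rules): it parses sid-msg.map (both the legacy layout and the "#v2" layout that newer PulledPork versions write) and gen-msg.map from constructed sample contents, then reports what each alert should have resolved to and which map is responsible when it cannot. Assumed: alerts with gid 1 or 3 resolve through sid-msg.map, and any other gid is a preprocessor or decoder generator that resolves through gen-msg.map.

```python
import re

# Constructed sample map fragments (not taken from the thread's servers).
SID_MSG_MAP_V2 = """#v2
1 || 24889 || 1 || trojan-activity || 1 || MALWARE-CNC constructed example message || url,example.invalid
1 || 2000001 || 3 || misc-activity || 3 || LOCAL constructed example message
"""
GEN_MSG_MAP = """124 || 1 || (preproc) constructed preprocessor message 1
"""

def parse_sid_msg_map(text):
    """Return {(gid, sid): (rev, msg)}; handles the legacy and '#v2' layouts."""
    entries = {}
    v2 = text.lstrip().startswith("#v2")
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if v2:   # gid || sid || rev || classification || priority || msg || refs...
            gid, sid, rev, msg = int(fields[0]), int(fields[1]), int(fields[2]), fields[5]
        else:    # legacy: sid || msg || refs...  (assumed to describe gid 1 only)
            gid, sid, rev, msg = 1, int(fields[0]), None, fields[1]
        entries[(gid, sid)] = (rev, msg)
    return entries

def parse_gen_msg_map(text):
    """Return {(gid, sid): msg} for preprocessor/decoder generators."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        gid, sid, msg = [f.strip() for f in line.split("||", 2)]
        entries[(int(gid), int(sid))] = msg
    return entries

ALERT_RE = re.compile(r"Snort Alert \[(\d+):(\d+):(\d+)\]")

def resolve_alert(alert_text, sid_map, gen_map):
    """Say what a bare 'Snort Alert [gid:sid:rev]' should have read, or why it could not."""
    m = ALERT_RE.search(alert_text)
    if not m:
        return "not a bare Snort Alert string"
    gid, sid, rev = map(int, m.groups())
    if gid in (1, 3):  # text rules and SO rules: looked up in sid-msg.map
        hit = sid_map.get((gid, sid))
        if hit is None:
            return f"{gid}:{sid} missing from sid-msg.map (regenerate it with PulledPork and point barnyard2 at it)"
        note = "" if hit[0] in (None, rev) else f" (map rev {hit[0]}, alert rev {rev})"
        return f"{gid}:{sid} -> {hit[1]!r}{note}"
    hit = gen_map.get((gid, sid))  # preprocessor/decoder alert: looked up in gen-msg.map
    if hit is None:
        return f"{gid}:{sid} missing from gen-msg.map (preprocessor alerts are not in sid-msg.map)"
    return f"{gid}:{sid} -> {hit!r}"
```

Run it against the real maps that barnyard2 is configured to read, not the copies on the PulledPork host, since the thread's root cause was a push script copying from the wrong location.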
