Snort mailing list archives

Re: Snort won't generate alerts with single snort.rules file
From: SnortFan <SnortFan () yahoo com>
Date: Fri, 14 Mar 2014 20:36:37 -0400

At the bottom of your snort.conf, are the included rules files uncommented? Also, in the .rules files themselves, are the 
rules uncommented? When you fire up snort, either on the screen or in /var/log/messages, does it give you a count of rules 
in use (not sure what it's called)? 

Thanks,
Ed

Sent from a mobile device. 

On Mar 13, 2014, at 2:34 PM, Anacleto Junior <suporte.anacleto () gmail com> wrote:

I tried using pulledpork with the -k option and it updated my rules folder.

But when I run snort with some rules enabled, I don't get any alerts.

I noticed that it runs with 0 decoder rules.

How can I solve this? If I run snort with a single rule file, it generates alerts, but if I run snort with multiple 
rules files, it doesn't. I'm a bit confused.


Thanks


2014-03-12 12:13 GMT-03:00 SnortFan <SnortFan () yahoo com>:
I pass -E to my pulledpork to have it write only the enabled rules to the output files.  

That makes the snort.rules file a lot smaller.  If I want to look into disabled rules, I'll go to the tmp location 
on the server pulling the rules and expand the VRT tar file. In it the rules are broken out into separate files.  

Or you can pass pulledpork a -k to keep the rule files in separate files. 

Cheers,
Ed

Sent from a mobile device. 

On Mar 12, 2014, at 8:04 AM, Anacleto Junior <suporte.anacleto () gmail com> wrote:

Yes, it is growing now. I deleted all the rules in /tmp and re-ran pulledpork. I don't know how, but now I have some 
decoder rules enabled when I run Snort (just like Michael said) and am getting alerts. The problem is: having one 
single rule file is, in my opinion, harder to manage. I have problems searching for the rules in a single file. 
I'll go through the options in pulledpork to figure it out.


Thanks


2014-03-12 1:04 GMT-03:00 SnortFan <SnortFan () yahoo com>:
Anacleto,
       Going back to your original question:  "Isn't it supposed to activate all rules by default?"  

No, it will activate a default set of rules. If you look in the snort.rules file, the ones uncommented are the 
active ones. 

Does your output unified file grow as snort runs?  Mine is located at /var/log/snort/. Its location is defined in 
your snort.conf file. 

Cheers,
Ed

Sent from a mobile device. 

On Mar 6, 2014, at 9:19 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

That's why you are getting the dupe rules warning.  That's normal. 


--
Joel Esler
Sent from my iPad

On Mar 6, 2014, at 6:42 PM, "Anacleto Junior" <suporte.anacleto () gmail com> wrote:

Joel,

Yes, I'm using the registered user ruleset and the community ruleset.


2014-03-06 19:22 GMT-03:00 Joel Esler (jesler) <jesler () cisco com>:


On Feb 28, 2014, at 12:21, "Anacleto Junior" <suporte.anacleto () gmail com> wrote:

I got some errors like:
WARNING: /etc/snort/rules/snort.rules(15678) GID 1 SID 24017 in rule duplicates previous rule. Ignoring old 
rule.

Are you using the registered ruleset and the community ruleset?  



-- 
Anacleto Júnior
IT and Network Analyst
Linux User: #447388

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!








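The checks Ed suggests above (are the include lines at the bottom of snort.conf uncommented, are the rules in the .rules files themselves uncommented, and which GID:SID pairs are defined twice, which is what the "duplicates previous rule" warning is about) can be scripted. The script below is an added example, not code from the Snort project, from pulledpork, or from anyone on this thread. The snort.conf fragment and the rule files embedded in it are constructed for illustration; SID 24017 is reused from the warning quoted above purely as sample data, and the rule text attached to it is made up.

```python
"""Sanity-check a Snort 2.x rules directory the way the thread above suggests:
count enabled vs. commented-out rules per file, compare the files present with
the `include $RULE_PATH/...` lines in snort.conf, and flag GID:SID pairs that
appear more than once among the files Snort would actually load.

Added example, not Snort or pulledpork code. Sample inputs are constructed.
"""
import re
from collections import defaultdict

# A rule line starts with an action keyword; a leading '#' means it is disabled.
_RULE_RE = re.compile(r"^(?P<disabled>#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
_INCLUDE_RE = re.compile(r"^(?P<disabled>#\s*)?include\s+\$RULE_PATH/(?P<file>\S+)", re.M)


def _logical_lines(text):
    """Join backslash-continued lines, as the Snort rule parser does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_rules(text):
    """Return [{gid, sid, enabled}, ...] for every rule (active or commented
    out) in `text`. Plain comments and blank lines are ignored."""
    rules = []
    for line in _logical_lines(text):
        m = _RULE_RE.match(line.lstrip())
        sid = _SID_RE.search(line)
        if not m or not sid:
            continue
        gid = _GID_RE.search(line)
        rules.append({
            "gid": int(gid.group(1)) if gid else 1,   # gid defaults to 1 when absent
            "sid": int(sid.group(1)),
            "enabled": m.group("disabled") is None,
        })
    return rules


def diagnose(snort_conf, rules_by_file):
    """rules_by_file maps a file name under $RULE_PATH to its contents.
    Duplicates are only looked for among files snort.conf actively includes,
    because only those reach the parser; uncommenting another include can
    therefore introduce new collisions."""
    active, commented = [], []
    for m in _INCLUDE_RE.finditer(snort_conf):
        (commented if m.group("disabled") else active).append(m.group("file"))

    counts = {}
    for fname, text in rules_by_file.items():
        rules = parse_rules(text)
        counts[fname] = (sum(r["enabled"] for r in rules),
                         sum(not r["enabled"] for r in rules))   # (enabled, disabled)

    seen = defaultdict(list)
    for fname in active:                       # conf order, as Snort loads them
        for r in parse_rules(rules_by_file.get(fname, "")):
            if r["enabled"]:
                seen[(r["gid"], r["sid"])].append(fname)

    return {
        "counts": counts,
        "active_includes": active,
        "commented_includes": commented,
        "not_loaded": sorted(set(rules_by_file) - set(active)),
        "duplicates": {k: v for k, v in seen.items() if len(v) > 1},
    }


# --- constructed sample data (not a real snort.conf or ruleset) -------------
SAMPLE_CONF = """\
# constructed snort.conf fragment
var RULE_PATH /etc/snort/rules
output unified2: filename snort.u2, limit 128
include $RULE_PATH/snort.rules
include $RULE_PATH/community.rules
#include $RULE_PATH/local.rules
"""

SAMPLE_RULES = {
    "snort.rules": """\
# constructed: pulledpork-style combined file
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; \\
    flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; \\
    classtype:attempted-admin; sid:1000001; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"ICMP echo"; itype:8; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"Sample rule"; sid:24017; rev:3;)
""",
    "community.rules": """\
alert tcp any any -> $HOME_NET 80 (msg:"Sample rule, community copy"; sid:24017; rev:3;)
""",
    "local.rules": """\
alert udp any any -> any 53 (msg:"DNS test"; sid:9000001; rev:1;)
""",
}

if __name__ == "__main__":
    report = diagnose(SAMPLE_CONF, SAMPLE_RULES)
    for fname, (on, off) in report["counts"].items():
        print(f"{fname}: {on} enabled, {off} commented out")
    print("commented-out includes:", report["commented_includes"])
    print("files not loaded by snort.conf:", report["not_loaded"])
    for (gid, sid), files in report["duplicates"].items():
        print(f"GID {gid} SID {sid} defined in: {', '.join(files)}")
```

On a real box, replace the sample dictionaries by reading snort.conf and every *.rules file under the rules directory; a duplicate reported here is the same condition that produces Snort's "GID 1 SID 24017 in rule duplicates previous rule" warning, and an include that shows up only under `not_loaded` is the usual reason a rule file "does nothing" after pulledpork -k has split the rules into separate files.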
