Snort mailing list archives

Re: A lot of warning when IDS scan


From: Russ via Snort-users <snort-users () lists snort org>
Date: Tue, 17 Jul 2018 14:25:12 -0400

Hi Dorian,

This comes down to tuning your conf.  Specifically:

1.  If you aren't using SO rules, then comment out:

 dynamicdetection directory /usr/local/lib/snort_dynamicrules

2.  If you aren't running inline, then comment out:

preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

3.  Flowbits warnings are a little trickier to sort out but you can give it a go.  Just comment out the offending rules or uncomment the missing rules.  For examples, look at earlier messages on the list.  It came up not too long ago.

Hope that helps.
Russ

On 7/16/18 10:56 AM, Dorian ROSSE wrote:
Dear IT Snort Community,


I have all these warning problems when I want to run an IDS scan, which I would be happy to have repaired:

WARNING: No dynamic libraries found in directory /usr/lib/snort_dynamicrules
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: icmp4 normalizations disabled because not inline.
WARNING: ip6 normalizations disabled because not inline.
WARNING: icmp6 normalizations disabled because not inline.
WARNING: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
WARNING: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.

Thank you in advance for repairing all these problems.

Regards.


Dorian ROSSE.


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
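
An added example, not part of the original thread and not Snort project code: a Python script that cross-references flowbits keys across a rules file to find the rules behind the two flowbits warnings from step 3, including disabled rules that would set a missing key. The sample rules and SIDs are constructed; one rule per line is assumed, and counting `set`/`setx`/`toggle` as "set" and `isset`/`isnotset` as "checked" is an assumption about how Snort tallies them.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from any real ruleset); SIDs are in the local range.
SAMPLE_RULES = r'''
# alert udp any any -> any 53 (msg:"constructed: DNS lookup seen"; flowbits:set,ms_sql_seen_dns; flowbits:noalert; sid:1000001;)
alert udp any any -> any 1434 (msg:"constructed: checks DNS bit"; flowbits:isset,ms_sql_seen_dns; sid:1000002;)
alert tcp any any -> any 445 (msg:"constructed: SMB tree create"; flowbits:set,smb.tree.create.llsrpc; flowbits:noalert; sid:1000003;)
'''

RULE = re.compile(r"^(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s")
FLOWBITS = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^,;]+))?")
SID = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS = {"set", "setx", "toggle"}   # assumption: operations counted as "set"
CHECKERS = {"isset", "isnotset"}      # assumption: operations counted as "checked"

def audit_flowbits(rules_text):
    """Cross-reference flowbits keys; one rule per line is assumed."""
    setters, checkers, disabled = defaultdict(list), defaultdict(list), defaultdict(list)
    for line in rules_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # blank line or ordinary comment
        enabled = m.group(1) is None  # a leading '#' means the rule is commented out
        sid = SID.search(line)
        sid = int(sid.group(1)) if sid else None
        for op, names in FLOWBITS.findall(line):
            # Snort 2.9 allows several keys joined with '&' or '|'
            for key in filter(None, (k.strip() for k in re.split(r"[&|]", names))):
                if op in SETTERS:
                    (setters if enabled else disabled)[key].append(sid)
                elif op in CHECKERS and enabled:
                    checkers[key].append(sid)
    return {
        # Fix: uncomment one of the listed disabled setters, or comment out the checkers.
        "checked_not_set": {k: {"checked_by": v, "disabled_setters": disabled.get(k, [])}
                            for k, v in checkers.items() if k not in setters},
        # Fix: comment out these rules, or enable a rule that checks the key.
        "set_not_checked": {k: v for k, v in setters.items() if k not in checkers},
    }

if __name__ == "__main__":
    for kind, keys in audit_flowbits(SAMPLE_RULES).items():
        for key, detail in keys.items():
            print(kind, key, detail)
```

To audit a real ruleset, pass the concatenated text of every rules file that snort.conf includes, since a key set in one file may be checked in another.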
