[Snort-devel] Problem with latest ruleset?

Martin Roesch roesch at ...48...
Thu Jan 18 01:02:55 EST 2001


Anyone else seen this?  I hate these ones, they're really hard to
debug...

One thing you might try doing to see what's happening is turn on some of
the DEBUG output in rules.c and see which rules it's firing on.  If we
can't make any progress from other users' experiences we'll have to try
that.

    -Marty

Keith McDuffee wrote:
> 
> I'm seeing a LOT of messages in my log files that look like the following:
> 
> Jan 16 15:12:45 host0 snort[10629]: ALERT: 204.60.171.10:9426 ->
> 192.168.1.104:80
> Jan 16 15:12:47 host0 snort[10629]: ALERT: 204.60.171.10:9493 ->
> 192.168.1.104:80
> 
> What confuses me is that there are no details associated with the "ALERT", so
> I have no idea what rule this is matching to. I noticed in "log.c" that this
> happens when a rule is matched that does not have a msg attribute attached
> to it. I scoured the rules I have, and I can find nothing without a msg
> attribute.
> 
> This is using the latest full ruleset supplied by snort.org, running on
> snort 1.7 on OpenBSD 2.6.  This does not happen with the previous ruleset
> from December 2K.
> 
> Any help greatly appreciated!
> 

--
Martin Roesch
roesch at ...48...
http://www.snort.org
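A check for the situation Keith describes, added here as an example that is not part of the thread or of Snort's own code: a scanner over a Snort 1.x rule file that reports every rule with no msg option, splitting options on ';' only outside double quotes so that a "msg:" inside a content string is not mistaken for the option, and joining backslash-continued lines. The sample rule file is constructed.

```python
import re

RULE_RE = re.compile(r"^\s*(alert|log|pass|activate|dynamic)\s+(.*?)\s*\((.*)\)\s*$")

# Constructed sample rule file: the rules starting on lines 2 and 4 lack msg.
RULES = """\
alert tcp any any -> any 80 (msg:"WEB-MISC test"; content:"/foo"; flags:PA;)
alert tcp any any -> any 80 (content:"msg:"; \\
    flags:PA;)
log udp any any -> any 53 (content:"|00 01|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"semi; colon"; content:"x";)
"""

def split_options(body):
    """Split the option body on ';' outside double quotes (\\" is an escape)."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\":          # keep the escaped char, e.g. \"
            cur.append(body[i:i + 2]); i += 2; continue
        in_quote ^= (ch == '"')
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    return [o for o in opts + ["".join(cur).strip()] if o]

def option_names(body):
    """Option keyword is the text before the first ':' of each option."""
    return {o.split(":", 1)[0].strip().lower() for o in split_options(body)}

def logical_lines(text):
    """Yield (first_line_no, text), joining backslash-continued lines."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        start, line = (start or n), raw.rstrip()
        buf.append(line[:-1] if line.endswith("\\") else line)
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None

def rules_without_msg(text):
    """Return (line_no, 'action header') for each rule lacking a msg option."""
    missing = []
    for n, line in logical_lines(text):
        m = RULE_RE.match(line)
        if m and "msg" not in option_names(m.group(3)):
            missing.append((n, f"{m.group(1)} {m.group(2).strip()}"))
    return missing
```

Run it over each file your snort.conf includes; a bare "ALERT: src -> dst" line can only come from a rule this reports.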