[Snort-devel] Problem with latest ruleset?

Keith McDuffee keithm at ...211...
Fri Jan 19 10:36:31 EST 2001


Okay I'm willing to give this a shot.  What do you suggest I turn on for
debugging?  These alerts are killing me...

----- Original Message -----
From: "Martin Roesch" <roesch at ...48...>
To: "Keith McDuffee" <keith.mcduffee at ...209...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Thursday, January 18, 2001 1:02 AM
Subject: Re: [Snort-devel] Problem with latest ruleset?


> Anyone else seen this?  I hate these ones, they're really hard to
> debug...
>
> One thing you might try doing to see what's happening is turn on some of
> the DEBUG output in rules.c and see which rules it's firing on.  If we
> can't make any progress from other users' experiences we'll have to try
> that.
>
>     -Marty
>
> Keith McDuffee wrote:
> >
> > I'm seeing a LOT of messages in my log files that look like the following:
> >
> > Jan 16 15:12:45 host0 snort[10629]: ALERT: 204.60.171.10:9426 ->
> > 192.168.1.104:80
> > Jan 16 15:12:47 host0 snort[10629]: ALERT: 204.60.171.10:9493 ->
> > 192.168.1.104:80
> >
> > What confuses me is that there's no details associated with the "ALERT", so
> > I have no idea what rule this is matching to. I noticed in "log.c" that this
> > happens when a rule is matched that does not have a msg attribute attached
> > to it. I scoured the rules I have, and I can find nothing without a msg
> > attribute.
> >
> > This is using the latest full ruleset supplied by snort.org, running on
> > snort 1.7 on OpenBSD 2.6.  This does not happen with the previous ruleset
> > from December 2K.
> >
> > Any help greatly appreciated!
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/lists/listinfo/snort-devel
>
> --
> Martin Roesch
> roesch at ...48...
> http://www.snort.org
>
>
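The thread's symptom is a bare "ALERT:" line with no rule text, which log.c emits when the matching rule carries no msg option. Eyeballing a large ruleset for that is error-prone: a rule can be split across backslash-continued lines, and a plain grep for "msg" is fooled by the word appearing inside a content match. The script below is an added example, not code from this thread or from the Snort project; it assumes the Snort 1.x rule layout (action, protocol, source, direction, destination, optional parenthesised options separated by ';'), and the rules it scans are constructed for the demonstration.

```python
import re

# Constructed sample rules file (not the snort.org ruleset discussed in the thread).
# Lines 3-4 are one backslash-continued rule without msg; line 8 contains the text
# "msg:" only inside a content match, which would fool a naive grep.
SAMPLE_RULES = """\
# WEB-MISC examples (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example; with semicolon"; flags:A+; content:"foo"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (flags:A+; \\
    content:"bar"; sid:1000002;)

log udp any any -> any 53 (msg:"DNS log";)
alert icmp any any -> any any (itype:8;)
alert tcp any any -> any 80 (content:"msg:"; sid:1000003;)
"""

# Snort 1.x header: action proto src_ip src_port direction dst_ip dst_port [(options)]
RULE_RE = re.compile(
    r'^(alert|log|pass|activate|dynamic)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)'
    r'\s*(?:\((.*)\))?\s*$', re.S)


def iter_rules(text):
    """Yield (starting line number, rule text) with backslash continuations joined,
    skipping blank lines and '#' comments."""
    pending, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not pending:
            if not line.strip() or line.lstrip().startswith('#'):
                continue
            start = lineno
        if line.endswith('\\'):          # rule continues on the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        yield start, ' '.join(p.strip() for p in pending)
        pending = []
    if pending:                          # file ended on a continuation line
        yield start, ' '.join(p.strip() for p in pending)


def split_options(body):
    """Split the option body on ';' that are not inside double quotes
    (a msg string may itself contain a semicolon)."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == '\\':
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(rule):
    """Return (header string, list of option strings), or (None, None) if the
    text does not look like a rule."""
    m = RULE_RE.match(rule)
    if not m:
        return None, None
    header = ' '.join(m.group(i) for i in range(1, 8))
    options = split_options(m.group(8)) if m.group(8) else []
    return header, options


def rules_missing_msg(text):
    """Return [(line number, header)] for every rule that has no msg option,
    i.e. the rules that would produce a bare 'ALERT:' line."""
    findings = []
    for lineno, rule in iter_rules(text):
        header, options = parse_rule(rule)
        if header is None:
            continue
        names = {opt.split(':', 1)[0].strip().lower() for opt in options}
        if 'msg' not in names:
            findings.append((lineno, header))
    return findings


if __name__ == '__main__':
    for lineno, header in rules_missing_msg(SAMPLE_RULES):
        print(f'line {lineno}: no msg option: {header}')
```

Run it against each file your snort.conf includes; any rule it reports is a candidate for the bare "ALERT:" lines, and adding a msg to it makes the next alert self-describing.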
