[Snort-devel] Fwd: Re: [Snort-users] FTP USER overflow attempt alerts, no logged packets.
cmg at ...402...
Wed Aug 7 11:29:01 EDT 2002
Dolfred Mascarenhas <dolfredm at ...398...> writes:
> I'm getting the same behavior. This rule will alert, but there will
> be no packet logs. This is on a RH7.2 system running Snort 1.8.7
> installed from the RH RPM (binary). I'm starting snort with
> "/usr/sbin/snort -D
> -z -I -o -i eth1 -d -l /b/log -c /etc/snort/snort.conf". The eth1
> interface is a 'stealth listen' set-up with no IP configured. There
> doesn't seem to be any filesystem problems in the logging directory
> (out of inodes, etc). Other rules are logging. This problem appeared
> when I upgraded from snort 1.8.6 to snort 1.8.7. Seems to be a bug
> introduced into 1.8.7. 1.8.6 didn't have any of these packet logging
> problems for me. I couldn't see anything in the conf file which would
> cause ftp rules not to be logged (no specially defined type w/ output
> option, etc). So this appears to be a bug in snort, or perhaps the
> telnet_decode preprocessor which handles FTP sessions also.
Do you see the same behavior in 1.9.0beta2?
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx