[Snort-devel] 2.1.1 RC1 questions and issues

Jeremy Hewlett jh at ...402...
Tue Feb 10 07:18:07 EST 2004

On Sat, Feb 07, JP Vossen wrote:
> First, a simple one.  The 'time ' option to Performance Statistics is not
> described in the comments or the PDF manual.  I assume it is the interval in
> second between perf. "snapshots" but it'd be nice to have that in writing.

Added in the manual - will get that put up soon. 

> "the" or "a"...   Pick one.

Picked and fixed.

> Next, I may be doing something wrong or missing something, but it seems to me
> that blank lines are not allowed in included files.  That seems very
> counterintuitive and wrong.

You already answered your own question in your other email... does
that mean you should take a penalty drink? :)

> What is 'snort-2.1.1-RC1/etc/sid' supposed to be?  Just wondering.

For tracking the most recently allocated sids

> Where is this threshold coming from? 
> /etc/snort# snort -T -c ./snort.conf 2>&1 | grep -B1  2275
> +-----------------------[thresholding-local]-------------------------------
> | gen-id=1  sig-id=2275   type=Threshold tracking=dst count=5   seconds=60

~/snort/rules/$ grep sid:2275 *
smtp.rules:alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP
AUTH LOGON brute force attempt"; flow:from_server,established;
content:"Authentication unsuccessful"; offset:54; nocase;
threshold:type threshold, track by_dst, count 5, seconds 60;
classtype:suspicious-login; sid:2275; rev:2;)

> When using a MySQL backend, should -T return something like this:
> database: Closing connection to database""
> database: Closing connection to database ""
> database: Closing connection to database ""
> database: Closing connection to database "d/Reserved IP protocol"

I'll look into it and add a bug if necessary.


More information about the Snort-devel mailing list