[Snort-sigs] Up and Running

Joel Esler jesler at ...435...
Tue Sep 11 15:34:27 EDT 2012


On Sep 11, 2012, at 3:22 PM, PR <oly562 at ...2420...> wrote:
> On Tue, 2012-09-11 at 13:37 -0400, Joel Esler wrote:
>> On Sep 11, 2012, at 1:20 PM, PR <oly562 at ...2420...> wrote:
>> <snip>

>>> 2.  WARNING: flowbits key 'file.fli' is set but not ever checked. and 20 more like this...
>>> 
>> Are you using Pulledpork?
> Not at the moment, I did it manually, downloaded rules and Snort per the manual links

Okay.  Pulledpork will correct the flow bit issues for you.

<snip>


>> 
>>> 4. WARNING: ip4 normalizations disabled because not inline.
>>> WARNING: tcp normalizations disabled because not inline.
>>> WARNING: icmp4 normalizations disabled because not inline.
>> 
>> If you aren't inline, this is correct.
> I believe I am not; it says at the bottom of stdout what I am running, that
> is included in my cut/pastes of stdout. Snort should say in stdout what
> I am running, correct? It said IDS mode

Right.  You should run Snort in Daemon mode once you have it working.

>>> 5. wondering about these few entries as well:
>>> 
>>> 0 decoder rules
>>>    0 preprocessor rules
>>> zero?
>> 
>> If you aren't using preprocessor or decoder rules, that's correct.  These are commented out in the snort.conf by default.
> ok, that's a good topic. When does one use preprocessor or decoder rules? I hear preproc and I think iptables or prior to inspection,
> something like that... I'll read about that in the manual next. Thanks

Look for preprocessor.rules in the snort.conf.

>>> and...
>>> 
>>> pcap DAQ configured to passive.
>> 
>> That's not a warning, that's informational.
> ok, what does that mean, passive, as in pcap is not sniffing? I think
> pcap and I think Wireshark or Ettercap or sniffing software. I could
> configure that in the DAQ conf somewhere, I suspect, correct? I'll try to find
> a doc or manual on DAQ next. I guess that is what you mean by what I
> want to or I am trying to do... I said above what I'm trying to do :0)

Passive, meaning, "not inline".  You cannot block traffic.

>>> if you can see anything wrong, please let me know, I feel I'm getting close... lol
>>> thanks, Pete
>>> 
> 
>> I don't show any stoppers.
> 
> ok, great, except now it's not logging $RULES, I just slammed it with
> audit software and nothing was logged... yes MySQL is right, it worked
> prior to turning on $RULES in snort.conf. Obviously I don't understand it
> all lol... and also preproc, sorules, how Pulledpork affects things when
> I install it, and the BUG noted for white/black list in snort.conf as
> well. I'll read the manual now and see if I can find some answers.

It should be logging, by default, in /var/log/snort.
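The "flowbits key ... is set but not ever checked" warning from item 2 comes up whenever a ruleset sets a flowbit that no other enabled rule tests with isset/isnotset, typically because the checking rule was disabled or commented out. The following checker is an added illustration, not code from this thread, from Snort or from Pulledpork; it assumes one rule per line (no backslash continuations) and runs over a constructed sample ruleset embedded in the block.

```python
import re

# Constructed sample rules (not from the thread). 'http.ok' and 'tls.seen' are both
# set and later checked; 'file.fli' is set, but the only rule that checks it is
# commented out, which is exactly the situation Snort warns about at startup.
SAMPLE_RULES = """
alert tcp any any -> any 80 (msg:"setter"; flowbits:set,file.fli; flowbits:noalert; sid:1000001;)
alert tcp any any -> any 80 (msg:"setter2"; flowbits:set,http.ok; flowbits:noalert; sid:1000002;)
alert tcp any any -> any 80 (msg:"checker"; flowbits:isset,http.ok; sid:1000003;)
alert tcp any any -> any 80 (msg:"unset only"; flowbits:unset,http.ok; sid:1000004;)
# alert tcp any any -> any 80 (msg:"disabled checker"; flowbits:isset,file.fli; sid:1000005;)
alert tcp any any -> any 443 (msg:"toggle"; flowbits:toggle,tls.seen; sid:1000006;)
alert tcp any any -> any 443 (msg:"isnotset"; flowbits:isnotset,tls.seen; sid:1000007;)
"""

# Matches one flowbits option: the operation and, if present, its argument up to ';'.
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+))?;")

# Operations that make a bit "set" versus those that "check" it. 'unset', 'noalert'
# and 'reset' do neither for the purpose of this warning.
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}


def _bit_names(arg):
    """Extract the bit names from a flowbits argument such as 'a&b' or 'a|b,group'.

    Only the first comma-separated field names bits; a second field is a group name.
    """
    bits_field = arg.split(",")[0]
    return {name.strip() for name in re.split(r"[&|]", bits_field) if name.strip()}


def flowbit_usage(rules_text):
    """Return (set_keys, checked_keys) for all enabled rules in rules_text."""
    set_keys, checked_keys = set(), set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # disabled rules do not count
            continue
        for op, arg in FLOWBITS_RE.findall(line):
            if not arg:  # noalert / reset carry no bit name
                continue
            if op in SETTERS:
                set_keys |= _bit_names(arg)
            elif op in CHECKERS:
                checked_keys |= _bit_names(arg)
    return set_keys, checked_keys


def set_but_never_checked(rules_text):
    """Sorted list of flowbits that are set somewhere but never tested by an enabled rule."""
    set_keys, checked_keys = flowbit_usage(rules_text)
    return sorted(set_keys - checked_keys)


if __name__ == "__main__":
    for key in set_but_never_checked(SAMPLE_RULES):
        # Same wording Snort uses, so the output can be diffed against the startup log.
        print(f"WARNING: flowbits key '{key}' is set but not ever checked.")
```

Running it on a real `rules` directory (concatenate the `.rules` files and pass the text in) gives the same list Snort prints at startup, which is useful for deciding whether to re-enable the checking rules or, as suggested above, let Pulledpork resolve the dependencies when it builds the ruleset.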