[Snort-users] Why does snort not always post to the x.x.x subdirectory?

Bob Fawcett bobf at ...739...
Wed Nov 1 16:28:27 EST 2000


I am brand new to snort.
I have snort 1.6.3 running on an NT 4.0 workstation with a nearly 
stock copy of rules 10102k.
I get an alert in the alert.ids file but no decode in the net.net.subnet 
directory.  This only happens for a few rules; most of the rules create 
the subdirectory in the log directory as expected.

A specific example:
When this rule triggers:
 alert TCP !$HOME_NET any -> $HOME_NET 2301 (msg:"IDS244 - 
CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../"; )
I get no subdirectory for the IP that triggered it. The IP is in my 
alerts.ids file. (The rules are all one line long - wrap is for email).

Thanks for any help

Bob F
80 FLT "The Original Road King"