[Snort-users] Unknown Sig Name ???
Susan Kay Coulter
skc at ...440...
Fri Oct 12 08:34:11 EDT 2001
I got this error when I had written a rule with a syntax error in the msg
option. My rule said something like ...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:BadRule"; uri ...
Alerts from this rule showed up as "Unknown Signature Name".
I was missing the leading quote on the msg option. After fixing the syntax
error, the signature name showed up correctly.
> Subject: Re: [Snort-users] Unknown Sig Name ???
> >> Hash: SHA1
> >> Can anybody give me some clues on how to debug this message I am getting in
> >> acid? Is it a problem with classification.config? I am running snort 1.8.1
> >> on
> >> one box with a local mysql database and snort1.8.1 on another box which is
> >> logging alerts to the first boxen's database. Thanks in advance...
> >> Scott Duncan
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.0.4 (GNU/Linux)
> >> Comment: For info see http://www.gnupg.org
> >> iD8DBQE7xKvvk2DKE9dAYTcRAkSOAKCHlO3xEuF8+Pfv5OSnnWuETj2+lwCeKuDI
> >> zCMirnrbE5bYtKyQcyGGmEQ=
> >> =saqf
> >> -----END PGP SIGNATURE-----
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > ---------------------------------------------
> > This message was sent using Voicenet WebMail.
> > http://www.voicenet.com/webmail/
> Cytech Security Consulting
> Internet Security Specialists
> voice: 775-751-5267
> Message: 12
> Date: Thu, 11 Oct 2001 17:02:22 -0700 (PDT)
> From: Erek Adams <erek at ...577...>
> To: Jake S <jseitz at ...3786...>
> cc: Snort list <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] One question
> On Thu, 11 Oct 2001, Jake S wrote:
> > Is there a doc that gives a rough idea of what type of hardware to use in
> > a Y network according to Z amount of traffic? My boss is looking for
> > something to base our hardware purchasing on so that is why I ask.
> Marty sent this info over to the list earlier this month. It's the closest
> thing we've got to a definitive guide ATM.
> 4) Hardware/OS recommendations
> Ok, here are the guidelines and some parameters. Intrusion detection is
> turning into one of the most high performance production computing
> fields that is in wide deployment today. If you think about the
> requirements of a NIDS sensor and the constraints that they are required
> to operate within, you'll probably start to realize that it's not too
> hard to find the performance wall with a NIDS these days.
> The things a NIDS needs are:
> MIPS (Fast CPU)
> RAM (More is *always* better)
> I/O (Wide, fast busses and high performance NIC)
> AODS (Acres Of Disk Space)
> A NIDS also needs to be pretty quick internally at doing its job.
> Snort's seen better days in that regard (when 1.5 came out the
> architecture was a lot cleaner) but it's still considered to be one of
> the performance leaders available.
> As for OS selection, use what you like. When we implement Data
> Acquisition Plugin's in Snort 2.0 this may become more of a factor, but
> for now I'm hearing about a lot of people seeing alot of success using
> Snort on Solaris, Linux, *BSD and Windows 2000. Personally, I develop
> Snort on FreeBSD and Sourcefire uses OpenBSD for our sensor appliance
> OS, but I've been hearing some good things about the RedHat Turbo Packet
> interface (which would require mods for Snort to use, not to mention my
> general objection to RedHat's breaking stuff all the time).
> Hope that helps!
> Erek Adams
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> End of Snort-users Digest
Network Security Team
CCN-5 Network Engineering
Los Alamos National Laboratory
voice: (505) 667-8425
fax: (505) 665-7793
More information about the Snort-users