[Snort-users] Upgrading Rules Not Working and Now Totally Confused...
chae at ...6316...
Wed Aug 7 19:20:03 EDT 2002
Right, a while back I upgraded to 1.8.7 and it was giving grief on a Cobalt
Worked my way back through the various RPMs and found 1.8.4 worked as well
as the original version 1.8.1
Now snort has been doing its thing quite nicely for the last two weeks, I
then decided to update the rule set (fingers and toes were crossed).
Installed the latest rules and modified the snort.conf to reflect the 1.8.4
snort conf, ran snort for a few days and all it would report back on was
ICMP & virus results. Okay same problem as before, replaced the rules with
the previous ruleset and snort conf and it's been running okay again.
Why won't the new rule set run with version 1.8.4? The biggest difference in
the 1.8.4 & the 1.8.7 snort.conf is in section one var HTTP_PORTS 80 & var
So to recap...
using 1.8.4 with the 1.8.4 ruleset and snort.conf works okay & reports okay
using 1.8.4 with the latest ruleset & snort.conf it only reports on ICMP's
& Virus attacks nothing else
copy the 1.8.4 ruleset back and the 1.8.4 snort.conf and it works and
use the latest ruleset with the 1.8.4 snort.conf and a large number of
errors come from the rules stating can't find port or wrong port and snort
On the latest rule set the snort.conf has only had the var HOME_NET and the
preprocessor portscan-ignorehosts changed, the logging method changed and
the WIN IIS & ColdFusion rulesets commented out, those variables were the
same as those in the 1.8.4 conf nothing else was changed.