[Snort-users] Upgrading Rules Not Working and Now Totally Confused...

Chae chae at ...6316...
Wed Aug 7 19:20:03 EDT 2002


Hi Yah,

Right, a while back I upgraded to 1.8.7 and it was giving grief on a Cobalt 
RaQ3.

Worked my way back through the various rpms and found 1.8.4 worked as well 
as the original version 1.8.1.

Now snort has been doing its thing quite nicely for the last two weeks. I 
then decided to update the rule set (fingers and toes were crossed).

Installed the latest rules and modified the snort.conf to reflect the 1.8.4 
snort conf, ran snort for a few days and all it would report back on was 
ICMP & virus results. Okay, same problem as before; replaced the rules with 
the previous ruleset and snort conf and it's been running okay again.

Why won't the new rule set run with version 1.8.4? The biggest difference in 
the 1.8.4 & the 1.8.7 snort.conf is in section one: var HTTP_PORTS 80 & var 
ORACLE_PORTS 1521.

So to recap...

- Using 1.8.4 with the 1.8.4 ruleset and snort.conf works okay & reports okay.
- Using 1.8.4 with the latest ruleset & snort.conf, it only reports on ICMPs 
  & virus attacks, nothing else.
- Copy the 1.8.4 ruleset back and the 1.8.4 snort.conf and it works and 
  reports again.
- Use the latest ruleset with the 1.8.4 snort.conf and a large number of 
  errors come from the rules stating can't find port or wrong port, and snort 
  doesn't run.

On the latest rule set the snort.conf has only had the var HOME_NET and the 
preprocessor portscan-ignorehosts changed, the logging method changed and 
the WIN IIS & Cold fusion rulesets commented out; those variables were the 
same as those in the 1.8.4 conf, nothing else was changed.

Regards

Chae
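
The recap above pairs a newer ruleset with a snort.conf that differs in `var HTTP_PORTS` and `var ORACLE_PORTS`; a rule header that references a variable the conf never defines can be found before Snort is started. The following is an added example, not part of the original post: the conf and rule text are constructed samples, and the function names are hypothetical.

```python
import re

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")   # 'var NAME value' in snort.conf
VAR_REF = re.compile(r"\$([A-Za-z_]\w*)")          # plain '$NAME' references only
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

# Constructed sample: an older-style conf without the two port variables.
OLD_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
"""

# Constructed sample rules (not taken from any real ruleset).
NEW_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sample web rule"; content:"$x";)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"sample oracle rule";)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample icmp rule";)
"""

def defined_vars(conf_text):
    """Return {name: value} for every 'var NAME value' line in the conf."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def undefined_refs(conf_text, rules_text):
    """List (line_no, variable) for rule headers that use a variable the conf lacks."""
    known = defined_vars(conf_text)
    missing = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith(RULE_ACTIONS):
            continue  # skip comments, blank lines and anything that is not a rule
        header = stripped.split("(", 1)[0]  # options may hold a literal '$'
        missing += [(no, name) for name in VAR_REF.findall(header) if name not in known]
    return missing

if __name__ == "__main__":
    for no, name in undefined_refs(OLD_CONF, NEW_RULES):
        print(f"rules line {no}: ${name} is not defined in snort.conf")
```
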





