[Snort-users] Re:Snort-1.8.7 detection problems

chae chae at ...6316...
Mon Jul 22 20:19:03 EDT 2002


Hi Yah Chris,

Cobalt RaQ3 and yes same behavior.

What I did last night was completely remove all traces of snort 8.1.7.i386 
from the server and started afresh again.

This time with 1.8.7 all I got was netmask errors <sigh>. Nothing has 
changed in that respect since I got the server; it's never been changed 
or modified in the snort.conf, and in the snortd it was being called 
correctly as INTERFACE=eth0.  Anyway, I tried again and this time I was 
getting a PCAP & MTU error, so after that I gave up.

What I then did was work my way up through the different versions of the 
rpms till I got to a version that wouldn't work; got as far as version 
1.8.4 before retiring to bed... Checked the logs this morning and version 
1.8.4 is working as it should be - yahooo.

As there's no rpm for version 1.8.6 I can't try that out so I might do a 
manual install from the tarball.

But to answer your question, what I was seeing was: with an old version 1.8.1, 
when the rulesets were updated, all snort reported on was ICMP, Virus and 
ICMP TTLs, yet before it was working fine. So I upgraded to 1.8.7, got that 
going, and it was reporting the same. Now I have 1.8.4 installed and it's 
working fine with the latest rulesets.

Regards

Chae
=========================
> > Hi Yah,
> >
> > Wojtek stated...
> >
> > "..Compilation, etc, seem to be ok. There's no different version of
> > pcap. Effect is that i get only icmp (not firewall problem) captured
> > packets. I can say that my previous version of snort had no problems
> > with tcp/icmp, but was similar problem with udp. This is not a problem
> > of sql too, because normal logging give the same. This is strange for
> > me that every version of snort has problems in my case with capturing
> > specific protocol. Any ideas will be appreciated."
> >
> > This is the same problem I've been plagued with, even after numerous
> > reinstalls, force installs and using the latest rule sets etc.
> >
> > I'd appreciate any suggestions also.
>
> OS Version?
> Do you see the same behavior from tcpdump?
> --
> Chris Green <cmg at ...1935...>
> Eschew obfuscation.
