[Snort-users] Snort 2.1.0 with snortcenter v1.0

Jim Cervantes jcervant at ...9478...
Fri Dec 19 11:42:03 EST 2003


I encountered a lack of Snortcenter support for the window option when
upgrading to 2.0.5, so I think you are merely seeing the divergence of snort
with snortcenter.  It doesn't appear that Snortcenter is being very actively
supported, but I might be wrong about that.

Even though Snortcenter complains when importing the affected rules, it
still imports them into the rule database and will push them out to your
sensors without the options it doesn't recognize.  This is very unfortunate
because you generally end up with under-qualified rules that will fire when
they shouldn't.

Be aware of a particularly nasty problem I ran into recently with
Snortcenter.  Under certain circumstances Snortcenter will reorder multiple
content options (and all the related sub-parameters).  This will break a
huge number of rules.  It seems as though Snortcenter inadvertently depends
on SELECT statements to return rows in the order they were INSERTed.  MySQL
appears to oblige unless you have ever performed maintenance on the
applicable tables.  Don't ever run 'OPTIMIZE TABLE' on Snortcenter's content
or uricontent tables (yes, uricontent has the same problem).

I don't mean to get down at all on Snortcenter - it has proven useful for
me.  However, the lack of maintenance has become a growing concern.

Jim
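
An added example (not Snortcenter's code) of the ordering bug described
above and the fix for it. Snort content matches with relative modifiers
(distance, within) only mean something in the order they were written, so
a rule assembled from a SELECT with no ORDER BY is a latent bug. The
schema, the sid and the content strings are assumptions made up for this
illustration; the example uses an in-memory SQLite database rather than
MySQL and simulates a rebuilt table by inserting the rows out of order.

```python
import sqlite3

# Assumed schema for illustration, not Snortcenter's real tables.
SCHEMA = """
CREATE TABLE content (
    sid       INTEGER NOT NULL,
    seq       INTEGER NOT NULL,  -- explicit position of this match within the rule
    pattern   TEXT    NOT NULL,
    modifiers TEXT    NOT NULL   -- modifiers bound to this content, e.g. 'nocase; distance:0;'
);
"""

# Constructed sample rows for one hypothetical rule (sid 1000001). They are
# inserted with seq deliberately out of order to stand in for a table whose
# physical row order no longer matches the order the rule was written in.
SAMPLE_ROWS = [
    (1000001, 2, "cmd.exe",   "nocase; distance:0;"),
    (1000001, 0, "GET ",      ""),
    (1000001, 1, "/scripts/", "nocase; distance:0; within:40;"),
]

# What the content part of the rule body must look like regardless of row order.
EXPECTED = ('content:"GET "; content:"/scripts/"; nocase; distance:0; within:40; '
            'content:"cmd.exe"; nocase; distance:0;')


def load(rows=SAMPLE_ROWS):
    """Build an in-memory database holding the given content rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO content VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def render(rows):
    """Join (pattern, modifiers) pairs into the content portion of a rule body."""
    parts = []
    for pattern, modifiers in rows:
        parts.append(f'content:"{pattern}";')
        if modifiers:
            parts.append(modifiers)
    return " ".join(parts)


def content_options_unordered(conn, sid):
    """Fragile form: trusts whatever order the engine happens to return rows in."""
    cur = conn.execute("SELECT pattern, modifiers FROM content WHERE sid = ?", (sid,))
    return render(cur.fetchall())


def content_options_ordered(conn, sid):
    """Safe form: the order is stated in the query, so a rebuilt table cannot change it."""
    cur = conn.execute(
        "SELECT pattern, modifiers FROM content WHERE sid = ? ORDER BY seq", (sid,))
    return render(cur.fetchall())


def sequence_problems(conn, sid):
    """Sanity check for a rule database: seq values for a rule must be 0..n-1 with
    no gaps or duplicates, otherwise a content match was lost or doubled on import."""
    seqs = [row[0] for row in conn.execute(
        "SELECT seq FROM content WHERE sid = ? ORDER BY seq", (sid,))]
    problems = []
    if len(set(seqs)) != len(seqs):
        problems.append("duplicate seq values")
    if seqs != list(range(len(seqs))):
        problems.append(f"seq values not contiguous: {seqs}")
    return problems


if __name__ == "__main__":
    conn = load()
    print("unordered:", content_options_unordered(conn, 1000001))
    print("ordered:  ", content_options_ordered(conn, 1000001))
    print("problems: ", sequence_problems(conn, 1000001))
```

The unordered query returns the rows in physical (rowid) order, which here
puts `cmd.exe` before `GET` and attaches `distance:0` to the wrong match;
the ORDER BY seq form reproduces the rule as written. Running
`sequence_problems` over every sid after an import is a cheap way to catch
rows that were dropped while Snortcenter complained about options it did
not understand.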

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Friesz,
Ross
Sent: Friday, December 19, 2003 2:13 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Snort 2.1.0 with snortcenter v1.0


Hello All,

While trying to import snortrules-current.tar.gz using snortcenter, I get
several database errors.

Snortcenter says there are unknown Rule Options pcre, window, and isdataat.

Has anyone come across this problem after upgrading to 2.1.0 and changing
the config.php file in snortcenter to download snortrules-current.tar.gz
instead of snortrules-stable.tar.gz?

Thanks

Ross Friesz

