[Snort-users] Cached Rule Files?

Grime, Richard S richard.grime at ...8411...
Thu Jun 12 03:54:20 EDT 2003


Hi,

We've just been troubleshooting our snort installation - rules that were
commented out seemed to be being read by Snort.  E.g., we had:

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize: >4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:1;)

Yet this event was still appearing in the logs.  Checking the folder that
contained all the rules files revealed a bunch of files named like:

._config(xxx)_(rulesfile).rules

E.g. - ._config001_misc.rules

The files contained a verbatim copy of the named rules file, but without any
lines commented out.

When we removed these files, Snort behaved as expected.  Does anyone know
where these might've come from?  We're running Oinkmaster 0.6 to update
rules, but running this again doesn't seem to create ._config files.

Snort 2.0.0 running on Gentoo
uname -a: Linux snort 2.5.53 #1 SMP Fri Jan 10 11:51:52 GMT 2003 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux

Any ideas / thoughts much appreciated.

Cheers,

Richard
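An added check, not part of Richard's post and not code from Snort or Oinkmaster: a small Python script that scans a rules directory for stray `._config<NNN>_<file>.rules` copies of the kind described above and reports, for each copy, the SIDs it enables that the canonical rules file has commented out. The sample rules directory below is constructed from the post (the commented-out sid:521 rule plus a made-up local rule, sid:1000001); the naming pattern is taken from the post.

```python
import os
import re
import sys

# Stray copies in the post were named ._config<NNN>_<rulesfile>.rules
STRAY_RE = re.compile(r"^\._config\d+_(?P<base>.+\.rules)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample: misc.rules has sid 521 disabled, the stray copy has it active.
SAMPLE = {
    "misc.rules":
        '#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize: >4000; sid:521; rev:1;)\n'
        'alert tcp any any -> $HOME_NET 80 (msg:"LOCAL sample"; sid:1000001; rev:1;)\n',
    "._config001_misc.rules":
        'alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize: >4000; sid:521; rev:1;)\n'
        'alert tcp any any -> $HOME_NET 80 (msg:"LOCAL sample"; sid:1000001; rev:1;)\n',
}


def logical_lines(text):
    """Join backslash-continued physical lines into one logical rule line each."""
    return re.sub(r"\\\r?\n", "", text).splitlines()


def sids(text, commented):
    """SIDs of the rules in text; commented=True selects only '#'-disabled rules."""
    found = set()
    for s in (line.lstrip() for line in logical_lines(text)):
        m = SID_RE.search(s)
        if s and s.startswith("#") == commented and m:
            found.add(int(m.group(1)))
    return found


def audit(files):
    """Map each stray ._config copy to the SIDs it enables that its real file disables."""
    report = {}
    for name, text in files.items():
        m = STRAY_RE.match(name)
        if m:
            base = files.get(m.group("base"), "")  # missing base -> stray still reported
            report[name] = sorted(sids(text, False) & sids(base, True))
    return report


if __name__ == "__main__":
    path = sys.argv[1]
    files = {n: open(os.path.join(path, n), errors="replace").read()
             for n in os.listdir(path) if n.endswith(".rules")}
    for stray, leaked in audit(files).items():
        print(f"{stray}: re-enables disabled SIDs {leaked}")
```

Run it as `python audit_rules.py /etc/snort/rules`; an entry with an empty list means a stray copy exists but does not re-enable anything the canonical file disables.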
