[Snort-users] Question regarding creating rules in Snortcenter ...
MChapman at ...10754...
Thu Feb 12 09:35:12 EST 2004
This is on RedHat 9.0, with Snort 2.0.6 and the usual complement of
MySQL and ACID. The rules I am trying to create using the interface in
Snortcenter don't seem to be active or locatable, for that matter. Bear
with my ignorance here, but I thought that these rules would normally
get put into the local.rules file, yet no entries appear there when I
create a rule. I do see them in the Snortcenter interface when I look
at the rules, which leads me to believe that the rules are in the SQL
database. Is this a correct assumption? If so, are the Snortcenter
interface and/or direct MySQL intervention the only ways to verify that
a rule is there? Secondly, if the rule does exist, why am I not seeing
hits for it?
For example, I created a rule which just does nothing but alert on TCP
8987 (a port that only I am using for an app). I can clearly see other
traffic to and from the host that has that port active, but I do not see
any alerts. I have activated the rule per the instructions on the
Snortcenter site, with green lights all around.
Am I being ignorant, or is there something I'm missing? If I should
just re-RTFM, then please say so!
Thanks in advance!