[Snort-users] Problems with Policy-Based Rules file

Kaplan, Andrew H. AHKAPLAN at ...10063...
Thu Nov 4 05:56:32 EST 2004


Hi Alex --

I ran the ps -ef |grep snort command syntax and it does appear the snort binary
is
running with the -o option. 

-----Original Message-----
From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher at ...11254...]
Sent: Thursday, November 04, 2004 4:02 AM
To: Kaplan, Andrew H.; Snort User Group (E-mail)
Subject: Re: [Snort-users] Problems with Policy-Based Rules file




--On 03 November 2004 14:16 -0500 "Kaplan, Andrew H." 
<AHKAPLAN at ...10063...> wrote:

> 1. Two servers with the addresses of 192.168.2.2 and 192.168.2.3 are
> sending requests via port 1985 to the 226.0.0.2:1985 multicast address
> via UDP. I added  a section to the file that calls for a pass of said
> traffic from both servers via TCP and UDP. Even though I added it to the
> file, I am still getting  a large amount of alerts from both machines.

[snip]

> The version of Snort that is being run is version 2.1.3, and the syntax
> used to run the program is /usr/sbin/snort -o -u snort -g snort -d -D -c
> /etc/snort/snort.conf -i eth0

That would appear to indicate that the '-o' ("pass first") option isn't 
working. Use ps to verify that Snort is *really* running with the -o option.

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9





More information about the Snort-users mailing list