[Snort-users] Problems with Policy-Based Rules file
Kaplan, Andrew H.
AHKAPLAN at ...10063...
Thu Nov 4 05:56:32 EST 2004
Hi Alex --
I ran the ps -ef |grep snort command syntax and it does appear the snort binary
is running with the -o option.
From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher at ...11254...]
Sent: Thursday, November 04, 2004 4:02 AM
To: Kaplan, Andrew H.; Snort User Group (E-mail)
Subject: Re: [Snort-users] Problems with Policy-Based Rules file
--On 03 November 2004 14:16 -0500 "Kaplan, Andrew H."
<AHKAPLAN at ...10063...> wrote:
> 1. Two servers with the addresses of 192.168.2.2 and 192.168.2.3 are
> sending requests via port 1985 to the 184.108.40.206:1985 multicast address
> via UDP. I added a section to the file that calls for a pass of said
> traffic from both servers via TCP and UDP. Even though I added it to the
> file, I am still getting a large amount of alerts from both machines.
> The version of Snort that is being run is version 2.1.3, and the syntax
> used to run the program is /usr/sbin/snort -o -u snort -g snort -d -D -c
> /etc/snort/snort.conf -i eth0
That would appear to indicate that the '-o' ("pass first") option isn't
working. Use ps to verify that Snort is *really* running with the -o option.
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9