[Snort-users] Snort PCAP FRAMES Query

Seth Art sethsec at ...11827...
Fri Apr 30 12:20:41 EDT 2010


The PCAP_FRAMES message is benign in your case. It is just reminding
you that you are not using an "enhanced" pcap, like the one from Phil Wood:
http://public.lanl.gov/cpw/

Secondly, the 128-4 message means: Generator: 128, Signature: 4.
Generator 1 is the text based rules, Gen 3 are the shared object
rules, and the rest are mostly preprocessor rules (i.e. http_inspect,
frag, telnet, etc.)

Looks like you are generating sigs, just not any text based Gen 1 sigs
yet.  Try going to www.testmyids.com to see if that triggers a sig.

-Seth
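An added helper, not from this thread, that applies the id breakdown above to Snort fast-alert lines: it converts BASE's 128-4 form into the gid:sid key snortid.com uses, classifies each generator the way Seth describes, and tallies whether any Gen 1 text-rule hits appear. The alert lines and the "ssh" / "id check" messages in them are constructed samples.

```python
import re
from collections import Counter

# Fast-alert lines carry the event id as "[gid:sid:rev]"; BASE shows the
# same event as "gid-sid"; snortid.com expects "gid:sid".
ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")
BASE_ID_RE = re.compile(r"^(\d+)-(\d+)$")

# Constructed sample alert lines (not taken from the original post).
SAMPLE_ALERTS = [
    "04/30-11:58:02.104233  [**] [128:4:1] (spp_ssh) Protocol mismatch [**] "
    "[Priority: 3] {TCP} 10.0.0.5:22 -> 10.0.0.9:51234",
    "04/30-11:58:40.001002  [**] [128:4:1] (spp_ssh) Protocol mismatch [**] "
    "[Priority: 3] {TCP} 10.0.0.5:22 -> 10.0.0.9:51240",
    "04/30-11:59:12.556721  [**] [1:498:6] ATTACK-RESPONSES id check returned root "
    "[**] [Priority: 1] {TCP} 10.0.0.7:80 -> 10.0.0.9:51301",
]


def parse_event_id(text):
    """Return (gid, sid) from a BASE-style '128-4' or a fast-alert '[128:4:1]'."""
    m = BASE_ID_RE.match(text.strip()) or ALERT_ID_RE.search(text)
    if not m:
        raise ValueError("no Snort event id found in: %r" % text)
    return int(m.group(1)), int(m.group(2))


def snortid_key(gid, sid):
    """Format an id the way snortid.com wants it (X:YYYY)."""
    return "%d:%d" % (gid, sid)


def generator_class(gid):
    """1 = text rules, 3 = shared-object rules, anything else = preprocessor."""
    if gid == 1:
        return "text-rule"
    if gid == 3:
        return "shared-object-rule"
    return "preprocessor"


def tally_generators(lines):
    """Count alerts per generator class; lines without an event id are skipped."""
    counts = Counter()
    for line in lines:
        m = ALERT_ID_RE.search(line)
        if m:
            counts[generator_class(int(m.group(1)))] += 1
    return counts


def missing_text_rule_hits(lines):
    """True when no Gen 1 (text rule) alert has fired yet, i.e. Seth's diagnosis."""
    return tally_generators(lines).get("text-rule", 0) == 0
```

Running the tally over a real alert file (e.g. the fast-alert output) shows at a glance whether only preprocessor generators are firing.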

On Fri, Apr 30, 2010 at 12:01 PM, Michael Sloan <sloan at ...14851...> wrote:
> I'm still having fits with my Snort/Barnyard2/BASE/mySQL installation
> under SUSE Linux Enterprise 11, and decided to recompile Snort with
> --with-mysql --with-mysql-libraries=/usr/lib/mysql
> --with-mysql-includes=/usr/include/mysql to see if possibly some of my issues
> might go away -
>
> Things like only seeing SSH Protocol Mismatch as the only reported error
> (I cleared the records in BASE before starting with the newly compiled
> snort binary) and links to information at snortid.com not even being in
> the format used at that site. I see an entry of the form 128-4, whereas
> snortid.com uses a X:YYYY format.
>
> Using Snort 2.8.5.3, BASE-1.4.5, and Barnyard2-1.8...
>
> What I noticed in the logs when I started snort is "Not using PCAP
> FRAMES". Would this account for why attempting to drill down and look at
> the packet information displayed an error? If so, where is this enabled?
>
> I start snort with the following command line:
>
> /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -d -D -u snort
>
> My output line in snort.conf is:
>
> output unified2: filename snort.log, limit 128
>
> And my barnyard2.conf output line is:
> output database: alert, mysql, user=snort password=WildlySecretPassword
> dbname=snort host=localhost
>
> mySQL seems to be set up correctly, with 16+ tables in the snort
> database and the user snort at ...274... being able to authenticate to the
> database.
>
> I'm not sure where to go next in dealing with these problems. Any
> suggestions or recommendations would be greatly appreciated.
>
> --
> Michael Sloan
> Systems Administrator
> FSU Center for Advanced Power Systems
> sloan at ...14851...