[Snort-users] issues with Snort report 1.3&VRT rules&ET rules&threshold.conf

Joel Esler joel.esler at ...14399...
Tue Nov 30 19:21:54 EST 2010


Is it because with the #2 line, your output is to console? "-A console",
remember command line overrides the snort.conf output lines.

J

On Tue, Nov 30, 2010 at 7:02 PM, Jun Wan <junwei_wan at ...125...> wrote:

>  Hi,
>
> BASE is not maintained, as well as its lack of docs, so I choose Snort
> Report (SR).  I have got lots of help from David Gullett, David has done a
> wonderful job,  thanks David.
>
> Two issues on *Snort 2.8.6.0 with SR 1.3* are very *strange*, I thought you
> guys may be interested to know, please see the following:
>
> *1.)* If I do following commands:
>
> sudo /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
> sudo /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
>
> The results: the activated rules on emerging.conf and settings on
> threshold.conf *are not working*, but the SR is working, snort is
> running with VRT rules *only* (*not* running ET rules & threshold.conf)
>
> *2.)* Or if I do the following command:
>
> sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -A console
>
> The results: the activated rules on emerging.conf and settings on
> threshold.conf *are working*, but the SR is *not working* (no data), and
> snort is running with VRT rules *and* ET rules *and* threshold.conf.
>
> Same issues happen to Snort 2.9.0 with SR1.3.
>
> I would like to solve these issues before I put Snort 2.8.6 & 2.9.0 with SR
> 1.3 into our live network.
>
> Any information/idea/direction would be highly appreciated.
>
> Regards
>
> John
>



-- 
Joel Esler
http://blog.joelesler.net
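
Added example (not part of either message): a pre-flight check for the behaviour described in the reply, where `-A` on the command line replaces the `output` lines in snort.conf, so no unified2 spool is written for barnyard2 and Snort Report to read. The sample config is constructed, the function names are hypothetical, and only `-A` is checked, not other command-line logging options.

```shell
#!/bin/sh
# Added example: does this snort invocation still write the unified2 spool?

# Print the alert mode given with -A on a snort command line; fail if absent.
cmdline_alert_mode() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -A)  echo "$2"; return 0 ;;
            -A*) echo "${1#-A}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Print the active (uncommented) output plugins named in a snort.conf.
conf_outputs() {
    sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}\([A-Za-z0-9_]*\).*/\1/p' "$1"
}

# Report what will receive alerts; return 0 only if unified2 stays active.
check_outputs() {
    conf=$1; shift
    if mode=$(cmdline_alert_mode "$@"); then
        echo "override: -A $mode replaces snort.conf outputs: $(conf_outputs "$conf" | tr '\n' ' ')"
        return 1
    fi
    if conf_outputs "$conf" | grep -qx unified2; then
        echo "ok: unified2 output active, barnyard2 has a spool to read"
        return 0
    fi
    echo "warn: no unified2 output in $conf"
    return 1
}

# Constructed sample config (not the poster's file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# output alert_syslog: LOG_AUTH LOG_ALERT
output unified2: filename snort.u2, limit 128
include threshold.conf
EOF

# Command 1 from the thread (daemon, no -A), then command 2 (-A console).
check_outputs "$SAMPLE_CONF" -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
check_outputs "$SAMPLE_CONF" -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -A console || true
```

This only tests the output-override explanation; it says nothing about why the ET rules and threshold.conf were reported inactive in the first command.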