[Snort-users] MySQL support for Snort 2.9.4

Joel Esler jesler at ...1935...
Tue Dec 11 16:41:06 EST 2012


On Tue, Dec 11, 2012 at 09:26:55PM +0000, Kaya Saman wrote:
> On 12/11/2012 07:11 PM, Joel Esler wrote:
> >You aren't generating any alerts because of:
> >
> >On Dec 11, 2012, at 2:06 PM, Kaya Saman <kayasaman at ...11827...> wrote:
> >
> >>Bad Chk Sum:      9421212 ( 50.311%)
> >
> >Try adding -k none to your Snort command line and see if you get
> >anything logged that way.
> >
> >
> >>Action Stats:
> >>    Alerts:            0 (  0.000%)
> >>    Logged:            0 (  0.000%)
> >>    Passed:            0 (  0.000%)
> >
> >
> >See, nothing alerted.
> >
> >Also,
> >you might want to use PulledPork to manage your ruleset, as it
> >looks like you have a bunch of unresolved flowbit issues.
> 
> Thanks, Joel,
> 
> I used PulledPork but it didn't get any of the *.rules files that
> are in the tar.gz file. I manually added them in then ran PP again
> out of which I got:
> 
> Reading rules...
> Reading rules...
> Reading rules...
> Setting Flowbit State....
>         Enabled 23 flowbits
>         Enabled 1 flowbits
>         Done
> Writing /etc/snort/rules/snort.rules....
>         Done
> Writing /etc/snort/rules/so_rules.rules....
>         Done
> Generating sid-msg.map....
>         Done
> Writing /etc/snort/sid-msg.map....
>         Done
> Writing /var/log/sid_changes.log....
>         Done
> Rule Stats....
>         New:-------0
>         Deleted:---0
>         Enabled Rules:----16879
>         Dropped Rules:----0
>         Disabled Rules:---14849
>         Total Rules:------31728
>         Done
> 
> I still get the flowbit errors, as PP above only enabled 24.
> 
> 
> In the log file I noticed that I got a bunch of "unknown message"
> entries, so I don't know if that's got anything to do with it?

It would help if you'd post the errors you received.


> Using the -k none option as suggested previously I don't get any
> more 'Bad Chk Sum' errors, but I still don't get anything logged
> either?

Well if you are evaluating all the traffic, then you might not have anything for Snort to trigger off of.  But let's keep checking to be sure.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
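An added example, not part of the thread: a small Python script that parses the shutdown statistics Snort 2.9 prints (the "Bad Chk Sum" and "Action Stats" lines quoted above) and flags the two conditions discussed here, a large share of packets failing checksum verification (the reason for the -k none suggestion) and a run that produced no alerts at all. The sample output and the 1% threshold are constructed for illustration.

```python
import re

# Constructed sample of Snort's shutdown statistics, modelled on the
# figures quoted in the thread (not copied from a real run).
SAMPLE_STATS = """\
Breakdown by protocol (includes rebuilt packets):
   Bad Chk Sum:      9421212 ( 50.311%)
Action Stats:
    Alerts:            0 (  0.000%)
    Logged:            0 (  0.000%)
    Passed:            0 (  0.000%)
"""

# Matches counter lines such as "   Bad Chk Sum:      9421212 ( 50.311%)"
STAT_LINE = re.compile(
    r"^\s*(?P<name>[A-Za-z ]+?):\s+(?P<count>\d+)\s+\(\s*(?P<pct>[\d.]+)%\)")


def parse_snort_stats(text):
    """Return {counter name: (count, percent)} for every stats line found."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            stats[m.group("name").strip()] = (int(m.group("count")),
                                              float(m.group("pct")))
    return stats


def diagnose(stats, bad_cksum_threshold=1.0):
    """Explain why a run may have produced nothing; returns a list of findings."""
    findings = []
    bad = stats.get("Bad Chk Sum")
    if bad and bad[1] >= bad_cksum_threshold:
        # Packets failing checksum verification are skipped by detection, so
        # either fix capture/offloading or disable verification with -k none.
        findings.append(f"{bad[1]:.1f}% of packets failed checksum verification; "
                        "consider running Snort with '-k none'")
    alerts = stats.get("Alerts", (0, 0.0))[0]
    logged = stats.get("Logged", (0, 0.0))[0]
    if alerts == 0 and logged == 0:
        findings.append("no alerts or logged packets: check that rules are "
                        "enabled (e.g. via PulledPork) and that the traffic "
                        "contains anything the ruleset can match")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_snort_stats(SAMPLE_STATS)):
        print("-", finding)
```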