[Snort-users] MySQL support for Snort 2.9.4

Kaya Saman kayasaman at ...11827...
Tue Dec 11 16:47:22 EST 2012


On 12/11/2012 09:41 PM, Joel Esler wrote:
> On Tue, Dec 11, 2012 at 09:26:55PM +0000, Kaya Saman wrote:
>> On 12/11/2012 07:11 PM, Joel Esler wrote:
>>> You aren't generating any alerts because of:
>>>
>>> On Dec 11, 2012, at 2:06 PM, Kaya Saman <kayasaman at ...11827...
>>> <mailto:kayasaman at ...11827...>> wrote:
>>>
>>>> Bad Chk Sum:      9421212 ( 50.311%)
>>> Try adding -k none to your Snort command line and see if you get
>>> anything logged that way.
>>>
>>>
>>>> Action Stats:
>>>>     Alerts:            0 (  0.000%)
>>>>     Logged:            0 (  0.000%)
>>>>     Passed:            0 (  0.000%)
>>>
>>> See, nothing alerted.
>>>
>>> Also,
>>> you might want to use PulledPork to manage your ruleset, as it
>>> looks like you have a bunch of unresolved flowbit issues.
>> Thanks Joel,
>>
>> I used PulledPork but it didn't get any of the *.rules files that
>> are in the tar.gz file. I manually added them in then ran PP again
>> out of which I got:
>>
>> Reading rules...
>> Reading rules...
>> Reading rules...
>> Setting Flowbit State....
>>          Enabled 23 flowbits
>>          Enabled 1 flowbits
>>          Done
>> Writing /etc/snort/rules/snort.rules....
>>          Done
>> Writing /etc/snort/rules/so_rules.rules....
>>          Done
>> Generating sid-msg.map....
>>          Done
>> Writing /etc/snort/sid-msg.map....
>>          Done
>> Writing /var/log/sid_changes.log....
>>          Done
>> Rule Stats....
>>          New:-------0
>>          Deleted:---0
>>          Enabled Rules:----16879
>>          Dropped Rules:----0
>>          Disabled Rules:---14849
>>          Total Rules:------31728
>>          Done
>>
>> I still get the flow bit errors as PP from above only enabled 24.
>>
>>
>> In the log file I noticed that I got a bunch of "unknown message"
>> entries so I don't know if that's got anything to do with it?
> It would help if you'd post the errors you received.

Sorry about that!


Are what I've seen currently.....

>
>
>> Using the -k none option as suggested previously I don't get any
>> more 'Bad Chk Sum' errors but I still don't get anything logged
>> either?
> Well if you are evaluating all the traffic, then you might not have anything for Snort to trigger off of.  But let's keep checking to be sure.

Basically Snort should just listen to all traffic and report for 
anything hinky - running in IDS mode.

I'm wondering if I should pull the Emerging Threats rules in again and 
use those as they worked before?

>
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

Regards,


Kaya
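A small triage helper, added here and not taken from the thread or from Snort/PulledPork, that sorts "Unknown MSG (gid:sid)" lines like the ones posted above by whether a sid-msg.map (rule gids 1 and 3, keyed by sid) or a gen-msg.map (every other generator, keyed by gid and sid) can resolve them. The gid split between the two files and the sample map contents are assumptions, since the post does not show the map files themselves.

```python
import re
from collections import Counter

# Constructed sample of the "Unknown MSG (gid:sid)" lines from the post, plus one gid-1 entry.
UNKNOWN_LOG = """\
Unknown MSG (105:1)
Unknown MSG (119:4)
Unknown MSG (133:5)
Unknown MSG (2:1)
Unknown MSG (1:2003)
"""
# Constructed maps. The layouts follow Snort's files (gen-msg.map: "gid || sid || msg";
# sid-msg.map v1: "sid || msg || ref, ..."); the message text is made up.
GEN_MSG_MAP = """\
105 || 1 || (sample) preprocessor event 105:1
119 || 4 || (sample) preprocessor event 119:4
133 || 5 || (sample) preprocessor event 133:5
"""
SID_MSG_MAP = "2003 || sample text rule || url,example.invalid\n"

LINE_RE = re.compile(r"Unknown MSG \((\d+):(\d+)\)")

def parse_map(text, key_fields):
    """Return the set of integer key tuples (first `key_fields` columns) of a '||' map file."""
    keys = set()
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("||")]
        if len(cols) > key_fields and all(c.isdigit() for c in cols[:key_fields]):
            keys.add(tuple(int(c) for c in cols[:key_fields]))
    return keys

def triage(log_text, gen_map_text, sid_map_text):
    """Classify each Unknown MSG entry as 'gen' (resolvable from gen-msg.map),
    'sid' (resolvable from sid-msg.map) or 'missing' (in neither file)."""
    gen_keys = parse_map(gen_map_text, 2)                   # (gid, sid)
    sid_keys = {k[0] for k in parse_map(sid_map_text, 1)}   # sid only
    out = {"gen": [], "sid": [], "missing": []}
    for m in LINE_RE.finditer(log_text):
        gid, sid = int(m.group(1)), int(m.group(2))
        if gid in (1, 3):   # assumption: text and shared-object rules are keyed by sid alone
            bucket = "sid" if sid in sid_keys else "missing"
        else:               # decoder/preprocessor generators are keyed by (gid, sid)
            bucket = "gen" if (gid, sid) in gen_keys else "missing"
        out[bucket].append((gid, sid))
    return out

def missing_by_gid(result):
    """Count unresolved entries per generator so the noisiest gid stands out."""
    return Counter(gid for gid, _ in result["missing"])

if __name__ == "__main__":
    res = triage(UNKNOWN_LOG, GEN_MSG_MAP, SID_MSG_MAP)
    for bucket, entries in res.items():
        print(bucket, entries)
    print("missing per gid:", dict(missing_by_gid(res)))
```

Point it at the real log and the maps PulledPork wrote; a large "gen" bucket means the entries are preprocessor events that sid-msg.map was never going to cover, while a large "missing" bucket means the maps are out of date.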
