[Snort-users] MySQL support for Snort 2.9.4

waldo kitty wkitty42 at ...14940...
Wed Dec 12 09:10:55 EST 2012

On 12/11/2012 16:26, Kaya Saman wrote:
> I still get the flow bit errors as PP from above only enabled 24.

PP's flowbit resolving only goes one way...

if a rule checks for a flowbit, PP will enable the rule(s) that set that 
flowbit... this fixes the "flowbit is checked but never set" warning...

if a rule sets a flowbit and there are no rules to check it, PP will not enable 
those checking rules... snort will still alert that "flowbit is set but never 
checked"... this is something manual that you will have to handle by either 
turning off that rule or turning on at least one of those that checks that 

> In the log file I noticed that I got a bunch of "unkown message" entries so I
> don't know if that's got anything to do with it?

we'd have to see a log snippet of what you are talking about...

> Using the -k none option as suggested previously I don't get any more 'Bad chck
> sum' errors but I still don't get anything logged either?

how is snort connected to the traffic flow? thru a span port or a switch or hub?

> Previously when I used version 2.8.6 with the Emerging Threats ruleset even when
> run for a few seconds Base would just spike with occurrences, mainly for p2p
> icmp packets.
> Basically it's still not working :-(

yup, something's just not right yet...

the biggest change between 2.8.6 and 2.9 is the use of the DAQ stuff... that and 
the removal of the database output stuff... however, there is something about 
this logging thing that is problematic... i see it quite often on new 
installations of our packaged environment... several times we've thought we've 
found the definitive answer to fix it but while it works for some, it doesn't 
for others... and then another fix will work for them but there are still more 
who are not getting logging... we're still looking at it in our stuff since we 
are including snort in our packaged environment and folks come to us for help 
with it... one day we will find it...
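
The one-way flowbit resolution described in this message can be checked offline against a rule file. The following is an added example, not part of the original post and not PulledPork's own code; the sample rules, the SIDs and the `audit_flowbits` name are constructed for illustration, and a leading `#` is assumed to mark a disabled rule.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from the post); a leading '#' marks a disabled rule.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"A"; flowbits:set,http.req; flowbits:noalert; sid:1001;)
# alert tcp any any -> any 80 (msg:"B"; flowbits:isset,http.req; sid:1002;)
alert tcp any any -> any 21 (msg:"C"; flowbits:isset,ftp.login; sid:1003;)
# alert tcp any any -> any 21 (msg:"D"; flowbits:set,ftp.login; sid:1004;)
alert tcp any any -> any 25 (msg:"E"; flowbits:set,smtp.ok; sid:1005;)
alert tcp any any -> any 25 (msg:"F"; flowbits:isnotset,smtp.ok; sid:1006;)
"""

SETTERS = {"set", "setx", "toggle"}      # operations that can turn a bit on
CHECKERS = {"isset", "isnotset"}         # operations that test a bit
FLOWBIT = re.compile(r"flowbits\s*:\s*(\w+)\s*,\s*([^;,]+)")
SID = re.compile(r"\bsid\s*:\s*(\d+)")

def audit_flowbits(text):
    """Return both flowbit mismatches among enabled rules, each mapped to
    the disabled SIDs that would resolve it."""
    setters = {"on": defaultdict(set), "off": defaultdict(set)}
    checkers = {"on": defaultdict(set), "off": defaultdict(set)}
    for line in text.splitlines():
        line = line.strip()
        state = "off" if line.startswith("#") else "on"
        sid = SID.search(line)
        if not sid:
            continue  # blank line or plain comment, not a rule
        for op, names in FLOWBIT.findall(line):
            table = setters if op in SETTERS else checkers if op in CHECKERS else None
            if table is None:
                continue  # unset/reset: neither sets nor checks
            for bit in re.split(r"[&|]", names):  # Snort allows bit1&bit2, bit1|bit2
                table[state][bit.strip()].add(int(sid.group(1)))
    report = {"checked_never_set": {}, "set_never_checked": {}}
    for bit in checkers["on"]:
        if bit not in setters["on"]:   # per the post, PP enables these setters
            report["checked_never_set"][bit] = sorted(setters["off"].get(bit, ()))
    for bit in setters["on"]:
        if bit not in checkers["on"]:  # per the post, left for manual handling
            report["set_never_checked"][bit] = sorted(checkers["off"].get(bit, ()))
    return report

if __name__ == "__main__":
    for kind, bits in audit_flowbits(SAMPLE_RULES).items():
        for bit, sids in bits.items():
            print(f"{kind}: {bit} (disabled rules that would resolve it: {sids})")
```
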
