[Snort-users] a few questions...

Russ Combs rcombs at ...1935...
Fri Jul 5 18:35:33 EDT 2013


On Fri, Jul 5, 2013 at 5:56 PM, waldo kitty <wkitty42 at ...14940...> wrote:

>
> in response to another's query about how to compile the so dynamic rules,
> i set off to test my theory and understanding... i completed my task and
> have an executable snort 2.9.5 with what appears to be compiled so dynamic
> rules from snapshot-2.9.4.6...
>
> this snort was compiled "straight"... in other words, nothing fancy...
> only the following...
>
> ./configure
> make
> make install
>
> so there's a bit of background... if it is not complete enough, please ask
> me for additional information... now to my couple of questions...
>
> 1. i do have 14 compiled so dynamic rules files in my lib directory. snort
> does recognize them and appears to load them as can be seen in the
> execution output attached below. the question is why does snort report "0
> Dynamic rules" when it is initializing the rule chains? there /are/ 72
> rules stubs in the so_rules directory and they were created from the
> compiled rules by snort's --dump-dynamic-rules option... did i miss a
> change in the so_rules/src/Makefile other than changing the SNORT_VERSION
> entry?
>

Those are dynamically activated rules as opposed to dynamically loaded
rules.  Check here:

http://manual.snort.org/node29.html#SECTION00421000000000000000
http://manual.snort.org/node29.html#SECTION00426000000000000000


>
> 2. when i terminate snort, the "Packet I/O Totals" count of processed
> doesn't make sense. it says 4054 received and analyzed but the "Breakdown
> by protocol" says there were 4057. where did the extra three packets come
> from? it also reports 125 "Other" packets. how can i find out what they are
> or were?
>

They are certain rebuilt packets counted here:

     S5 G 2:            3 (  0.074%)

Check here:

http://manual.snort.org/node9.html#SECTION00273000000000000000

I guess that should also state that packets flushed at shutdown are counted
there as well.


> all the output from the execution is attached below (snort_execution.txt)
> and my snort.conf is attached after that (snort_conf.txt)...
>
>
>
> --
> NOTE: No off-list assistance is given without prior approval.
>       Please keep mailing list traffic on the list unless
>       private contact is specifically requested and granted.
>
>
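Reconciling the two totals the way the reply above describes, as an added example that is not part of the thread: a small Python parser over a constructed Snort 2.9.x shutdown summary built around the thread's numbers (the summary text is assumed, modelled on Snort's "Packet I/O Totals" / "Breakdown by protocol" layout, not the poster's real attachment). It pulls out Received, Analyzed, the breakdown Total and the stream5 rebuilt-packet counters (S5 G 1 / S5 G 2) and checks that Analyzed plus rebuilt packets accounts for the breakdown Total.

```python
import re

# Constructed excerpt of a Snort 2.9.x shutdown summary, built around the
# numbers in the thread (4054 received/analyzed, 4057 in the breakdown,
# 3 "S5 G 2" rebuilt packets, 125 "Other"); not the poster's real output.
SAMPLE_STATS = """\
Packet I/O Totals:
   Received:         4054
   Analyzed:         4054 (100.000%)
Breakdown by protocol (includes rebuilt packets):
        Eth:         4057 (100.000%)
        TCP:         3500 ( 86.271%)
      Other:          125 (  3.081%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            3 (  0.074%)
      Total:         4057
"""

# One 'Name:  N' counter line; the name may contain spaces (e.g. "S5 G 2").
COUNTER = re.compile(r"^\s*(?P<name>[A-Za-z0-9 ]+?):\s+(?P<count>\d+)")
REBUILT = ("S5 G 1", "S5 G 2")  # stream5 reassembled pseudo-packets

def parse_counters(text):
    """Return {counter name: count} for every counter line in the summary."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("count"))
    return counters

def reconcile(text):
    """Explain the gap between Analyzed and the protocol-breakdown Total."""
    # Rebuilt packets are generated by stream5, never received from the DAQ,
    # so they appear only in the breakdown: Analyzed + rebuilt should equal
    # Total, and anything left over deserves a closer look.
    c = parse_counters(text)
    rebuilt = sum(c.get(k, 0) for k in REBUILT)
    return {
        "received": c["Received"],
        "analyzed": c["Analyzed"],
        "breakdown_total": c["Total"],
        "rebuilt": rebuilt,
        "unexplained": c["Total"] - c["Analyzed"] - rebuilt,
    }

if __name__ == "__main__":
    print(reconcile(SAMPLE_STATS))
```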