[Snort-users] darpa dataset problem(zero alert)

Joel Esler (jesler) jesler at ...589...
Mon Aug 25 09:00:57 EDT 2014


You didn’t have any rules fire.  But you have your rules uncommented, which means, either you didn’t download the ruleset, or if you did download the ruleset, you are running said rules, or the rule files are blank for some reason.

In any case, you have a misconfiguration in your snort.conf that is not allowing you to run the rules.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Aug 20, 2014, at 4:36 PM, mehdi maleki <mehdimlk2003 at ...131...<mailto:mehdimlk2003 at ...131...>> wrote:
On Wednesday, August 20, 2014 2:34 AM, mehdi maleki <mehdimlk2003 at ...131...<mailto:mehdimlk2003 at ...131...>> wrote:


Hi Esler & Waldo

My question was not answered!
When the rule set (registered snortrules-snapshot-2962) and the input pcap file (darpa dataset) are the same as yours, why is the output alert file so different?
Your output alert file has many gid: 1 alerts, but there isn't any gid: 1 alert in my output alert file.
What is my problem?
What changes do I need to make in the snort.conf file to get the same output as you?
I attach my snort.conf file & alert file.
Thanks
m. maleki
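The "zero alerts" symptom in this thread comes down to whether the rule files that snort.conf includes actually exist and contain active rules. The following check is an added example, not code from the thread or from the Snort project: it walks the uncommented `include` lines of a snort.conf, resolves `$RULE_PATH`, and reports each rule file as OK, missing, empty, or fully commented out. It assumes rule paths contain no spaces; the sample config and rule files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added check (not from the thread): report rule files that snort.conf includes
# but that are missing, empty, or contain no active (uncommented) rule.
# Returns the number of unusable rule files. Assumes paths without spaces.
check_snort_rules() {
    conf="$1"; confdir=$(dirname "$conf"); bad=0
    # Resolve "var RULE_PATH ..."; a relative value is relative to snort.conf.
    rule_path=$(sed -n 's/^[[:space:]]*var[[:space:]][[:space:]]*RULE_PATH[[:space:]][[:space:]]*//p' "$conf" | head -n 1)
    case "$rule_path" in /*) ;; *) rule_path="$confdir/$rule_path" ;; esac
    # Only uncommented "include" lines load rules; "# include" lines are ignored.
    for inc in $(sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*//p' "$conf"); do
        case "$inc" in
            '$RULE_PATH'/*) file="$rule_path/${inc#\$RULE_PATH/}" ;;
            /*)             file="$inc" ;;
            *)              file="$confdir/$inc" ;;
        esac
        if [ ! -f "$file" ]; then
            echo "MISSING   $file"; bad=$((bad + 1))
        elif [ ! -s "$file" ]; then
            echo "EMPTY     $file"; bad=$((bad + 1))
        else
            # Count lines that start with a rule action keyword.
            active=$(grep -cE '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$file" || true)
            if [ "$active" -eq 0 ]; then
                echo "COMMENTED $file"; bad=$((bad + 1))
            else
                echo "OK        $file ($active active rules)"
            fi
        fi
    done
    return "$bad"
}

# Constructed sample: one healthy file, one fully commented, one empty,
# one referenced but never downloaded, and one include that is commented out.
make_demo_config() {
    dir=$(mktemp -d); mkdir "$dir/rules"
    printf 'alert tcp any any -> any 80 (msg:"demo http"; sid:1000001;)\nalert icmp any any -> any any (msg:"demo icmp"; sid:1000002;)\n' > "$dir/rules/local.rules"
    printf '# alert tcp any any -> any 21 (msg:"disabled"; sid:1000003;)\n' > "$dir/rules/ftp.rules"
    : > "$dir/rules/web-misc.rules"
    printf 'var RULE_PATH rules\ninclude $RULE_PATH/local.rules\ninclude $RULE_PATH/ftp.rules\ninclude $RULE_PATH/web-misc.rules\ninclude $RULE_PATH/exploit.rules\n# include $RULE_PATH/ignored.rules\n' > "$dir/snort.conf"
    echo "$dir/snort.conf"
}

conf=$(make_demo_config)
check_snort_rules "$conf" || echo "unusable rule files: $?"
```

Run it against the real snort.conf instead of the demo one (`check_snort_rules /etc/snort/snort.conf`) to see which included rule files Snort cannot actually use.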