[Snort-users] How many rules read / active?

Kurzawa, Kevin kkurzawa at ...16800...
Fri Nov 7 10:15:10 EST 2014


Snort is run in daemon mode for me, as well. It logs startup messages to /var/log/messages.

Here is the output to look for.

Nov  5 16:27:24 snort[19445]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Nov  5 16:27:24 snort[19445]: Initializing rule chains...
Nov  5 16:27:24 snort[19445]: WARNING: /etc/pulledpork/rules/local(7) GID 1 SID 1000001 in rule duplicates previous rule. Ignoring old rule.
Nov  5 16:27:25 snort[19445]: 8161 Snort rules read
Nov  5 16:27:25 snort[19445]:     8139 detection rules
Nov  5 16:27:25 snort[19445]:     0 decoder rules
Nov  5 16:27:25 snort[19445]:     21 preprocessor rules
Nov  5 16:27:25 snort[19445]: 8160 Option Chains linked into 542 Chain Headers
Nov  5 16:27:25 snort[19445]: 0 Dynamic rules
Nov  5 16:27:25 snort[19445]: +++++++++++++++++++++++++++++++++++++++++++++++++++



From: test engineer [mailto:test12524 at ...11827...]
Sent: Friday, November 07, 2014 9:24 AM
To: waldo kitty
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] How many rules read / active?

Thanks for you comment Waldo.  When starting snort in daemon mode there is no screen output. The system log/messages file does not indicate how many rules were loaded.  I'm testing a set of 125 local rules and need to see if they loaded.

On Wed, Nov 5, 2014 at 4:38 PM, waldo kitty <wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>> wrote:
On 11/5/2014 2:07 PM, test engineer wrote:
> When running snort in daemon mode, is there a command to show how many snort
> rules were loaded and are active?

the numbers are shown in the startup output of snort...

--
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20141107/bb38d9a1/attachment.html>


More information about the Snort-users mailing list