[Snort-users] Strange events happening after installing PulledPork

Joel Esler (jesler) jesler at ...589...
Tue Apr 28 13:51:29 EDT 2015


Looks like your barnyard instance (or something) isn’t reading from the correct sid-msg.map file?


On Apr 28, 2015, at 12:20 AM, Michael Steele <michaels at ...9077...> wrote:

I’m not sure what’s going on. I just set up a new PulledPork instance, and it’s set to security for the rule set.

My previous instance ran a full set of rules for testing and I didn’t see the events below being logged.

I’m getting hundreds of the events below. I’m only seeing this after setting up PulledPork 0.7.0

04/28-00:11:04.389178  [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:04.758601  [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:04.781636  [**] [1:1620:6] Snort Alert [1:1620:6] [**] [Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] {UDP} 192.168.0.2:57503 -> 239.255.255.250:1900
04/28-00:11:05.758296  [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:06.192448  [**] [1:1620:6] Snort Alert [1:1620:6] [**] [Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] {UDP} 192.168.0.2:55549 -> 192.168.0.255:32412

Any ideas why I’m getting these with PulledPork?
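A way to test the sid-msg.map suggestion from the reply, as an added example that is not part of the original thread: it counts alerts whose message is only the `Snort Alert [gid:sid:rev]` placeholder and checks whether each SID exists in a given map. It assumes the placeholder is what gets logged when the map lookup fails and that the map uses the `||`-separated v1 or v2 layout; the map contents and function names are constructed for illustration, and the two alert lines are copied from the post.

```python
import re

# Two alert lines copied from the post above.
ALERTS = """\
04/28-00:11:04.389178  [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:04.781636  [**] [1:1620:6] Snort Alert [1:1620:6] [**] [Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] {UDP} 192.168.0.2:57503 -> 239.255.255.250:1900
"""
# Constructed maps (messages are placeholders, not real rule text).
# v1 layout: sid || msg || refs...
STALE_MAP_V1 = """\
# constructed sample
1000001 || CONSTRUCTED message one || url,example.invalid
"""
# v2 layout: gid || sid || rev || classtype || priority || msg || refs...
FRESH_MAP_V2 = """\
1 || 1620 || 6 || constructed-class || 2 || CONSTRUCTED message for 1620
"""

# Message text that is nothing but the rule identifier repeated.
PLACEHOLDER = re.compile(
    r"\[\*\*\] \[(\d+):(\d+):(\d+)\] Snort Alert \[\1:\2:\3\] \[\*\*\]")

def load_sid_map(text):
    """Parse a v1 or v2 sid-msg.map into {(gid, sid): msg}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = [p.strip() for p in line.split("||")]
        if len(f) >= 6 and all(x.isdigit() for x in f[:3]):
            entries[(int(f[0]), int(f[1]))] = f[5]   # v2 line
        elif len(f) >= 2 and f[0].isdigit():
            entries[(1, int(f[0]))] = f[1]           # v1 line, gid assumed 1
    return entries

def unresolved_alerts(alert_text, sid_map):
    """Per (gid, sid, rev): placeholder alert count and whether the map has the SID."""
    counts = {}
    for m in PLACEHOLDER.finditer(alert_text):
        key = tuple(int(x) for x in m.groups())
        counts[key] = counts.get(key, 0) + 1
    return {k: {"count": n, "in_map": k[:2] in sid_map}
            for k, n in counts.items()}

if __name__ == "__main__":
    for name, text in (("stale v1", STALE_MAP_V1), ("fresh v2", FRESH_MAP_V2)):
        print(name, unresolved_alerts(ALERTS, load_sid_map(text)))
```

If `in_map` is false, the file being checked lacks the SID and needs regenerating; if it is true while placeholder alerts keep arriving, the output process is probably reading a different or older copy of the map.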