[Snort-users] Does multiple configs works with snort 2.9.7.5?

Russ rucombs at ...589...
Tue Sep 1 09:56:00 EDT 2015



On 9/1/15 9:41 AM, C. L. Martinez wrote:
> On Tue, Sep 1, 2015 at 1:37 PM, Russ <rucombs at ...589...> wrote:
>>
>> On 9/1/15 8:56 AM, C. L. Martinez wrote:
>>> On Mon, Aug 31, 2015 at 9:50 AM, C.L. Martinez <carlopmart at ...11827...>
>>> wrote:
>>>> On 08/31/2015 09:11 AM, waldo kitty wrote:
>>>>> On 08/30/2015 11:02 AM, C.L. Martinez wrote:
>>>>>> Hi all,
>>>>>>
>>>>>>       Is there some problem/bug with multiple configs in snort 2.9.7.5?? I
>>>>>> have updated one of my sensors to this release and multiple configs
>>>>>> don't work ... It always uses the first config file defined in the config
>>>>>> binding section.
>>>>>
>>>>> https://www.snort.org/faq/how-do-i-ask-a-good-question-on-the-snort-list
>>>>>
>>>>> you have given us nothing to work with... we can't even make a start at
>>>>> WAGs...
>>>>>
>>>> Ok, I have attached all the config files involved plus the output of "snort -c
>>>> snort.conf -T".
>>>>
>>>> As you can see in the output, I have defined a different logdir for both
>>>> configs, but snort output only "sees" the default value "/var/log/snort"
>>>> ...
>>>> For bpf_filter options it is the same. I need to define different bpf
>>>> filters
>>>> for both configs, but the bpf_filter option is not read by snort.
>> logdir is not configurable by policy (same for most config options).  Check
>> here:
>>
>> http://manual.snort.org/node25.html#SECTION003102100000000000000
> Then the only options configurable in multiple configs (apart from
> defining rules and vars) are these:
>
> config checksum_drop
> config disable_decode_alerts
> config disable_decode_drops
> config disable_ipopt_alerts
> config disable_ipopt_drops
> config disable_tcpopt_alerts
> config disable_tcpopt_drops
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_experimental_drops
> config disable_tcpopt_obsolete_alerts
> config disable_tcpopt_obsolete_drops
> config disable_ttcp_alerts
> config disable_tcpopt_ttcp_alerts
> config disable_ttcp_drops
>
> ??
>
> But if I remember well, in previous snort versions it would be
> possible to configure logdir and bpf filter file for every multiple
> config ... Isn't it??
Not that I recall.
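
An added example, not part of the original thread and not Snort project code: a small check that reads a config file bound through `config binding` and reports every `config` directive that is not in the per-policy list quoted above, so a sensor operator can spot settings such as `logdir` that only take effect in the default config. The function name, the sample file contents and the use of `config bpf_file` in the sample are assumptions made for illustration; the allowed set is copied from the list in this thread.

```python
import re

# Per-policy "config" options, copied from the list quoted in this thread.
PER_POLICY_OPTIONS = frozenset("""
checksum_drop disable_decode_alerts disable_decode_drops
disable_ipopt_alerts disable_ipopt_drops
disable_tcpopt_alerts disable_tcpopt_drops
disable_tcpopt_experimental_alerts disable_tcpopt_experimental_drops
disable_tcpopt_obsolete_alerts disable_tcpopt_obsolete_drops
disable_ttcp_alerts disable_tcpopt_ttcp_alerts disable_ttcp_drops
""".split())

# Matches "config <option>" with an optional ": <value>" part.
CONFIG_LINE = re.compile(r"^\s*config\s+(\w+)\s*(?::\s*(.*?))?\s*$")


def global_only_directives(policy_conf_text):
    """Return (line_no, option, value) for each 'config' directive in a
    bound (non-default) config that is not in PER_POLICY_OPTIONS."""
    findings = []
    for line_no, raw in enumerate(policy_conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments before matching
        m = CONFIG_LINE.match(line)
        if m and m.group(1) not in PER_POLICY_OPTIONS:
            findings.append((line_no, m.group(1), m.group(2) or ""))
    return findings


# Constructed sample of a second config referenced by "config binding".
SAMPLE_POLICY_CONF = """\
# dmz policy (constructed sample)
config logdir: /var/log/snort/dmz
config bpf_file: /etc/snort/dmz.bpf
config checksum_drop: all
config disable_decode_alerts
# config logdir: /tmp/ignored
var HOME_NET 192.0.2.0/24
"""

if __name__ == "__main__":
    for line_no, option, value in global_only_directives(SAMPLE_POLICY_CONF):
        print(f"line {line_no}: 'config {option}' is not per-policy; "
              f"set it in the default config (value here: {value!r})")
```
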