[Snort-users] Does multiple configs works with snort 2.9.7.5?

C. L. Martinez carlopmart at ...11827...
Tue Sep 1 09:59:26 EDT 2015


On Tue, Sep 1, 2015 at 1:56 PM, Russ <rucombs at ...589...> wrote:
>
>
> On 9/1/15 9:41 AM, C. L. Martinez wrote:
>>
>> On Tue, Sep 1, 2015 at 1:37 PM, Russ <rucombs at ...589...> wrote:
>>>
>>>
>>> On 9/1/15 8:56 AM, C. L. Martinez wrote:
>>>>
>>>> On Mon, Aug 31, 2015 at 9:50 AM, C.L. Martinez <carlopmart at ...11827...>
>>>> wrote:
>>>>>
>>>>> On 08/31/2015 09:11 AM, waldo kitty wrote:
>>>>>>
>>>>>> On 08/30/2015 11:02 AM, C.L. Martinez wrote:
>>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>>       Is there some problem/bug with multiple configs in snort
>>>>>>> 2.9.7.5?? I
>>>>>>> have updated one of my sensors to this release and multiple configs
>>>>>>> don't work ... It always uses the first config file defined in the
>>>>>>> config binding section.
>>>>>>
>>>>>>
>>>>>>
>>>>>> https://www.snort.org/faq/how-do-i-ask-a-good-question-on-the-snort-list
>>>>>>
>>>>>> you have given us nothing to work with... we can't even make a start
>>>>>> at
>>>>>> WAGs...
>>>>>>
>>>>> Ok, I have attached all config files implied plus the output of "snort
>>>>> -c
>>>>> snort.conf -T".
>>>>>
>>>>> As you can see in the output, I have defined a different logdir for
>>>>> both
>>>>> configs, but snort output only "sees" the default value
>>>>> "/var/log/snort"
>>>>> ...
>>>>> For bpf_filter options is the same. I need to define different bpf
>>>>> filters
>>>>> for both configs, but bpf_filter option is not read by snort.
>>>
>>> logdir is not configurable by policy (same for most config options).
>>> Check
>>> here:
>>>
>>> http://manual.snort.org/node25.html#SECTION003102100000000000000
>>
>> Then the only options configurable in multiple configs (apart from
>> defining rules and vars) are these:
>>
>> config checksum_drop
>> config disable_decode_alerts
>> config disable_decode_drops
>> config disable_ipopt_alerts
>> config disable_ipopt_drops
>> config disable_tcpopt_alerts
>> config disable_tcpopt_drops
>> config disable_tcpopt_experimental_alerts
>> config disable_tcpopt_experimental_drops
>> config disable_tcpopt_obsolete_alerts
>> config disable_tcpopt_obsolete_drops
>> config disable_ttcp_alerts
>> config disable_tcpopt_ttcp_alerts
>> config disable_ttcp_drops
>>
>> ??
>>
>> But If I remember well, in previous snort versions it would be
>> possible to configure logdir and bpf filter file for every multiple
>> config ... Isn't it??
>
> Not that I recall.
>

Uhmm .. Then I am mistaken.

Thanks Russ ... I will reconfigure this sensor ...
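
Added example, not part of the original thread or of Snort itself: a small lint that reads the `config binding:` lines of a main snort.conf and reports any `config` directive in a bound policy file that is not in the per-policy list quoted above, which is the situation described in the thread for logdir and the BPF filter. The file paths, networks and the use of `config bpf_file` in the sample are assumptions constructed for illustration.

```python
import re

# Per-policy "config" options, copied from the list quoted in the thread above.
PER_POLICY = frozenset("""
checksum_drop disable_decode_alerts disable_decode_drops
disable_ipopt_alerts disable_ipopt_drops disable_tcpopt_alerts
disable_tcpopt_drops disable_tcpopt_experimental_alerts
disable_tcpopt_experimental_drops disable_tcpopt_obsolete_alerts
disable_tcpopt_obsolete_drops disable_ttcp_alerts
disable_tcpopt_ttcp_alerts disable_ttcp_drops
""".split())
CONFIG_RE = re.compile(r"^\s*config\s+(\w+)\s*(?::\s*(.*?))?\s*$")

def config_lines(text):
    """Yield (line_no, option, value) for each 'config' directive, skipping comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        m = CONFIG_RE.match(raw.split("#", 1)[0])
        if m:
            yield n, m.group(1).lower(), m.group(2) or ""

def audit(main_conf, policy_files):
    """Return (policy_path, line_no, option) for non-per-policy options in bound configs."""
    findings = []
    for _, opt, value in config_lines(main_conf):
        if opt != "binding" or not value:
            continue
        path = value.split()[0]  # config binding: <path> vlan|net|policy_id <list>
        for n, p_opt, _ in config_lines(policy_files.get(path, "")):
            if p_opt not in PER_POLICY:
                findings.append((path, n, p_opt))
    return findings

# Constructed sample input (hypothetical paths and networks).
MAIN = """\
config logdir: /var/log/snort
config binding: /etc/snort/dmz.conf net 192.0.2.0/24
config binding: /etc/snort/lan.conf vlan 10
"""
POLICIES = {
    "/etc/snort/dmz.conf": "config logdir: /var/log/snort/dmz\n"
                           "config bpf_file: /etc/snort/dmz.bpf  # wanted per policy\n"
                           "config checksum_drop: all\n",
    "/etc/snort/lan.conf": "# config logdir: /var/log/snort/lan\n"
                           "config disable_decode_alerts\n",
}

if __name__ == "__main__":
    for path, n, opt in audit(MAIN, POLICIES):
        print(f"{path}:{n}: 'config {opt}' is not in the per-policy list")
```
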



