[Snort-users] (no subject)

Dan O'Brien pdobrien3 at gmail.com
Mon Feb 5 20:41:21 EST 2018


And I have multiple snort.u2.xxxxxxxx files in /var/log/snort.  My computer slowed to a crawl from processing the any-to-any rules.  Once I commented it out it is back to running normally.  Base just must not be making the connection?

Thanks,
Dan
(770) 624-1010
pdobrien3 at gmail.com

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPad

> On Feb 5, 2018, at 11:57 AM, wkitty42 at windstream.net wrote:
> 
>> On 02/05/2018 11:38 AM, Paul O'Brien wrote:
>> I typically get 50-100 alerts a day until 2 days ago. 2 days ago I changed
>> the vlan configuration on my router. It was configured improperly. I have
>> checked to make sure everything is loaded and running. Guess I need to look
>> into how to make an any to any alert. I remotely remember testing something
>> similar during setup.
> 
> any-to-any rules are easy... i use the following local-test.rules for initial testing to make sure snort is seeing traffic...
> 
> 
> ----->8 snip 8<-----
> #
> # The rules in this file are only to test a snort installation to see if it is seeing any traffic at all.
> # These rules should not be used all the time. Once tested and working, this rule file should be commented
> # out in your snort.conf so that it is not used.
> #
> #------------------
> # LOCAL TEST RULES
> #------------------
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
> alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)
> ----->8 snip 8<-----
> 
> 
> 
> -- 
> NOTE: No off-list assistance is given without prior approval.
>       *Please keep mailing list traffic on the list unless*
>       *a signed and pre-paid contract is in effect with us.*
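Added example, not code from the thread: a small Python reader for the snort.u2.* unified2 files mentioned above. It counts events per gid/sid straight from the sensor's own output, which separates "Snort is not alerting" from "Barnyard2/BASE is not picking the file up". It assumes the unified2 record layouts for the legacy IPv4 event (type 7), the VLAN/MPLS event (type 104) and the packet record (type 2); the sample bytes are constructed, not captured.

```python
import struct
import sys
from collections import Counter
from pathlib import Path

# Unified2 record types (from Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event plus mpls_label/vlanId/pad, 60-byte body
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN}

# sensor_id, event_id, event_second, event_usec, sid, gid, rev, class, priority,
# ip_src, ip_dst, sport_itype, dport_icode, protocol, impact_flag, impact, blocked
EVENT_FMT = ">IIIIIIIIIIIHHBBBB"  # 52 bytes, big-endian; type 104 appends ">IHH"

def parse_unified2(data: bytes):
    """Yield (record_type, body) for each record; stop at a truncated record."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        off += 8
        if off + length > len(data):
            break  # partial record: Snort may still be writing this file
        yield rtype, data[off:off + length]
        off += length

def count_events(data: bytes) -> Counter:
    """Count IDS events per (gid, sid); packet and extra-data records are skipped."""
    counts = Counter()
    for rtype, body in parse_unified2(data):
        if rtype not in EVENT_TYPES:
            continue
        fields = struct.unpack_from(EVENT_FMT, body, 0)
        sid, gid = fields[4], fields[5]
        counts[(gid, sid)] += 1
    return counts

def make_event(sid: int, gid: int = 1, rtype: int = UNIFIED2_IDS_EVENT) -> bytes:
    """Build a constructed event record (test data only, not a real capture)."""
    body = struct.pack(EVENT_FMT, 0, 1, 1517859600, 0, sid, gid, 1, 0, 3,
                       0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
    if rtype == UNIFIED2_IDS_EVENT_VLAN:
        body += struct.pack(">IHH", 0, 10, 0)  # mpls_label, vlanId, pad
    return struct.pack(">II", rtype, len(body)) + body

# Constructed sample: two sid:1 events, one packet record, one VLAN-form sid:3 event
SAMPLE = (make_event(1) + struct.pack(">II", UNIFIED2_PACKET, 4) + b"\x00" * 4
          + make_event(1) + make_event(3, rtype=UNIFIED2_IDS_EVENT_VLAN))

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. /var/log/snort/snort.u2.*
        print(path, dict(count_events(Path(path).read_bytes())))
```

A non-empty count here with nothing in BASE points at the Barnyard2 to database step rather than the sensor.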