Is it because, with the #2 line, your output is to the console ("-A console")? Remember, the command line overrides the snort.conf output lines.<div><br></div><div>J<br><br><div class="gmail_quote">On Tue, Nov 30, 2010 at 7:02 PM, Jun Wan <span dir="ltr">&lt;<a href="mailto:junwei_wan@...125...">junwei_wan@...125...</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">



<div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial">Hi,</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="3" face="Arial"><font style="font-size:10pt" size="2">BASE is not maintained and lacks docs, so I chose Snort Report (SR). I have got lots of help from David Gullett; David has done a wonderful job, thanks David.</font></font></span></div>

<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial">Two issues on <strong><strong>Snort 2.8.6.0</strong> with SR 1.3</strong> are very <strong>strange</strong>; I thought you guys may be interested to know, please see the following:</font></span></div>

<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial"><strong>1.)</strong> If I do following commands:</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font face="Arial"><span><font face="Arial">sudo</font></span> /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0<br>sudo /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo</font></span></div>

<div dir="ltr" align="left"><span><font face="Arial"> </font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">The results: the activated rules in emerging.conf and settings in threshold.conf <strong><font size="4">are not working,</font></strong> but SR is working; snort is running with VRT rules <font size="4"><strong>only</strong></font> (<strong>not </strong>running ET rules &amp; threshold.conf).</font></span></div>

<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"><strong>2.) or </strong>If I do the following command:</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font size="2" face="Arial"> sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -A console </font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">The results: the activated rules in emerging.conf and settings in threshold.conf <font size="4"><strong>are working,</strong></font> but SR is <strong><font style="font-size:12pt" size="3">not working</font></strong> (no data), and snort is running with VRT rules <font size="4"><strong>and</strong></font> ET rules <font style="font-size:12pt" size="3"><strong>and</strong></font> threshold.conf.</font></span></div>

<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">Same issues happen to Snort 2.9.0 with SR1.3.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">I would like to solve these issues before I put Snort 2.8.6 &amp; 2.9.0 with SR 1.3 into our live network.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"> </font></span><span><font color="#0000ff" size="2" face="Arial"></font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">Any information/idea/direction would be highly appreciated.</font></span></div>
<div dir="ltr" align="left"><span></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">Regards</font></span></div>
<div dir="ltr" align="left"><span></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">John</font> </span></div>                                     </div>

</blockquote></div><br><br clear="all"><br>-- <br>Joel Esler<div><a href="http://blog.joelesler.net" target="_blank">http://blog.joelesler.net</a></div><br>
</div>
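An added shell diagnostic, not code from either poster, that makes the distinction in Joel's reply concrete: the output plugin declared in snort.conf (which barnyard2, and therefore SR, depends on) versus a command-line -A that overrides it, plus a listing of the includes through which emerging.conf and threshold.conf are loaded. The snort.conf fragment, RULE_PATH and file names are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): show what a snort.conf configures
# for output and includes, and flag a command line whose -A flag would
# override the file's output plugin. All paths and values are constructed.

SNORT_CONF=$(mktemp)
trap 'rm -f "$SNORT_CONF"' EXIT
cat > "$SNORT_CONF" <<'EOF'
# constructed snort.conf fragment, modelled on the layout in the thread
var RULE_PATH /usr/local/snort/rules
output unified2: filename snort.u2, limit 128
include threshold.conf
include $RULE_PATH/emerging.conf
include $RULE_PATH/local.rules
EOF

# Output plugins declared in the file. This is what barnyard2 reads
# (unified2 -> snort.u2); per the reply above, a command-line -A replaces it.
snort_outputs() {
    sed -n 's/^[[:space:]]*\(output[[:space:]].*\)$/\1/p' "$1"
}

# Included files with $RULE_PATH expanded from the var line, so a missing
# rules or threshold file can be spotted before the sensor goes live.
snort_includes() {
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3 }' "$1")
    awk -v rp="$rule_path" '$1 == "include" { sub(/\$RULE_PATH/, rp, $2); print $2 }' "$1"
}

# Exit 0 when the snort arguments contain -A, i.e. alerts go to the -A mode
# (console here) instead of the output plugin in snort.conf.
cmdline_overrides_output() {
    case " $* " in
        *" -A "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Sanity report for the #2 invocation from the thread.
snort_outputs "$SNORT_CONF"
snort_includes "$SNORT_CONF"
if cmdline_overrides_output -c "$SNORT_CONF" -i eth1 -A console; then
    echo "-A on the command line: the unified2 output above is not used"
fi
```

On a real sensor the equivalent check is `snort -T -c snort.conf`, which parses the configuration and reports the rules, includes and output plugins it actually loaded.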