Snort mailing list archives

Re: Snort Stop, reload & restarting


From: "Render-Vue" <sales () render-vue com>
Date: Sat, 8 Dec 2001 10:56:45 +1300

I posted:-

Just testing some bits and pieces and have the start up as:-
snort -c /etc/snort/snort.conf -v -D -A none

Snort dumps to syslog and reports for now are coming through logcheck till I
get it fine tuned to what I want - deleted the IIS rules and Cold-Fusion
rules and went to restart/reload snort doing so caused snort to come back
with an error message.<<

Thanks to all who replied off line - I have the problem sorted now

Because SNORT was running at default as Daemon I wasn't calling the full
path when trying to reload or restart - duuhhh

Should have RTM first...

Thanks again to everyone...

While I'm here is there a definitive guide to what the various rules mean
for example:-

Dec  7 13:38:19 ns snort: [1:1156:1] WEB-MISC apache DOS attempt
[Classification: Attempted Denial of Service] [Priority: 6]: {TCP}
203.96.108.198:1248 -> xxx.xxx.xxx.xxx:80

Dec  7 13:17:56 ns snort: [1:657:2] SMTP chameleon overflow [Classification:
Attempted Administrator Privilege Gain] [Priority: 10]: {TCP}
206.132.79.221:3450 -> xxx.xxx.xxx.xxx:25

Dec  7 11:06:18 ns snort: [1:884:2] WEB-CGI formmail access [Classification:
Attempted Information Leak] [Priority: 3]: {TCP} 168.191.68.32:3538 ->
xxx.xxx.xxx.xxx:80

Dec  7 02:57:07 ns snort: [1:1288:1] WEB-FRONTPAGE /_vti_bin/ access
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP}
208.63.33.200:1206 -> xxx.xxx.xxx.xxx:80

Dec  7 02:17:56 ns snort: [1:896:1] WEB-CGI wayboard access [Classification:
Attempted Information Leak] [Priority: 3]: {TCP} 202.89.128.85:30405 ->
xxx.xxx.xxx.xxx:80

etcetera etcetera...

Most of the rules are self-explanatory but it would be nice to see
something come up in the logs and be able to see if it's worth worrying
about or if it can be rem'd out of the rule sets.

Regards

Chae
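
An added example, not part of the original post: a small Python parser for the syslog alert format quoted above, which tallies alerts per rule so the noisiest signatures can be reviewed before deciding what to tune. The sample lines are constructed (documentation-range addresses), and the parser assumes one alert per line as syslog writes it, not wrapped as in the e-mail.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog alert format quoted in the post
# (addresses are documentation-range placeholders, not from the post).
SAMPLE = """\
Dec  7 13:38:19 ns snort: [1:1156:1] WEB-MISC apache DOS attempt [Classification: Attempted Denial of Service] [Priority: 6]: {TCP} 192.0.2.50:1248 -> 192.0.2.10:80
Dec  7 11:06:18 ns snort: [1:884:2] WEB-CGI formmail access [Classification: Attempted Information Leak] [Priority: 3]: {TCP} 192.0.2.51:3538 -> 192.0.2.10:80
Dec  7 11:09:02 ns snort: [1:884:2] WEB-CGI formmail access [Classification: Attempted Information Leak] [Priority: 3]: {TCP} 192.0.2.52:4011 -> 192.0.2.10:80
Dec  7 11:10:00 ns sshd[411]: unrelated line that must be skipped
"""

# Fields: [generator id:signature id:revision] message [Classification] [Priority] {proto} src -> dst
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[Classification: (?P<cls>[^\]]+)\] "
    r"\[Priority: (?P<prio>\d+)\]:? \{(?P<proto>\w+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)"
)

def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    return rec

def summarize(text):
    """Count alerts per (sid, msg, classification, priority), most frequent first."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec:
            counts[(rec["sid"], rec["msg"], rec["cls"], rec["prio"])] += 1
    return counts.most_common()

if __name__ == "__main__":
    # Priority is printed as logged; its meaning comes from the sensor's own configuration.
    for (sid, msg, cls, prio), n in summarize(SAMPLE):
        print(f"{n:4d}  sid={sid:<5d} prio={prio:<2d} {cls}: {msg}")
```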

