Snort mailing list archives
Re: Why these flowbits errors are returned??
From: "C. L. Martinez" <carlopmart () gmail com>
Date: Fri, 30 Nov 2012 07:15:57 +0000
On Thu, Nov 29, 2012 at 6:52 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 11/29/2012 11:30, JJC wrote:
>> Yes PP should fix it, no snort won't barf, rules using never set flowbits throw a warn similar to the one below. Was PP used, if so then I would need to see the configs to understand why it was enabled etc....
>
> the OP, C. L. Martinez, stated that they do use pulledpork.pl... hopefully they will see this and provide the necessary information to find the problem on their installation...

Sure. My PP config is really simple:

    #
    # Download rules url
    #
    rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<code>
    rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open

    # Ignored rules
    ignore=deleted.rules,experimental.rules,local.rules

    # What is our temp path, be sure this path has a bit of space for rule
    # extraction and manipulation, no trailing slash
    temp_path=/tmp

    # Output path for download rules
    out_path=/data/config/etc/idpsnort01/rules

    # Location for sid-msg.map file
    sid_msg=/data/config/etc/idpsnort01/sid-msg.map

    # Defined path for sid changelog file
    sid_changelog=/tmp/sid_changes.log

    # What path you want the .so files to actually go to *i.e. where is it
    # defined in your snort.conf, needs a trailing slash
    sorule_path=/data/config/etc/idpsnort01/dynamicrules

    # Define your distro, this is for the precompiled shared object libs!
    distro=FreeBSD-9-0

    # Path to the snort binary, we need this to generate the stub files
    snort_path=/usr/local/bin/snort

    # We need to know where your snort.conf file lives so that we can
    # generate the stub files
    config_path=/data/config/etc/idpsnort01/snort.conf

    # Define the path to the pid files of any running process that you want to
    # HUP after PP has completed its run.
    pid_path=/var/run/snort_em5.pid

    ####### Remember, a number of these values are optional.. if you don't
    ####### need to process so_rules, simply comment out the so_rule section
    ####### you can also specify -T at runtime to process only GID 1 rules.

    version=0.6.0

As you can see, I have not activated disablesid.conf, enablesid.conf, etc.
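
The condition behind the warning discussed in this thread (an enabled rule checks a flowbit that no enabled rule sets) can be checked offline against the generated rules file. The script below is an added example, not part of the original message and not PulledPork code; the sample rules, their SIDs and the names `parse_rules` and `unset_flowbits` are constructed for illustration.

```python
import re

# Constructed sample rules (not from the thread): SID 1000001 is a disabled setter.
SAMPLE_RULES = r'''
# alert tcp any any -> any 80 (msg:"constructed setter"; flow:to_server,established; content:"GET"; flowbits:set,demo.get; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any 80 -> any any (msg:"constructed checker"; flow:to_client,established; flowbits:isset,demo.get; content:"200"; sid:1000002; rev:1;)
alert tcp any any -> any 21 (msg:"constructed ftp setter"; flowbits:set,demo.ftp; flowbits:noalert; sid:1000003; rev:1;)
alert tcp any 21 -> any any (msg:"constructed ftp checker"; flowbits:isset,demo.ftp; sid:1000004; rev:1;)
'''
# flowbits:<op>[,<bits>[,<group>]]; several bits may be joined with & or |
FLOWBITS = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?", re.I)
SID = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")

def parse_rules(text):
    """Yield (enabled, sid, [(op, bit), ...]) for every rule line, commented-out or not."""
    for line in text.splitlines():
        body = line.strip()
        enabled = not body.startswith("#")
        body = body.lstrip("# ")
        if not body.startswith(ACTIONS):
            continue  # blank line or ordinary comment
        sid = SID.search(body)
        ops = [(op.lower(), bit.strip())
               for op, names in FLOWBITS.findall(body)
               for bit in re.split(r"[&|]", names) if bit.strip()]
        yield enabled, int(sid.group(1)) if sid else None, ops

def unset_flowbits(text):
    """Return bits checked by enabled rules that no enabled rule sets,
    with the checking SIDs and any disabled rules that would set them."""
    set_by_enabled, disabled_setters, checked = set(), {}, {}
    for enabled, sid, ops in parse_rules(text):
        for op, bit in ops:
            if op in SETTERS and enabled:
                set_by_enabled.add(bit)
            elif op in SETTERS:
                disabled_setters.setdefault(bit, []).append(sid)
            elif op in CHECKERS and enabled:
                checked.setdefault(bit, []).append(sid)
    return {bit: {"checked_by": sids, "disabled_setters": disabled_setters.get(bit, [])}
            for bit, sids in checked.items() if bit not in set_by_enabled}

if __name__ == "__main__":
    for bit, info in unset_flowbits(SAMPLE_RULES).items():
        print(f"{bit}: checked by {info['checked_by']}, disabled setters {info['disabled_setters']}")
```

To use it on a real installation, pass the contents of the rules file written under `out_path` to `unset_flowbits` instead of `SAMPLE_RULES`.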