Snort mailing list archives

Re: Why these flowbits errors are returned??


From: "C. L. Martinez" <carlopmart () gmail com>
Date: Fri, 30 Nov 2012 07:15:57 +0000

On Thu, Nov 29, 2012 at 6:52 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 11/29/2012 11:30, JJC wrote:
>> Yes, PP should fix it; no, Snort won't barf. Rules using never-set flowbits throw a warning similar to the one below.
>>
>> Was PP used? If so, then I would need to see the configs to understand why it was enabled etc....
>
> the OP, C. L. Martinez, stated that they do use pulledpork.pl... hopefully they
> will see this and provide the necessary information to find the problem on their
> installation...


Sure. My PP config is really simple:

#
# Download rules url
#
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<code>
rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open

# Ignored rules
ignore=deleted.rules,experimental.rules,local.rules

# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp

# Output path for download rules
out_path=/data/config/etc/idpsnort01/rules

# Location for sid-msg.map file
sid_msg=/data/config/etc/idpsnort01/sid-msg.map

# Defined path for sid changelog file
sid_changelog=/tmp/sid_changes.log

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/data/config/etc/idpsnort01/dynamicrules

# Define your distro, this is for the precompiled shared object libs!
distro=FreeBSD-9-0

# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/data/config/etc/idpsnort01/snort.conf

# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
pid_path=/var/run/snort_em5.pid


####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.

version=0.6.0

As you can see, I have not activated disablesid.conf, enablesid.conf, etc.
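Since the point raised earlier in the thread is that Snort warns when a rule tests a flowbit that no enabled rule sets, it is useful to find such bits before HUPing Snort. The checker below is an added example written for this page; it is not code from pulledpork, from Snort, or from anyone in the thread. It reads one-rule-per-line Snort rules text (the form pulledpork writes into out_path), treats rules commented out with '#' as disabled (which is how pulledpork's disablesid handling turns a rule off, and a common way a setter silently disappears while its checker stays enabled), and reports every bit that an enabled rule tests with isset/isnotset but that no enabled rule sets. The sample rules, sids and bit names are constructed for the example; the directory argument and the `*.rules` glob are assumptions.

```python
"""
Added example (not part of the thread or of pulledpork): report flowbits
that enabled Snort rules test but that no enabled rule ever sets.
"""
import re
import sys
from collections import defaultdict
from pathlib import Path

# flowbits:<op>[,<bits>[,<group>]]  -- op is set/setx/unset/toggle/isset/
# isnotset/noalert/reset; <bits> may be one name or names joined by & or |.
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')

SETTERS = {"set", "setx", "toggle"}   # ops that can leave a bit set
TESTERS = {"isset", "isnotset"}       # ops that require the bit to exist

# Constructed sample rules (not from any real ruleset). sid 9000003 is the
# disabled setter for example.smtp_hello; sid 9000004 still tests it.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE setter"; flow:to_server,established; content:"GET"; flowbits:set,example.get_seen; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXAMPLE checker"; flow:to_client,established; flowbits:isset,example.get_seen; content:"boom"; sid:9000002; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"EXAMPLE disabled setter"; flowbits:set,example.smtp_hello; flowbits:noalert; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"EXAMPLE orphan checker"; flowbits:isset,example.smtp_hello; sid:9000004; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE multi"; flowbits:isset,example.get_seen&example.never_set; sid:9000005; rev:1;)
"""


def split_bits(field):
    """'a & b|c' -> ['a', 'b', 'c']; handles the & and | bit-list forms."""
    return [b.strip() for b in re.split(r'[&|]', field) if b.strip()]


def parse_rules(text):
    """Yield (enabled, sid, [(op, [bits]), ...]) for each rule line.

    A line starting with '#' is a disabled rule. Lines without a sid
    option (plain comments, blank lines) are skipped. Rules are assumed
    to be one per line, as pulledpork writes them.
    """
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith('#')
        body = stripped.lstrip('#').strip()
        m = SID_RE.search(body)
        if not m:
            continue
        sid = int(m.group(1))
        ops = [(op, split_bits(arg) if arg else [])
               for op, arg in FLOWBITS_RE.findall(body)]
        yield enabled, sid, ops


def find_orphan_flowbits(text):
    """Return {bit: [sids]} for bits tested by enabled rules but set by none."""
    set_by = defaultdict(set)      # bit -> sids of enabled rules setting it
    tested_by = defaultdict(set)   # bit -> sids of enabled rules testing it
    for enabled, sid, ops in parse_rules(text):
        if not enabled:            # disabled rules neither set nor test
            continue
        for op, bits in ops:
            for bit in bits:
                if op in SETTERS:
                    set_by[bit].add(sid)
                elif op in TESTERS:
                    tested_by[bit].add(sid)
    return {bit: sorted(sids) for bit, sids in tested_by.items()
            if bit not in set_by}


def check_rules_dir(rules_dir):
    """Concatenate every *.rules file under rules_dir (assumed layout,
    e.g. pulledpork's out_path) and check the whole set together."""
    files = sorted(Path(rules_dir).glob("*.rules"))
    text = "\n".join(p.read_text(errors="replace") for p in files)
    return find_orphan_flowbits(text)


if __name__ == "__main__":
    # Usage (assumed): python flowbits_check.py /path/to/rules  (no arg: sample)
    result = (check_rules_dir(sys.argv[1]) if len(sys.argv) > 1
              else find_orphan_flowbits(SAMPLE_RULES))
    for bit, sids in sorted(result.items()):
        print(f"flowbit {bit!r} tested by sid(s) {sids} but never set by an enabled rule")
```

Run it against the whole rule set Snort actually loads, not a single file: a bit set in one ruleset file and tested in another is fine, and the warning only appears when the setter is missing from everything that is enabled. The checker does not join backslash-continued multi-line rules, so feed it pulledpork output rather than hand-written local.rules with continuations.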

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
