Snort mailing list archives

Re: MySQL support for Snort 2.9.4


From: Kaya Saman <kayasaman () gmail com>
Date: Tue, 11 Dec 2012 21:47:22 +0000

On 12/11/2012 09:41 PM, Joel Esler wrote:
On Tue, Dec 11, 2012 at 09:26:55PM +0000, Kaya Saman wrote:
On 12/11/2012 07:11 PM, Joel Esler wrote:
You aren't generating any alerts because of:

On Dec 11, 2012, at 2:06 PM, Kaya Saman <kayasaman () gmail com> wrote:

Bad Chk Sum:      9421212 ( 50.311%)
Try adding -k none to your Snort command line and see if you get
anything logged that way.


Action Stats:
    Alerts:            0 (  0.000%)
    Logged:            0 (  0.000%)
    Passed:            0 (  0.000%)

See, nothing alerted.

Also,
you might want to use PulledPork to manage your ruleset, as it
looks like you have a bunch of unresolved flowbit issues.
Thanks Joel,

I used PulledPork but it didn't get any of the *.rules files that
are in the tar.gz file. I manually added them in then ran PP again
out of which I got:

Reading rules...
Reading rules...
Reading rules...
Setting Flowbit State....
         Enabled 23 flowbits
         Enabled 1 flowbits
         Done
Writing /etc/snort/rules/snort.rules....
         Done
Writing /etc/snort/rules/so_rules.rules....
         Done
Generating sid-msg.map....
         Done
Writing /etc/snort/sid-msg.map....
         Done
Writing /var/log/sid_changes.log....
         Done
Rule Stats....
         New:-------0
         Deleted:---0
         Enabled Rules:----16879
         Dropped Rules:----0
         Disabled Rules:---14849
         Total Rules:------31728
         Done

I still get the flowbit errors as PP from above only enabled 24.


In the log file I noticed that I got a bunch of "unknown message"
entries so I don't know if that's got anything to do with it?
It would help if you'd post the errors you received.

Sorry about that!

         Unknown MSG (105:1)
         Unknown MSG (105:2)
         Unknown MSG (105:3)
         Unknown MSG (105:4)
         Unknown MSG (106:1)
         Unknown MSG (106:2)
         Unknown MSG (106:3)
         Unknown MSG (106:4)
         Unknown MSG (106:5)
         Unknown MSG (112:1)
         Unknown MSG (112:2)
         Unknown MSG (112:3)
         Unknown MSG (112:4)
         Unknown MSG (119:1)
         Unknown MSG (119:10)
         Unknown MSG (119:11)
         Unknown MSG (119:12)
         Unknown MSG (119:13)
         Unknown MSG (119:14)
         Unknown MSG (119:15)
         Unknown MSG (119:16)
         Unknown MSG (119:17)
         Unknown MSG (119:18)
         Unknown MSG (119:19)
         Unknown MSG (119:2)
         Unknown MSG (119:20)
         Unknown MSG (119:21)
         Unknown MSG (119:22)
         Unknown MSG (119:23)
         Unknown MSG (119:24)
         Unknown MSG (119:25)
         Unknown MSG (119:26)
         Unknown MSG (119:27)
         Unknown MSG (119:28)
         Unknown MSG (119:29)
         Unknown MSG (119:3)
         Unknown MSG (119:30)
         Unknown MSG (119:31)
         Unknown MSG (119:32)
         Unknown MSG (119:4)
         Unknown MSG (119:6)
         Unknown MSG (119:7)
         Unknown MSG (119:8)
         Unknown MSG (119:9)
         Unknown MSG (120:1)
         Unknown MSG (120:10)
         Unknown MSG (120:11)
         Unknown MSG (120:2)
         Unknown MSG (120:3)
         Unknown MSG (120:4)
         Unknown MSG (120:5)
         Unknown MSG (120:6)
         Unknown MSG (120:7)
         Unknown MSG (120:8)
         Unknown MSG (120:9)
         Unknown MSG (122:1)
         Unknown MSG (122:10)
         Unknown MSG (122:11)
         Unknown MSG (122:12)
         Unknown MSG (122:13)
         Unknown MSG (122:14)
         Unknown MSG (122:15)
         Unknown MSG (122:16)
         Unknown MSG (122:17)
         Unknown MSG (122:18)
         Unknown MSG (122:19)
         Unknown MSG (122:2)
         Unknown MSG (122:20)
         Unknown MSG (122:21)
         Unknown MSG (122:22)
         Unknown MSG (122:23)
         Unknown MSG (122:24)
         Unknown MSG (122:25)
         Unknown MSG (122:26)
         Unknown MSG (122:27)
         Unknown MSG (122:3)
         Unknown MSG (122:4)
         Unknown MSG (122:5)
         Unknown MSG (122:6)
         Unknown MSG (122:7)
         Unknown MSG (122:8)
         Unknown MSG (122:9)
         Unknown MSG (123:1)
         Unknown MSG (123:10)
         Unknown MSG (123:11)
         Unknown MSG (123:12)
         Unknown MSG (123:13)
         Unknown MSG (123:2)
         Unknown MSG (123:3)
         Unknown MSG (123:4)
         Unknown MSG (123:5)
         Unknown MSG (123:6)
         Unknown MSG (123:7)
         Unknown MSG (123:8)
         Unknown MSG (123:9)
         Unknown MSG (124:1)
         Unknown MSG (124:10)
         Unknown MSG (124:11)
         Unknown MSG (124:12)
         Unknown MSG (124:13)
         Unknown MSG (124:2)
         Unknown MSG (124:3)
         Unknown MSG (124:4)
         Unknown MSG (124:5)
         Unknown MSG (124:6)
         Unknown MSG (124:7)
         Unknown MSG (124:8)
         Unknown MSG (125:1)
         Unknown MSG (125:2)
         Unknown MSG (125:3)
         Unknown MSG (125:4)
         Unknown MSG (125:5)
         Unknown MSG (125:6)
         Unknown MSG (125:7)
         Unknown MSG (125:8)
         Unknown MSG (125:9)
         Unknown MSG (126:1)
         Unknown MSG (126:2)
         Unknown MSG (126:3)
         Unknown MSG (128:1)
         Unknown MSG (128:2)
         Unknown MSG (128:3)
         Unknown MSG (128:4)
         Unknown MSG (128:5)
         Unknown MSG (128:6)
         Unknown MSG (128:7)
         Unknown MSG (129:1)
         Unknown MSG (129:10)
         Unknown MSG (129:11)
         Unknown MSG (129:12)
         Unknown MSG (129:13)
         Unknown MSG (129:14)
         Unknown MSG (129:15)
         Unknown MSG (129:16)
         Unknown MSG (129:17)
         Unknown MSG (129:18)
         Unknown MSG (129:19)
         Unknown MSG (129:2)
         Unknown MSG (129:3)
         Unknown MSG (129:4)
         Unknown MSG (129:5)
         Unknown MSG (129:6)
         Unknown MSG (129:7)
         Unknown MSG (129:8)
         Unknown MSG (129:9)
         Unknown MSG (131:1)
         Unknown MSG (131:2)
         Unknown MSG (131:3)
         Unknown MSG (133:1)
         Unknown MSG (133:10)
         Unknown MSG (133:11)
         Unknown MSG (133:12)
         Unknown MSG (133:13)
         Unknown MSG (133:14)
         Unknown MSG (133:15)
         Unknown MSG (133:16)
         Unknown MSG (133:17)
         Unknown MSG (133:18)
         Unknown MSG (133:19)
         Unknown MSG (133:2)
         Unknown MSG (133:20)
         Unknown MSG (133:21)
         Unknown MSG (133:22)
         Unknown MSG (133:23)
         Unknown MSG (133:24)
         Unknown MSG (133:25)
         Unknown MSG (133:26)
         Unknown MSG (133:27)
         Unknown MSG (133:28)
         Unknown MSG (133:29)
         Unknown MSG (133:3)
         Unknown MSG (133:30)
         Unknown MSG (133:31)
         Unknown MSG (133:32)
         Unknown MSG (133:33)
         Unknown MSG (133:34)
         Unknown MSG (133:35)
         Unknown MSG (133:36)
         Unknown MSG (133:37)
         Unknown MSG (133:38)
         Unknown MSG (133:39)
         Unknown MSG (133:4)
         Unknown MSG (133:40)
         Unknown MSG (133:41)
         Unknown MSG (133:42)
         Unknown MSG (133:43)
         Unknown MSG (133:48)
         Unknown MSG (133:49)
         Unknown MSG (133:5)
         Unknown MSG (133:50)
         Unknown MSG (133:51)
         Unknown MSG (133:52)
         Unknown MSG (133:53)
         Unknown MSG (133:54)
         Unknown MSG (133:55)
         Unknown MSG (133:56)
         Unknown MSG (133:6)
         Unknown MSG (133:7)
         Unknown MSG (133:8)
         Unknown MSG (133:9)
         Unknown MSG (134:1)
         Unknown MSG (134:2)
         Unknown MSG (135:1)
         Unknown MSG (135:2)
         Unknown MSG (135:3)
         Unknown MSG (136:1)
         Unknown MSG (136:2)
         Unknown MSG (137:1)
         Unknown MSG (137:2)
         Unknown MSG (139:1)
         Unknown MSG (140:1)
         Unknown MSG (140:10)
         Unknown MSG (140:11)
         Unknown MSG (140:12)
         Unknown MSG (140:13)
         Unknown MSG (140:14)
         Unknown MSG (140:15)
         Unknown MSG (140:16)
         Unknown MSG (140:17)
         Unknown MSG (140:18)
         Unknown MSG (140:19)
         Unknown MSG (140:2)
         Unknown MSG (140:20)
         Unknown MSG (140:21)
         Unknown MSG (140:22)
         Unknown MSG (140:23)
         Unknown MSG (140:24)
         Unknown MSG (140:25)
         Unknown MSG (140:26)
         Unknown MSG (140:27)
         Unknown MSG (140:3)
         Unknown MSG (140:4)
         Unknown MSG (140:5)
         Unknown MSG (140:6)
         Unknown MSG (140:7)
         Unknown MSG (140:8)
         Unknown MSG (140:9)
         Unknown MSG (141:1)
         Unknown MSG (141:2)
         Unknown MSG (141:3)
         Unknown MSG (141:4)
         Unknown MSG (141:5)
         Unknown MSG (141:6)
         Unknown MSG (141:7)
         Unknown MSG (142:1)
         Unknown MSG (142:2)
         Unknown MSG (142:3)
         Unknown MSG (142:4)
         Unknown MSG (142:5)
         Unknown MSG (142:6)
         Unknown MSG (142:7)
         Unknown MSG (143:1)
         Unknown MSG (143:2)
         Unknown MSG (143:3)
         Unknown MSG (144:1)
         Unknown MSG (144:2)
         Unknown MSG (144:3)
         Unknown MSG (145:1)
         Unknown MSG (145:2)
         Unknown MSG (145:3)
         Unknown MSG (145:4)
         Unknown MSG (145:5)
         Unknown MSG (145:6)
         Unknown MSG (2:1)


Are what I've seen currently.....



Using the -k none option as suggested previously I don't get any
more 'Bad Chk Sum' errors but I still don't get anything logged
either?
Well if you are evaluating all the traffic, then you might not have anything for Snort to trigger off of. But let's keep checking to be sure.

Basically Snort should just listen to all traffic and report for
anything hinky - running in IDS mode.

I'm wondering if I should pull the Emerging Threats rules in again and
use those as they worked before?



--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Regards,


Kaya
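An added helper for the two diagnostics discussed in this thread (example code, not from the thread, Snort or PulledPork): it pulls the "Bad Chk Sum" count and percentage out of a pasted Snort run summary, and groups PulledPork's "Unknown MSG (gid:sid)" lines by generator id so it is visible at a glance that the unknown entries are decoder/preprocessor gids rather than text rules. The gid-to-map-file mapping is the usual Snort 2.9 layout (gid 1 and 3 in sid-msg.map, everything else in gen-msg.map) and is an assumption, not something the thread states; the sample inputs are constructed from the thread's own numbers.

```python
import re
from collections import defaultdict

# Constructed sample of Snort's run-time summary (figures taken from the thread).
SNORT_SUMMARY = """\
Bad Chk Sum:      9421212 ( 50.311%)
Action Stats:
    Alerts:            0 (  0.000%)
    Logged:            0 (  0.000%)
"""

# Constructed excerpt of PulledPork's output with a few of the thread's entries.
PP_LOG = """\
Reading rules...
         Unknown MSG (119:1)
         Unknown MSG (119:10)
         Unknown MSG (133:48)
         Unknown MSG (2:1)
         Done
"""

BAD_CKSUM_RE = re.compile(r"Bad Chk Sum:\s+(\d+)\s+\(\s*([\d.]+)%\)")
UNKNOWN_RE = re.compile(r"Unknown MSG \((\d+):(\d+)\)")


def bad_checksum_ratio(summary):
    """Return (count, percent) of packets Snort skipped for bad checksums."""
    m = BAD_CKSUM_RE.search(summary)
    return (int(m.group(1)), float(m.group(2))) if m else (0, 0.0)


def group_unknown_msgs(log):
    """Map each generator id (gid) to the sorted list of its unknown sids."""
    groups = defaultdict(set)
    for gid, sid in UNKNOWN_RE.findall(log):
        groups[int(gid)].add(int(sid))
    return {gid: sorted(sids) for gid, sids in groups.items()}


def gid_source(gid):
    """Map file expected to hold the message text for a gid (assumed Snort 2.9 layout)."""
    if gid == 1:
        return "sid-msg.map (text rules)"
    if gid == 3:
        return "sid-msg.map (shared-object rules)"
    return "gen-msg.map (decoder/preprocessor events)"


if __name__ == "__main__":
    count, pct = bad_checksum_ratio(SNORT_SUMMARY)
    if pct > 10.0:  # half the capture failing checksums points at offload, not attacks
        print(f"{count} packets ({pct}%) skipped for bad checksums; retest with -k none")
    for gid, sids in sorted(group_unknown_msgs(PP_LOG).items()):
        print(f"gid {gid}: {len(sids)} unknown sid(s) -> {gid_source(gid)}")
```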

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net