Snort mailing list archives
Re: a few questions...
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 5 Jul 2013 18:35:33 -0400
On Fri, Jul 5, 2013 at 5:56 PM, waldo kitty <wkitty42 () windstream net> wrote:
> in response to another's query about how to compile the so dynamic rules, i set off to test my theory and understanding... i completed my task and have an executable snort 2.9.5 with what appears to be compiled so dynamic rules from snapshot-2.9.4.6... this snort was compiled "straight"... in other words, nothing fancy... only the following...
>
> ./configure
> make
> make install
>
> so there's a bit of background... if it is not complete enough, please ask me for additional information... now to my couple of questions...
>
> 1. i do have 14 compiled so dynamic rules files in my lib directory. snort does recognize them and appears to load them as can be seen in the execution output attached below. the question is why does snort report "0 Dynamic rules" when it is initializing the rule chains? there /are/ 72 rules stubs in the so_rules directory and they were created from the compiled rules by snort's --dump-dynamic-rules option... did i miss a change in the so_rules/src/Makefile other than changing the SNORT_VERSION entry?
Those are dynamically activated rules as opposed to dynamically loaded rules. Check here:

http://manual.snort.org/node29.html#SECTION00421000000000000000
http://manual.snort.org/node29.html#SECTION00426000000000000000
> 2. when i terminate snort, the "Packet I/O Totals" count of processed doesn't make sense. it says 4054 received and analyzed but the "Breakdown by protocol" says there were 4057. where did the extra three packets come from? it also reports 125 "Other" packets. how can i find out what they are or were?

They are certain rebuilt packets counted here:

    S5 G 2: 3 ( 0.074%)

Check here: http://manual.snort.org/node9.html#SECTION00273000000000000000

I guess that should also state that packets flushed at shutdown are counted there as well.
> all the output from the execution is attached below (snort_execution.txt) and my snort.conf is attached after that (snort_conf.txt)...
>
> --
> NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows: Build for Windows Store.
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
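The count mismatch discussed in question 2 (4054 received versus 4057 in the protocol breakdown, with the difference being Stream5-rebuilt packets) is easy to check mechanically. The following is an added example, not code from the thread or from the Snort project: it parses the shutdown summary Snort 2.9.x prints and checks that Received plus the rebuilt-packet lines (S5 G 1 and S5 G 2) account for the breakdown Total. The sample text is constructed to mirror the numbers in the thread; its exact line layout is an assumption about Snort's output, so adjust the regex if your build formats the summary differently.

```python
import re

# Constructed sample of a Snort 2.9.x shutdown summary (layout is an assumption;
# the figures are the ones quoted in the thread). Sub-protocol lines overlap
# (TCP is inside IP4, rebuilt packets are counted again in Eth/IP4), so they
# are not expected to sum to Total; only Received + rebuilt == Total is checked.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:         4054
   Analyzed:         4054 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         4057 (100.000%)
        IP4:         3932 ( 96.919%)
        TCP:         3500 ( 86.271%)
        UDP:          400 (  9.859%)
      Other:          125 (  3.081%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            3 (  0.074%)
      Total:         4057
===============================================================================
"""

# "   Name:   1234 ( 12.345%)" -> ("Name", 1234); lines without a count are skipped.
COUNTER_RE = re.compile(r"\s*([A-Za-z0-9 ]+?):\s+(\d+)")


def parse_counters(text):
    """Map every 'Name: count' line of the summary to an int, e.g. {'Received': 4054}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def reconcile(counters):
    """Explain the gap between Packet I/O 'Received' and the breakdown 'Total'.

    Returns a dict; 'unexplained' is 0 when the Stream5 rebuilt-packet lines
    (S5 G 1 / S5 G 2) fully account for the difference.
    """
    received = counters["Received"]
    total = counters["Total"]
    rebuilt = counters.get("S5 G 1", 0) + counters.get("S5 G 2", 0)
    return {
        "received": received,
        "breakdown_total": total,
        "rebuilt": rebuilt,
        "other": counters.get("Other", 0),
        "unexplained": total - received - rebuilt,
    }


if __name__ == "__main__":
    result = reconcile(parse_counters(SAMPLE_STATS))
    for key, value in result.items():
        print(f"{key:>16}: {value}")
    if result["unexplained"]:
        print("WARNING: breakdown total not accounted for by rebuilt packets")
```

Run against a real `snort_execution.txt`, replace `SAMPLE_STATS` with the file contents; a non-zero `unexplained` value means something other than Stream5 reassembly inflated the breakdown, which is worth a closer look before trusting the counters.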