Snort mailing list archives
Snort won't generate alerts with single snort.rules file
From: Anacleto Junior <suporte.anacleto () gmail com>
Date: Fri, 28 Feb 2014 14:19:56 -0300
Hi everyone,

Sorry for the poor English, but I will try my best. I will describe my problems after upgrading Snort rules.

Debian Linux 6.0.8 (kernel 2.6.32-5 x86_64)
Snort version: Version 2.9.6.0 GRE (Build 47)
Snort rules version: 2.9.6.0
pulledpork 0.7.0
barnyard2 2.1.13 build 327

I was using Snort v.2.9.5.6 with snortrules-snapshot-2956 for a good time. I have upgraded to the latest version available and some issues occurred. If this is not the right place for asking, sorry for this. I would appreciate it if someone could point me to the right place to ask.

When I run snort with this command:

    /usr/local/bin/snort -A console -u snort -g snort -c /etc/snort/eth1/snort_eth1.conf -i eth1

I can't get alerts and no events are registered. This is the output after I stop it (Ctrl+C):

I got some errors like:

    WARNING: /etc/snort/rules/snort.rules(15678) GID 1 SID 24017 in rule duplicates previous rule. Ignoring old rule.

But it moves on...

    4539 Snort rules read (so I assume it is reading the
        4208 detection rules
        0 decoder rules
        4 preprocessor rules
    4212 Option Chains linked into 185 Chain Headers
    0 Dynamic rules

    Snort ran for 0 days 0 hours 3 minutes 10 seconds
       Pkts/min:        39481
       Pkts/sec:          623

    Packet I/O Totals:
       Received:       118443
       Analyzed:       118443 (100.000%)
        Dropped:            0 (  0.000%)
       Filtered:            0 (  0.000%)
    Outstanding:            0 (  0.000%)
       Injected:            0

    Breakdown by protocol (includes rebuilt packets):
            Eth:       118567 (100.000%)
           VLAN:            0 (  0.000%)
            IP4:       118567 (100.000%)
           Frag:            0 (  0.000%)
           ICMP:          411 (  0.347%)
            UDP:         4682 (  3.949%)
            TCP:       111664 ( 94.178%)

Here's the problem, this is the info that got me concerned:

    ===============================================================================
    *Action Stats:
         Alerts:            0 (  0.000%)
         Logged:            0 (  0.000%)
         Passed:            0 (  0.000%)*
    Limits:
          Match:            0
          Queue:            0
            Log:            0
          Event:            0
          Alert:            0
    Verdicts:
          Allow:        82225 ( 69.422%)
          Block:            0 (  0.000%)
        Replace:            0 (  0.000%)
      Whitelist:        36218 ( 30.578%)
      Blacklist:            0 (  0.000%)
         Ignore:            0 (  0.000%)

All of this traffic was not even registered.

I think that I was supposed to get some alerts because of having a single file with all rules (pulledpork rule management). Isn't it supposed to activate all rules by default?

This is my snort.conf file: http://pastebin.com/YWABcKsF

Thanks in advance.

--
Anacleto Júnior
IT and Networks Analyst
Linux User: #447388
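An audit script added here as an example (it is not from the original post or the Snort project) that reads a pulledpork-style snort.rules file, counts active versus commented-out rules, and reports any GID:SID pair defined more than once, which is what produces the "duplicates previous rule. Ignoring old rule." warning seen above. The rules embedded in the script are constructed sample data; pass a real file path as the first argument to check your own file.

```python
import re
from collections import defaultdict

# Constructed sample of a pulledpork-style snort.rules file; not the poster's file.
SAMPLE_RULES = """\
# pulledpork managed rules file (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; sid:1000001; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"ICMP ping"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Outbound HTTP"; sid:24017; gid:1; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Outbound HTTPS"; gid:1; sid:24017; rev:3;)
alert udp any any -> any 53 (msg:"DNS query"; gid:3; sid:24017; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

def audit_rules(text):
    """Return (active, disabled, duplicates) for a rules file.

    duplicates maps (gid, sid) to line numbers of active rules sharing that
    pair; Snort keeps only the last one and warns "Ignoring old rule."
    """
    seen = defaultdict(list)
    active = disabled = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith('#'):
            # pulledpork disables a rule by commenting it out, so a sid:
            # option behind the '#' is a disabled rule, not a plain comment.
            if SID_RE.search(line):
                disabled += 1
            continue
        m = SID_RE.search(line)
        if not m:
            continue  # blank line or non-rule directive
        active += 1
        gm = GID_RE.search(line)
        gid = int(gm.group(1)) if gm else 1  # Snort defaults gid to 1
        seen[(gid, int(m.group(1)))].append(lineno)
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return active, disabled, duplicates

if __name__ == '__main__':
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    act, dis, dups = audit_rules(src)
    print(f"active rules: {act}, disabled (commented out) rules: {dis}")
    for (gid, sid), lines in sorted(dups.items()):
        print(f"GID {gid} SID {sid} on lines {lines}; Snort keeps line {lines[-1]}")
```

If the active count is far below the "Snort rules read" figure, or the duplicates list is long, the generated file rather than the snort.conf include is the first thing to check.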
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!