Snort mailing list archives
Re: Modifying Rules Works One Direction, but Not T'Other
From: Doug Burks <doug.burks () gmail com>
Date: Sat, 29 Nov 2014 15:13:20 -0500
What specific anomalies are you referring to? I see some classification.config warnings and a Barnyard error (which is normal since Barnyard is only updating a database table and not processing any actual unified2 data). I'm not seeing any critical problems there. I'm pretty sure we've gone beyond the scope of this Snort mailing list and should move this conversation to the Security Onion mailing list. As I mentioned previously, you don't have to have a Google account: You should also be able to use our Google Group as a standard mailing list just like this Snort mailing list. Send email to security-onion () googlegroups com from your existing non-Google email account you're using here. You'll receive replies at the same non-Google email account. At that point, it's really no different than using this Snort mailing list.

On Sat, Nov 29, 2014 at 3:04 PM, colony.three <colony.three () protonmail ch> wrote:
As well, I'm seeing some anomalies when running rule-update. I just took it as growing-pains, but maybe this is not normal. I've had to reinstall SecurityOnion at least 7 times for various reasons, and it's always behaved in the ways I've described in this thread.

# rule-update
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
	They Match
	Done!
Prepping rules from emerging.rules.tar.gz for work....
	Done!
Reading rules...
Generating Stub Rules....
An error occurred: WARNING: classification.config(9) Duplicate classification "default-login-attempt"found, ignoring this line
An error occurred: WARNING: classification.config(20) Duplicate classification "non-standard-protocol"found, ignoring this line
An error occurred: WARNING: classification.config(27) Duplicate classification "shellcode-detect"found, ignoring this line
An error occurred: WARNING: classification.config(29) Duplicate classification "string-detect"found, ignoring this line
An error occurred: WARNING: classification.config(36) Duplicate classification "suspicious-filename-detect"found, ignoring this line
An error occurred: WARNING: classification.config(38) Duplicate classification "suspicious-login"found, ignoring this line
An error occurred: WARNING: classification.config(40) Duplicate classification "system-call-detect"found, ignoring this line
An error occurred: WARNING: classification.config(42) Duplicate classification "tcp-connection"found, ignoring this line
An error occurred: WARNING: classification.config(44) Duplicate classification "trojan-activity"found, ignoring this line
An error occurred: WARNING: classification.config(48) Duplicate classification "unusual-client-port-connection"found, ignoring this line
An error occurred: WARNING: classification.config(50) Duplicate classification "web-application-activity"found, ignoring this line
An error occurred: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
	Done
Reading rules...
Reading rules...
Modifying Sids....
	Done!
Processing /etc/nsm/pulledpork/enablesid.conf....
	Modified 0 rules
	Done
Processing /etc/nsm/pulledpork/dropsid.conf....
	Modified 0 rules
	Done
Processing /etc/nsm/pulledpork/disablesid.conf....
	Modified 17 rules
	Done
Setting Flowbit State....
	Enabled 37 flowbits
	Done
Writing /etc/nsm/rules/downloaded.rules....
	Done
Generating sid-msg.map....
	Done
Writing v1 /etc/nsm/rules/sid-msg.map....
	Done
Writing /var/log/nsm/sid_changes.log....
	Done
Rule Stats...
	New:-------0
	Deleted:---0
	Enabled Rules:----16740
	Dropped Rules:----0
	Disabled Rules:---3867
	Total Rules:------20607
No IP Blacklist Changes

Done
Please review /var/log/nsm/sid_changes.log for additional details

Fly Piggy Fly!

Updating Snorby's sig_reference table
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/nsm/barnyard2-snorby/barnyard2.conf"
: Duplicate classification "default-login-attempt"found, ignoring this line
: Duplicate classification "non-standard-protocol"found, ignoring this line
: Duplicate classification "shellcode-detect"found, ignoring this line
: Duplicate classification "string-detect"found, ignoring this line
: Duplicate classification "suspicious-filename-detect"found, ignoring this line
: Duplicate classification "suspicious-login"found, ignoring this line
: Duplicate classification "system-call-detect"found, ignoring this line
: Duplicate classification "tcp-connection"found, ignoring this line
: Duplicate classification "trojan-activity"found, ignoring this line
: Duplicate classification "unusual-client-port-connection"found, ignoring this line
: Duplicate classification "web-application-activity"found, ignoring this line

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

WARNING: Ignoring bad line in SID file: 'v1'
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /etc/nsm/barnyard2-snorby
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[SignatureReferencePullDataStore()]: No Reference found in database ...

database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = 127.0.0.1
database:           user = root
database:  database name = snorby
database:    sensor name = hydra:NULL
database:      sensor id = 1
database:     sensor cid = 9
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "alert" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 333) TCL
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

ERROR: Unable to open directory '' (No such file or directory)
ERROR: Unable to find the next spool file!
===============================================================================
Record Totals:
  Records:            0
  Events:             0 (0.000%)
  Packets:            0 (0.000%)
  Unknown:            0 (0.000%)
  Suppressed:         0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 0 (0.000%)
  ETHdisc: 0 (0.000%)
     VLAN: 0 (0.000%)
     IPV6: 0 (0.000%)
  IP6 EXT: 0 (0.000%)
  IP6opts: 0 (0.000%)
  IP6disc: 0 (0.000%)
      IP4: 0 (0.000%)
  IP4disc: 0 (0.000%)
    TCP 6: 0 (0.000%)
    UDP 6: 0 (0.000%)
    ICMP6: 0 (0.000%)
  ICMP-IP: 0 (0.000%)
      TCP: 0 (0.000%)
      UDP: 0 (0.000%)
     ICMP: 0 (0.000%)
  TCPdisc: 0 (0.000%)
  UDPdisc: 0 (0.000%)
  ICMPdis: 0 (0.000%)
     FRAG: 0 (0.000%)
   FRAG 6: 0 (0.000%)
      ARP: 0 (0.000%)
    EAPOL: 0 (0.000%)
  ETHLOOP: 0 (0.000%)
      IPX: 0 (0.000%)
    OTHER: 0 (0.000%)
  DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
   S5 G 1: 0 (0.000%)
   S5 G 2: 0 (0.000%)
    Total: 0
===============================================================================
Restarting Barnyard2.
Restarting: hydra-eth0
  * stopping: barnyard2-1 (spooler, unified2 format)                   [  OK  ]
  * starting: barnyard2-1 (spooler, unified2 format)                   [  OK  ]
Restarting IDS Engine.
Restarting: hydra-eth0
  * stopping: snort-1 (alert data)                                     [  OK  ]
  * starting: snort-1 (alert data)
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
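The "Duplicate classification ... ignoring this line" warnings above come from Snort and Barnyard2 both reading a classification.config in which a shortname is defined twice; the first definition wins and the rest are ignored. The following is an added example (not code from this thread, Snort, or Security Onion) that parses a file in the `config classification: shortname,description,priority` format and reports every duplicate with its line number and the line that shadows it, so an operator can locate and remove the redundant entries. The sample config and its line numbers are constructed for the example.

```python
import re

# Constructed sample in Snort's classification.config format. The repeated
# "shellcode-detect" and "string-detect" entries mimic the duplicates the
# rule-update output in this thread warns about (line numbers are ours).
SAMPLE_CONFIG = """\
# classification.config (constructed sample)
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3

config classification: trojan-activity,A Network Trojan was detected,1
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*(.+?)\s*$")


def parse_classifications(text):
    """Yield (lineno, shortname, description, priority) per classification line.
    Comments, blank lines and malformed entries are skipped."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CLASS_RE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group(1).split(",")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield lineno, parts[0], parts[1], int(parts[2])


def find_duplicates(text):
    """Return {shortname: [first_lineno, dup_lineno, ...]} for repeated names.
    Snort/Barnyard2 keep the first definition and ignore the later ones."""
    seen = {}
    for lineno, name, _desc, _prio in parse_classifications(text):
        seen.setdefault(name, []).append(lineno)
    return {name: lines for name, lines in seen.items() if len(lines) > 1}


def report(text):
    """Build warnings in the same spirit as Snort's own message, adding
    the line of the definition that shadows the duplicate."""
    msgs = []
    for name, lines in sorted(find_duplicates(text).items()):
        for dup in lines[1:]:
            msgs.append(f'WARNING: classification.config({dup}) Duplicate '
                        f'classification "{name}" found (first defined at '
                        f'line {lines[0]}), ignoring this line')
    return msgs


if __name__ == "__main__":
    for msg in report(SAMPLE_CONFIG):
        print(msg)
```

On a Security Onion sensor the same check can be pointed at the real file by reading it into `report()` instead of `SAMPLE_CONFIG`.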
Current thread:
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 27)
- <Possible follow-ups>
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 27)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Joel Esler (jesler) (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Joel Esler (jesler) (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 29)
- Re: Modifying Rules Works One Direction, but Not T'Other Doug Burks (Nov 30)
- Re: Modifying Rules Works One Direction, but Not T'Other colony.three (Nov 30)