Snort mailing list archives
Re: Unknown Sig Name ???
From: Susan Kay Coulter <skc () lanl gov>
Date: Fri, 12 Oct 2001 09:28:20 -0600
I got this error when I had written a rule with a syntax error in the msg option. My rule said something like ...

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:BadRule"; uri ...

Alerts from this rule showed up as "Unknown Signature Name". I was missing the leading quote on the msg option. After fixing the syntax error, the signature name showed up correctly.
Subject: Re: [Snort-users] Unknown Sig Name ???

Can anybody give me some clues on how to debug this message I am getting in acid? Is it a problem with classification.config? I am running snort 1.8.1 on one box with a local mysql database and snort 1.8.1 on another box which is logging alerts to the first boxen's database.

Thanks in advance...
Scott Duncan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Cytech Security Consulting
Internet Security Specialists
http://www.cytechconsult.com/
voice: 775-751-5267

--__--__--

Message: 12
Date: Thu, 11 Oct 2001 17:02:22 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: Jake S <jseitz () firstam com>
cc: Snort list <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] One question

On Thu, 11 Oct 2001, Jake S wrote:

> Is there a doc that gives a rough idea of what type of hardware to use in a Y network according to Z amount of traffic? My boss is looking for something to base our hardware purchasing on so that is why I ask.

Marty sent this info over to the list earlier this month. It's the closest thing we've got to a definitive guide ATM.

---
4) Hardware/OS recommendations

Ok, here are the guidelines and some parameters. Intrusion detection is turning into one of the most high performance production computing fields that is in wide deployment today. If you think about the requirements of a NIDS sensor and the constraints that they are required to operate within, you'll probably start to realize that it's not too hard to find the performance wall with a NIDS these days. The things a NIDS needs are:

MIPS (Fast CPU)
RAM (More is *always* better)
I/O (Wide, fast busses and high performance NIC)
AODS (Acres Of Disk Space)

A NIDS also needs to be pretty quick internally at doing its job. Snort's seen better days in that regard (when 1.5 came out the architecture was a lot cleaner) but it's still considered to be one of the performance leaders available.

As for OS selection, use what you like. When we implement Data Acquisition Plugins in Snort 2.0 this may become more of a factor, but for now I'm hearing about a lot of people seeing a lot of success using Snort on Solaris, Linux, *BSD and Windows 2000. Personally, I develop Snort on FreeBSD and Sourcefire uses OpenBSD for our sensor appliance OS, but I've been hearing some good things about the RedHat Turbo Packet interface (which would require mods for Snort to use, not to mention my general objection to RedHat's breaking stuff all the time).
---

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

--__--__--

End of Snort-users Digest
--
Susan Coulter
Network Security Team
CCN-5 Network Engineering
Los Alamos National Laboratory
voice: (505) 667-8425
fax: (505) 665-7793
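
Added example, not part of the original messages or of Snort itself: a small pre-deployment check for the mistake described in the reply above, a msg option whose value is not properly double-quoted. The function names, the set of options checked, and both sample rules are assumptions constructed for this illustration.

```python
import re

# Options checked here for a double-quoted value (assumed subset for this example).
QUOTED_OPTIONS = {"msg", "content", "uricontent"}
QUOTED_VALUE = re.compile(r'^!?\s*"(?:[^"\\]|\\.)*"$')

def split_options(body):
    """Split the option body on ';', skipping ';' inside quotes or after a backslash.
    Returns (options, ended_inside_quote)."""
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
            continue
        cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return [o for o in opts if o], in_quote

def lint_rule(rule):
    """Return a list of problems found in one rule's options (empty list = clean)."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return ["rule has no (...) option section"]
    opts, open_quote = split_options(rule[start + 1:end])
    problems = []
    for opt in opts:
        name, sep, value = opt.partition(":")
        name = name.strip()
        if sep and name in QUOTED_OPTIONS and not QUOTED_VALUE.match(value.strip()):
            problems.append(f"{name}: value is not a properly quoted string: {value.strip()[:30]!r}")
    if open_quote:
        problems.append("unbalanced double quote in option section")
    return problems

# Constructed sample rules; BAD drops the leading quote of msg, as in the message above.
GOOD = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Example rule"; content:"test"; sid:1000001;)'
BAD = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:BadRule"; content:"test"; sid:1000001;)'

if __name__ == "__main__":
    for rule in (GOOD, BAD):
        print(lint_rule(rule) or "ok")
```

Running it over a rules file before loading the rules catches the quoting error at edit time, before alerts are logged without a usable signature name.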