Snort mailing list archives

Upgrading Rules Not Working and Now Totally Confused...


From: Chae <chae () hyper net nz>
Date: Thu, 08 Aug 2002 14:22:37 +1200

Hi Yah,

Right, a while back I upgraded to 1.8.7 and it was giving grief on a Cobalt RaQ3.

Worked my way back through the various rpms and found 1.8.4 worked as well as the original version 1.8.1.

Now snort has been doing its thing quite nicely for the last two weeks. I then decided to update the rule set (fingers and toes were crossed).

Installed the latest rules and modified the snort.conf to reflect the 1.8.4 snort.conf, ran snort for a few days and all it would report back on was ICMP & virus results. Okay, same problem as before; replaced the rules with the previous ruleset and snort.conf and it's been running okay again.

Why won't the new rule set run with version 1.8.4? The biggest difference between the 1.8.4 & the 1.8.7 snort.conf is in section one: var HTTP_PORTS 80 & var ORACLE_PORTS 1521

So to recap...

using 1.8.4 with the 1.8.4 ruleset and snort.conf works okay & reports okay

using 1.8.4 with the latest ruleset & snort.conf, it only reports on ICMPs & virus attacks, nothing else

copy the 1.8.4 ruleset back and the 1.8.4 snort.conf and it works and reports again

use the latest ruleset with the 1.8.4 snort.conf and a large number of errors come from the rules stating can't find port or wrong port, and snort doesn't run.

On the latest rule set the snort.conf has only had the var HOME_NET and the preprocessor portscan-ignorehosts changed, the logging method changed, and the WIN IIS & Cold Fusion rulesets commented out. Those variables were the same as those in the 1.8.4 conf; nothing else was changed.

Regards

Chae
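
Added example (not part of the original message and not code from the Snort project): a check that every `$VARIABLE` used in a rule header is defined by a `var` line in snort.conf, which is one thing to verify when a newer ruleset is paired with an older snort.conf. The function names and the sample config and rules are constructed for illustration, and undefined variables being the cause of the errors above is an assumption.

```python
import re

# 'var NAME value' at the start of a line; a commented-out '# var ...' does not match.
VAR_DEF = re.compile(r"^[ \t]*var[ \t]+(\w+)[ \t]+\S", re.M)
# $NAME or $(NAME...) as used in rule headers.
VAR_REF = re.compile(r"\$\(?([A-Za-z_]\w*)")

def defined_vars(conf_text):
    """Names set by active 'var' lines in snort.conf."""
    return set(VAR_DEF.findall(conf_text))

def referenced_vars(rules_text):
    """Map each variable used in a rule header to the rule-file lines using it."""
    refs = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Variables live in the header, before the option list; a '$' inside
        # content:"..." is literal payload text and must not be counted.
        header = re.split(r"(?<!\$)\(", line, maxsplit=1)[0]
        for name in VAR_REF.findall(header):
            refs.setdefault(name, []).append(lineno)
    return refs

def undefined_vars(conf_text, rules_text):
    """Variables the rules need but the config never defines."""
    known = defined_vars(conf_text)
    return {n: l for n, l in referenced_vars(rules_text).items() if n not in known}

# Constructed sample: an older-style config without the two port variables.
CONF = """\
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
# var HTTP_PORTS 80
"""
# Constructed sample rules in the style of a newer ruleset.
RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed ICMP"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed web"; content:"$x"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"constructed Oracle"; sid:1000003;)
"""

if __name__ == "__main__":
    for name, lines in sorted(undefined_vars(CONF, RULES).items()):
        print(f"${name} is not defined in snort.conf (rule lines {lines})")
```

To run it against a real installation, pass the contents of snort.conf and of each included `.rules` file to `undefined_vars` in place of the constructed strings.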



