Snort mailing list archives
Re:Snort-1.8.7 detection problems
From: chae <chae () hyper net nz>
Date: Tue, 23 Jul 2002 15:21:25 +1200
Hi Yah Chris, Cobalt RaQ3 and yes same behavior. What I did last night was completely remove all traces of snort 8.1.7.i386 from the server and started afresh again.
This time with 1.8.7 all I got was netmask errors <sigh> nothing has changed in that respect since I got the server and it's never been changed or modified in the snort.conf and in the snortd it was being called correctly as INTERFACE=eth0. Anyway tried again and this time I was getting PCAP & MTU error - so I gave up after that.
What I then did was work my way up through the different versions of the rpm's till I got to a version that wouldn't work, got as far as version 1.8.4 before retiring to bed...checked the logs this morning and version 1.8.4 is working as it should be - yahooo.
As there's no rpm for version 1.8.6 I can't try that out so I might do a manual install from the tarball.
But to answer your question what I was seeing was with an old version 1.8.1 when the rulesets were updated all snort reported on was ICMP, Virus and ICMP TTL's yet before it was working fine. So upgraded to 1.8.7 got that going and it was reporting the same. Now I have 1.8.4 installed and it's working fine with the latest rulesets.
Regards
Chae
=========================
> Hi Yah,
>
> Wojtek stated...
>
> "..Compilation, etc, seem to be ok. There's no different version of
> pcap. Effect is that i get only icmp (not firewall problem) captured
> packets. I can say that my previous version of snort had no problems
> with tcp/icmp, but was similar problem with udp. This is not a problem
> of sql too, because normal logging give the same. This is strange for
> me that every version of snort has problems in my case with capturing
> specific protocol. Any ideas will be appreciated."
>
> This is the same problem I've been plagued with, even after numerous
> reinstalls, force installs and using the latest rule sets etc.
>
> I'd appreciate any suggestions also.

OS Version? Do you see the same behavior from tcpdump?
--
Chris Green <cmg () sourcefire com>
Eschew obfuscation.
Current thread:
- Snort-1.8.7 detection problems Wojtek Sobola (Jul 20)
- <Possible follow-ups>
- RE: Snort-1.8.7 detection problems chae (Jul 20)
- Re: RE: Snort-1.8.7 detection problems Chris Green (Jul 22)
- Re:Snort-1.8.7 detection problems chae (Jul 22)
- Re: RE: Snort-1.8.7 detection problems Chris Green (Jul 22)
- Re: Snort-1.8.7 detection problems Wojciech Sobola (Jul 22)