Snort mailing list archives

"Unknown sensor"


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Sat, 8 Feb 2003 17:22:43 -0600

I'm running snort 1.90 (Build 290) on FreeBSD 4.7 with mysql 3.23.55 and
ACID .

Every time I restart snort, an "unknown" sensor appears.  From that
point on, all alerts are logged under that sensor, not the "real" one.
I had an unknown sensor that was sid 2, and I deleted it from the
database.  When I restarted snort today, this sid 3 showed up, and all
alerts to sid 1 stopped.

Here's the output from SELECT * FROM sensor; (I've obfuscated the real
hostname.  And this will probably be all fubar when posted, but I hope
it's legible enough to be helpful.)

mysql> SELECT * from sensor;
+-----+-----------------------------+-----------+--------+--------+----------+----------+
| sid | hostname                    | interface | filter | detail | encoding | last_cid |
+-----+-----------------------------+-----------+--------+--------+----------+----------+
|   1 | xxxxxxxxxx.utdallas.edu:xl0 | xl0       | NULL   |      1 |        0 |   670288 |
|   3 | unknown:xl0                 | xl0       | NULL   |      1 |        0 |    73833 |
+-----+-----------------------------+-----------+--------+--------+----------+----------+
2 rows in set (0.01 sec)

Can anyone tell me why this is happening?  Have I got something wrong in
snort.conf?  My.cnf?  Somewhere else?  This is a promiscuous, ip-less
interface.  The hostname is associated with the management interface,
not this one.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member 

