Snort mailing list archives

RE: Snort 2.0 rc1 Observations


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Fri, 28 Mar 2003 10:29:16 -0700

I also experienced the exact same issues along with the other that I
mentioned but nobody has responded on yet.

It appears that none of the "config" statements in snort.conf work with this
new rc1, such as:

config: disable_decode_alerts
config: disable_ttcp_alerts

Solution is:  take out the colon

config disable_decode_alerts
config disable_ttcp_alerts

The "config: disable_ipopt_alerts" statement does not seem to work with or
without the colon.

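As an added illustration (not part of the original thread), a small Python helper that applies the colon fix described above across a whole snort.conf, reporting each line it rewrote; the sample configuration fragment is constructed, and the helper cannot tell whether a directive such as disable_ipopt_alerts is actually honoured by rc1.

```python
import re

# Matches a 1.9-style "config: option" line (colon after the keyword),
# which the 2.0 rc1 parser does not accept.  Group 1 keeps the indentation
# and the keyword, group 2 the rest of the directive.
_COLON_CONFIG = re.compile(r"^(\s*config)\s*:\s*(\S.*)$")


def fix_config_directives(conf_text):
    """Rewrite 'config: x' lines as 'config x'.

    Returns (new_text, changes) where changes is a list of
    (line_number, old_line, new_line) tuples.  Comment lines and lines
    that already use the colon-less form are left untouched.
    """
    fixed_lines = []
    changes = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            fixed_lines.append(line)  # keep comments verbatim
            continue
        m = _COLON_CONFIG.match(line)
        if m:
            new_line = f"{m.group(1)} {m.group(2)}"
            changes.append((lineno, line, new_line))
            fixed_lines.append(new_line)
        else:
            fixed_lines.append(line)
    return "\n".join(fixed_lines), changes


# Constructed sample snort.conf fragment (not taken from the thread).
SAMPLE_CONF = """\
# decoder alert tuning
config: disable_decode_alerts
config:disable_ttcp_alerts
config disable_ipopt_alerts
output alert_syslog: LOG_AUTH LOG_ALERT
"""

if __name__ == "__main__":
    new_text, changes = fix_config_directives(SAMPLE_CONF)
    for lineno, old, new in changes:
        print(f"line {lineno}: {old!r} -> {new!r}")
    print(new_text)
```

Only lines beginning with the "config" keyword are touched, so colons elsewhere (for example in "output" plugin lines) are left alone.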

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, March 28, 2003 9:17 AM
To: Kenneth G. Arnold
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.0 rc1 Observations


On Fri, 28 Mar 2003, Kenneth G. Arnold wrote:

> Do the rules for 2.0 rc1 correspond to snortrules-current.tar.gz (Works
> for HEAD branch of CVS) on the snort site for future updating?

Not quite.  rc1 is from CVS HEAD, but -current is generated nightly.  rc1
was generated two-three days ago...  You may use those rules with no
issues, but...  Keep in mind the standard 'using bleeding edge CVS you may
get cut' rule.

> I can understand how the wrong rules would explain the first two
> situations.  Have the rules for writing passes to rules changed in this
> version?  Have the command line options changed for making the passes to
> be processed before the alerts?

Nope.  I don't think that's it.  -o still works fine on my test setup.
Which is why I think it's something else...  From your first email:

  3.  Once I did get Snort to start, I noticed that a lot of the rules
  that had pass rules for specific circumstances were starting to fire
  where they did not in version 1.9.1.

I'm going to guess you have pass rules that are using quite a few rule
options inside of each pass rule.  You may be using options that changed
from 1.9.x to 2.0.  Maybe some of these rules need some tweaking to be
used with 2.0 due to options changing.  Would you care to share a
sanitized example or two?

You may also want to look at the Changelog.  Tons of minor changes that
aren't listed in the release blurb are sprinkled in there.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

