Snort mailing list archives
Cached Rule Files?
From: "Grime, Richard S" <richard.grime () imperial ac uk>
Date: Thu, 12 Jun 2003 11:52:48 +0100
Hi,

We've just been troubleshooting our snort installation - rules that were commented out seemed to be being read by Snort. E.g., we had:

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize: >4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:1;)

Yet this event was still appearing in the logs.

Checking the folder that contained all the rules files revealed a bunch of files named like:

._config(xxx)_(rulesfile).rules

E.g. - ._config001_misc.rules

The files contained a verbatim copy of the named rules file, but without any lines commented out. When we removed these files, Snort behaved as expected.

Does anyone know where these might've come from? We're running Oinkmaster 0.6 to update rules, but running this again doesn't seem to create ._config files.

Snort 2.0.0 running on Gentoo

Uname -a:
Linux snort 2.5.53 #1 SMP Fri Jan 10 11:51:52 GMT 2003 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux

Any ideas / thoughts much appreciated.

Cheers,
Richard
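A check for the situation described in the message above, as an added example that is not part of the original post: it scans a rules directory for files matching the ._config(xxx)_(rulesfile).rules pattern and reports which sids each copy has active while the named rules file has them commented out. The function names and the sample directory are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Pattern from the post: ._config(xxx)_(rulesfile).rules, e.g. ._config001_misc.rules
STRAY = re.compile(r"^\._config(\d+)_(.+\.rules)$")
SID = re.compile(r"\bsid:\s*(\d+)\s*;")

def sids(path):
    """Return (active, commented_out) sets of sids found in a rules file."""
    active, disabled = set(), set()
    for line in path.read_text(errors="replace").splitlines():
        text = line.strip()
        m = SID.search(text)
        if not m:
            continue
        (disabled if text.startswith("#") else active).add(int(m.group(1)))
    return active, disabled

def audit(rules_dir):
    """Map each stray copy to the sids it enables that the named file disables."""
    findings = {}
    for stray in sorted(Path(rules_dir).iterdir()):
        m = STRAY.match(stray.name)
        if not m:
            continue
        named = stray.with_name(m.group(2))
        stray_active, _ = sids(stray)
        disabled = sids(named)[1] if named.is_file() else set()
        findings[stray.name] = sorted(stray_active & disabled)
    return findings

def demo():
    """Build a constructed rules directory mirroring the post and audit it."""
    rule = ('alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; '
            'dsize: >4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:1;)')
    with tempfile.TemporaryDirectory() as d:
        Path(d, "misc.rules").write_text("#" + rule + "\n")
        Path(d, "._config001_misc.rules").write_text(rule + "\n")
        return audit(d)

if __name__ == "__main__":
    for name, re_enabled in demo().items():
        print(f"{name}: re-enables sids {re_enabled}")
```

A stray copy whose named file is missing is still listed, with an empty sid list, so it can be reviewed by hand.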