Snort mailing list archives

Cached Rule Files?


From: "Grime, Richard S" <richard.grime () imperial ac uk>
Date: Thu, 12 Jun 2003 11:52:48 +0100

Hi,

We've just been troubleshooting our snort installation - rules that were
commented out seemed to be being read by Snort.  E.g., we had:

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize: >4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:1;)

Yet this event was still appearing in the logs.  Checking the folder that
contained all the rules files revealed a bunch of files named like:

._config(xxx)_(rulesfile).rules

E.g. - ._config001_misc.rules

The files contained a verbatim copy of the named rules file, but without any
lines commented out.

When we removed these files, Snort behaved as expected.  Does anyone know
where these might've come from?  We're running Oinkmaster 0.6 to update
rules, but running this again doesn't seem to create ._config files.

Snort 2.0.0 running on Gentoo
Uname -a: Linux snort 2.5.53 #1 SMP Fri Jan 10 11:51:52 GMT 2003 i686
Pentium III (Coppermine) GenuineIntel GNU/Linux

Any ideas / thoughts much appreciated.

Cheers,

Richard
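
An added example, not part of the original post: a Python check that finds files in a rules directory matching the ._config<digits>_<rulesfile>.rules naming described above and reports which sids each one enables that are commented out in the named rules file. The function names and the second sample rule are constructed for illustration, and the check assumes one rule per line.

```python
import re
import tempfile
from pathlib import Path

# File-name pattern as described in the post: ._config<digits>_<rulesfile>.rules
SHADOW_RE = re.compile(r"^\._config\d+_(?P<target>.+\.rules)$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def sids(path):
    """Return (enabled, disabled) sid sets; assumes one rule per line."""
    enabled, disabled = set(), set()
    for line in Path(path).read_text(errors="replace").splitlines():
        match = SID_RE.search(line)
        if match:
            commented = line.lstrip().startswith("#")
            (disabled if commented else enabled).add(int(match.group(1)))
    return enabled, disabled

def audit_rules_dir(rules_dir):
    """Map each shadow copy to the sids it enables that the named file disables."""
    findings = {}
    for shadow in sorted(Path(rules_dir).iterdir()):
        match = SHADOW_RE.match(shadow.name)
        if not (match and shadow.is_file()):
            continue
        real = shadow.with_name(match.group("target"))
        shadow_enabled, _ = sids(shadow)
        real_disabled = sids(real)[1] if real.is_file() else set()
        findings[shadow.name] = sorted(shadow_enabled & real_disabled)
    return findings

def make_sample(rules_dir):
    """Write a constructed rules directory that reproduces the situation."""
    rule = ('alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP '
            'Packet"; dsize: >4000; reference:arachnids,247; '
            'classtype:bad-unknown; sid:521; rev:1;)\n')
    keep = 'alert tcp any any -> any any (msg:"constructed"; sid:1000001; rev:1;)\n'
    Path(rules_dir, "misc.rules").write_text("#" + rule + keep)
    Path(rules_dir, "._config001_misc.rules").write_text(rule + keep)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for name, reenabled in audit_rules_dir(tmp).items():
            print(f"{name}: enables sids disabled in the named file: {reenabled}")
```

Running a check like this after each rule update or package upgrade catches copies that would otherwise only be noticed when a disabled rule starts alerting again.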

