Snort mailing list archives
RE: snort warnings
From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: 06 Aug 2003 14:03:28 -0700
Would it be possible to try to fix this problem (symptom?) by dumping the duplicate entries from the signature table?
tried it :-(
I think we need input from more experienced snorters (but in the absence of that, I suppose I would create a new test snort db on your database machine and have knox3 log to it, and go from there).
I initially just tried running "truncate tablename;" on everything I thought was being affected, as I suspected something similar. When that didn't work I ran "dropdb snort" and deleted the whole kit 'n' kaboodle and started over from scratch and recreated the whole damn db, and guess what? same thing :-/ only not so often now, maybe it will pick back up as more entries are made.

I even tarred up the snort 2.0.0 from the original build (with all the make files still there) scp'd it over to the new snort box and ran a make install. I checked the version and verified that it was 2.0.0 that I was using (although I now seriously doubt it had anything to do with 2.0.1) and ran

snort -o -b -l /var/www/htdocs/snort/fxp1 -D -i fxp1 -c /usr/local/share/snort/fxp1.conf -q

and here's the output from that...

#
Aug 6 13:48:40 knox3 snort: Initializing daemon mode
Aug 6 13:48:40 knox3 snort: PID path stat checked out ok, PID path set to /var/run/
Aug 6 13:48:40 knox3 snort: Writing PID "4479" to file "/var/run//snort_fxp1.pid"
Aug 6 13:48:40 knox3 snort: http_decode arguments:
Aug 6 13:48:40 knox3 snort: Unicode decoding
Aug 6 13:48:40 knox3 snort: IIS alternate Unicode decoding
Aug 6 13:48:40 knox3 snort: IIS double encoding vuln
Aug 6 13:48:40 knox3 snort: Flip backslash to slash
Aug 6 13:48:40 knox3 snort: Include additional whitespace separators
Aug 6 13:48:40 knox3 snort: Ports to decode http on: 80
Aug 6 13:48:40 knox3 snort: rpc_decode arguments:
Aug 6 13:48:40 knox3 snort: Ports to decode RPC on: 111 32771
Aug 6 13:48:40 knox3 snort: alert_fragments: INACTIVE
Aug 6 13:48:40 knox3 snort: alert_large_fragments: ACTIVE
Aug 6 13:48:40 knox3 snort: alert_incomplete: ACTIVE
Aug 6 13:48:40 knox3 snort: alert_multiple_requests: ACTIVE
Aug 6 13:48:40 knox3 snort: telnet_decode arguments:
Aug 6 13:48:40 knox3 snort: Ports to decode telnet on: 21 23 25 119
Aug 6 13:48:41 knox3 snort: Snort initialization completed successfully

--Bryan