Re: Same config, FreeBSD vs OpenBSD, WAY different results

[twig les <twigles () yahoo com>]

Well it doesn't seem like a snort problem.  Unless the FBSD box
is waaaaay older than the OBSD box, I'd check the FBSD setup. 
Specifically the NIC/driver, maybe even the switch interface for
duplex problems or to make sure it's monitoring all the other
ports.

--- Jim Brown <jpb () sixshooter v6 thrupoint net> wrote:
> Hello list,
>
>
> Re: Version 2.0.2 (Build 92)
>
>
> The two systems listed have the same config:
>
> The OpenBSD system routinely logs more than 5000 entries while
> the FreeBSD system logs less than 600 entries.
>
> The two systems are on the same subnet.
>
> Can anyone tell me why OpenBSD logs far more snort entries
> with
> the same config???
>
> Thanks,
> jpb
> ===
>
> Sorted config follows:
>
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/chat.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/info.rules
> include $RULE_PATH/local.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/multimedia.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/p2p.rules
> include $RULE_PATH/policy.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/porn.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/shellcode.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/x11.rules
> include classification.config
> include reference.config
> output alert_syslog: LOG_AUTH LOG_INFO
> preprocessor bo
> preprocessor frag2
> preprocessor http_decode: 80 unicode iis_alt_unicode
> double_encode iis_flip_slash full_whitespace
> preprocessor portscan: $HOME_NET 4 65 portscan.log
> preprocessor rpc_decode: 111 32771
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor stream4_reassemble
> preprocessor telnet_decode
> var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> var DNS_SERVERS [192.xxx.yyy.a/32,192.xxx.yyy.b/32]
> var EXTERNAL_NET any
> var HOME_NET
[192.xxx.yyy.a/32,192.xxx.yyy.b/32,192.xxx.yyy.c/32,192.xxx.yyy.d/32,192.xxx.yyy.e/32,192.xxx.yyy.f/32]
> var HTTP_PORTS 80
> var HTTP_SERVERS
> [192.xxx.yyy.a/32,192.xxx.yyy.b/32,192.xxx.yyy.c/32]
> var ORACLE_PORTS yyy1
> var RULE_PATH /usr/local/etc/snort/rules
> var SHELLCODE_PORTS !80
> var SMTP_SERVERS
> [192.xxx.yyy.a/32,192.xxx.yyy.b/32,192.xxx.yyy.c/32]
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var TELNET_SERVERS [192.xxx.yyy.g/32]
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> SourceForge.net hosts over 70,000 Open Source Projects.
> See the people who have HELPED US provide better services:
> Click here: http://sourceforge.net/supporters.php
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Get a taste of Religion ... eat a priest!       
-----------------------------------------------------------

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users