Snort mailing list archives
Re: Question regarding creating rules in Snortcenter ...
From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Thu, 25 Mar 2004 11:41:11 +0000
--On 12 February 2004 09:33 -0800 Michael Chapman <MChapman () ascentmedia com> wrote:
> This is on RedHat 9.0, with Snort 2.0.6 and the usual complement of MySQL and ACID. The rules I am trying to create using the interface in Snortcenter don't seem to be active or locatable, for that matter. Bear with my ignorance here, but I thought that these rules would normally get put into the local.rules file

or 'Unknown Catagory' [sic].

> , yet no entries appear there when I create a rule. I do see them in the Snortcenter interface when I look at the rules, which leads me to believe that the rules are in the SQL database. Is this a correct assumption? If so, are the Snortcenter interface and/or direct MySQL intervention the only ways to verify that a rule is there? Secondly, if the rule does exist, why am I not seeing hits for it? For example, I created a rule which just does nothing but alert on TCP 8987 (a port that only I am using for an app.) I can clearly see other traffic to and from the host that has that port active, but I do not see any alerts. I have activated the rule per the instructions on the Snortcenter site, with green lights all around.
Sensor Config->Rules Selection, yes?
> Am I being ignorant, or is there something I'm missing? If I should just re-RTFM, then please say so!
Do the extra rules appear in a policy preview? Have you push'ed the policy to the sensor? Is the policy successfully uploaded according to Snortcenter? Is the new snort.ethx.conf file present on the sensor? Does it contain your new rules?

Have you reloaded/restarted Snort? If you're using barnyard or mudpit, have you regenerated the .maps and classification.cfg, and restarted those?
> Thanks in advance! Michael
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
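One way to walk the sensor-side half of the checklist above from a shell on the sensor, as an added example that is not part of this thread: it confirms the pushed config exists, carries an alert rule for the port in question, and that the rule's sid made it into the regenerated sid-msg.map that barnyard reads. The file names snort.eth0.conf and sid-msg.map, the sample rules and the map contents are constructed for the example.

```shell
# check_rule_deployed CONF SIDMAP PORT
# Prints the sid of the first "alert tcp ... PORT (...)" rule in CONF when every
# step passes; otherwise reports the first failing step on stderr and returns a
# distinct exit code (1 = config missing, 2 = rule missing, 3 = rule has no sid,
# 4 = sid not in the map, i.e. .maps were not regenerated after the push).
check_rule_deployed() {
    conf="$1"; sidmap="$2"; port="$3"
    [ -f "$conf" ] || { echo "step 1: $conf not on sensor (policy not pushed?)" >&2; return 1; }
    # Rule header is "action proto src sport dir dst dport (options)"; match the dport.
    rule=$(grep -E "^alert[[:space:]]+tcp[[:space:]].*[[:space:]]${port}[[:space:]]*\(" "$conf" | head -n 1)
    [ -n "$rule" ] || { echo "step 2: no alert tcp rule for port $port in $conf" >&2; return 2; }
    sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$sid" ] || { echo "step 3: rule has no sid, barnyard cannot map it" >&2; return 3; }
    # sid-msg.map lines look like "sid || message"
    grep -E "^${sid}[[:space:]]*\|\|" "$sidmap" >/dev/null 2>&1 \
        || { echo "step 4: sid $sid missing from $sidmap (regenerate maps, restart barnyard)" >&2; return 4; }
    printf '%s\n' "$sid"
}

# make_sample_sensor DIR -- constructed sample files standing in for what
# Snortcenter pushes; not real sensor output.
make_sample_sensor() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/snort.eth0.conf" <<'EOF'
var HOME_NET 192.168.1.0/24
preprocessor stream4: detect_scans
alert tcp any any -> $HOME_NET 8987 (msg:"LOCAL app port 8987"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL ssh"; sid:1000002; rev:1;)
EOF
    # A stale map: regenerated before the 8987 rule was added, so only sid 1000002 is listed.
    cat > "$dir/sid-msg.map" <<'EOF'
1000002 || LOCAL ssh
EOF
}

# usage: make_sample_sensor /tmp/sensor
#        check_rule_deployed /tmp/sensor/snort.eth0.conf /tmp/sensor/sid-msg.map 8987
```

With the constructed files, port 22 passes and prints 1000002, while port 8987 stops at step 4, which is the "regenerated the .maps?" question from the checklist.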