Re: Question regarding creating rules in Snortcenter ...

["AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>]

--On 12 February 2004 09:33 -0800 Michael Chapman 
<MChapman () ascentmedia com> wrote:

> This is on RedHat 9.0, with Snort 2.0.6 and the usual complement of MySQL
> and ACID.  The rules I am trying to create using the interface in
> Snortcenter don't seem to be active or locatable, for that matter.  Bear
> with my ignorance here, but I thought that these rules would normally get
> put into the local.rules file

or 'Unknown Catagory' [sic].

> , yet no entries appear there when I create
> a rule.  I do see them in the Snortcenter interface when I look at the
> rules, which leads me to believe that the rules are in the SQL database.
> Is this a correct assumption?  If so, are the Snortcenter interface
> and/or direct MySQL intervention the only ways to verify that a rule is
> there?  Secondly, if the rule does exist, why am I not seeing hits for
> it?
>
>
>
> For example, I created a rule which just does nothing but alert on TCP
> 8987 (a port that only I am using for an app.)  I can clearly see other
> traffic to and from the host that has that port active, but I do not see
> any alerts.  I have activated the rule per the instructions on the
> Snortcenter site, with green lights all around.

Sensor Config->Rules Selection, yes?

> Am I being ignorant, or is there something I'm missing?  If I should just
> re-RTFM, then please say so!

Do the extra rules appear in a policy preview?

Have you push'ed the policy to the sensor?

Is the policy successfully uploaded according to Snortcenter?

Is the new snort.ethx.conf file present on the sensor? Does it contain your 
new rules?

Have you reloaded/restarted Snort?

If you're using barnyard or mudpit, have you regenerated the .maps and 
classification.cfg, and restarted those?

> Thanks in advance!
> Michael

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users