Snort mailing list archives
Re: Anybody had this error? (John Ceballos)
From: "John Ceballos-contr" <John.Ceballos-contr () TRW COM>
Date: Wed, 16 Feb 2005 10:03:04 -0500
Thanks all for the help! Your advice about the snort.conf did the trick. Talk to you all later!
snort-users-request () lists sourceforge net 2/15/2005 5:23:51 PM >>>
Send Snort-users mailing list submissions to
snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net
You can reach the person managing the list at
snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."
Today's Topics:
1. RE: Stealth interface (Willy, Andrew)
2. RE: Stealth interface (Bob Konigsberg)
3. [Snort] Followup to "Looking to update rules" (Bob Konigsberg)
4. Sensors and alerts stop showing up in ACID (Bristol, Gary L.)
5. Re: Anybody had this error? (Edin Dizdarevic)
6. RE: Sensors and alerts stop showing up in ACID (Chris Vaughan)
7. RE: Sensors and alerts stop showing up in ACID (Bristol, Gary L.)
--__--__--
Message: 1
From: "Willy, Andrew" <AWilly () eSMIL net>
To: 'Bob Konigsberg' <bobkberg () networkeval com>,
snort-users () lists sourceforge net
Subject: RE: [Snort-users] Stealth interface
Date: Tue, 15 Feb 2005 13:13:13 -0700
Does an interface without an IP address qualify as a stealth interface or is there more to it?
Andrew
-----Original Message-----
From: Bob Konigsberg [mailto:bobkberg () networkeval com]
Sent: Tuesday, February 15, 2005 12:59 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Stealth interface
The basic purpose of the stealth interface is to prevent an attacker from knowing that you've got a monitoring box present.
Typically, you'd have two or more interfaces, and the one you "talk" to with an IP address would not even be on the same network as the stealth interface.
Bob
_____
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Willy, Andrew
Sent: Tuesday, February 15, 2005 11:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Stealth interface
Hello,
Would any of you mind explaining the need for, the setup, and the application of a stealth interface on an IDS box? I'm new to Snort and ID as a whole. Google returned interesting but seemingly incomplete information on the subject.
Thanks
Andrew
NOTICE OF CONFIDENTIALITY-The information in this email, including attachments, may be confidential and/or privileged and may contain confidential health information. This email is intended to be reviewed only by the individual or organization named as addressee. If you have received this email in error please notify Scottsdale Medical Imaging, an affiliate of Southwest Diagnostic Imaging, LTD immediately - by return message to the sender or to support () esmil com - and destroy all copies of this message and any attachments. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Scottsdale Medical Imaging. Confidential health information is protected by state and federal law, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 and related regulations.
--__--__--
Message: 2
From: "Bob Konigsberg" <bobkberg () networkeval com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Stealth interface
Date: Tue, 15 Feb 2005 12:14:00 -0800
That's a good place to start.
One additional thing that some people do is to cut the transmit pair (or never connect them) so that the interface cannot be seen at all by other network hardware.
Bob
_____
From: Willy, Andrew [mailto:AWilly () eSMIL net]
Sent: Tuesday, February 15, 2005 12:13 PM
To: 'Bob Konigsberg'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Stealth interface
Does an interface without an IP address qualify as a stealth interface or is there more to it?
Andrew
-----Original Message-----
From: Bob Konigsberg [mailto:bobkberg () networkeval com]
Sent: Tuesday, February 15, 2005 12:59 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Stealth interface
The basic purpose of the stealth interface is to prevent an attacker from knowing that you've got a monitoring box present.
Typically, you'd have two or more interfaces, and the one you "talk" to with an IP address would not even be on the same network as the stealth interface.
Bob
_____
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Willy, Andrew
Sent: Tuesday, February 15, 2005 11:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Stealth interface
Hello,
Would any of you mind explaining the need for, the setup, and the application of a stealth interface on an IDS box? I'm new to Snort and ID as a whole. Google returned interesting but seemingly incomplete information on the subject.
Thanks
Andrew
--__--__--
Message: 3
From: "Bob Konigsberg" <bobkberg () networkeval com>
To: <snort-users () lists sourceforge net>
Date: Tue, 15 Feb 2005 12:30:27 -0800
Subject: [Snort-users] [Snort] Followup to "Looking to update rules"
First of all - Thank you to all of you who wrote with helpful suggestions. I finally have this working.
Second, since nobody wanted any money for doing this, then I'll donate the $75 to the Free Software Foundation. It's worth it to me since this is part of a for-profit effort, and I feel that value received ought to be properly acknowledged.
Third, I'll polish up the combined efforts of all you kind folks, and make it available on my web site as a PDF. If anyone is interested in proof reading or keystroking it (testing the instructions), please reply privately. I don't know when I'll get to this, but sometime in the next month or two.
Bob
--__--__--
Message: 4
Date: Tue, 15 Feb 2005 15:35:19 -0600
From: "Bristol, Gary L." <gbristol () ou edu>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Sensors and alerts stop showing up in ACID
I recently updated my sensors to snort 2.3.0.
The problem I'm seeing on two different databases is that one of the sensors' alerts and information shows up just fine but the other one, even though it's listed in the sensor table doesn't show as being there in the ACID page of sensors and no alerts from this sensor are showing up.
On one database I completely removed the Snort db and recreated it from scratch, same problem, one sensor and its alerts show up, the other doesn't.
--__--__--
Message: 5
Date: Tue, 15 Feb 2005 22:38:12 +0100
From: Edin Dizdarevic <Edin.Dizdarevic () interActive-Systems de>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Anybody had this error?
Hi,
look at your snort.conf for a rule type you have defined there and remove it.
Regards,
Edin
John Ceballos-contr wrote:
Hello all!
:::
ERROR: ruletype redalert does not exist or has already been ordered.
...
--
Edin Dizdarevic
--__--__--
Message: 6
Subject: RE: [Snort-users] Sensors and alerts stop showing up in ACID
Date: Tue, 15 Feb 2005 17:15:21 -0500
From: "Chris Vaughan" <chrisv () parkavebank com>
To: "Bristol, Gary L." <gbristol () ou edu>,
<snort-users () lists sourceforge net>
Are you sure that in your barnyard.conf you are logging with two different sensor_ids?
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bristol, Gary L.
Sent: Tuesday, February 15, 2005 4:35 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Sensors and alerts stop showing up in ACID
I recently updated my sensors to snort 2.3.0.
The problem I'm seeing on two different databases is that one of the sensors' alerts and information shows up just fine but the other one, even though it's listed in the sensor table doesn't show as being there in the ACID page of sensors and no alerts from this sensor are showing up.
On one database I completely removed the Snort db and recreated it from scratch, same problem, one sensor and its alerts show up, the other doesn't.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__--
Message: 7
Subject: RE: [Snort-users] Sensors and alerts stop showing up in ACID
Date: Tue, 15 Feb 2005 16:22:44 -0600
From: "Bristol, Gary L." <gbristol () ou edu>
To: "Chris Vaughan" <chrisv () parkavebank com>,
<snort-users () lists sourceforge net>
Not using Barnyard for the output.
The Sensor_id entry is in the Sensor Table of the Snort DB.
This is information from two different sensors to a central DB that worked previously to upgrading to 2.3.0, although that might not be the problem, since I had been using it for about a week.
It seemed to stop working after a signature upgrade, last week.
-----Original Message-----
From: Chris Vaughan [mailto:chrisv () parkavebank com]
Sent: Tuesday, February 15, 2005 4:15 PM
To: Bristol, Gary L.; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Sensors and alerts stop showing up in ACID
Are you sure that in your barnyard.conf you are logging with two different sensor_ids?
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bristol, Gary L.
Sent: Tuesday, February 15, 2005 4:35 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Sensors and alerts stop showing up in ACID
I recently updated my sensors to snort 2.3.0.
The problem I'm seeing on two different databases is that one of the sensors' alerts and information shows up just fine but the other one, even though it's listed in the sensor table doesn't show as being there in the ACID page of sensors and no alerts from this sensor are showing up.
On one database I completely removed the Snort db and recreated it from scratch, same problem, one sensor and its alerts show up, the other doesn't.
--__--__--
End of Snort-users Digest
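A pre-flight check for the two conditions named by the error quoted in message 5 (`ruletype redalert does not exist or has already been ordered`), added here as an example; it is not code from the thread or from Snort. It assumes Snort 2.x `ruletype NAME { ... }` and `config order:` syntax, the built-in type list shown in the code, and a constructed sample config; `audit_ruletypes` is a hypothetical helper name. It also flags rules that still use a removed ruletype as their action, the follow-on case to check after deleting a declaration.

```python
import re

# Assumption: built-in rule types of a non-inline Snort 2.x build.
BUILTIN_TYPES = ("alert", "log", "pass", "activation", "dynamic")

RULETYPE_RE = re.compile(r"^ruletype\s+(\w+)")
ORDER_RE = re.compile(r"^config\s+order\s*:\s*(.*)$")
# Head of a rule: action, protocol, source address, source port, direction.
RULE_RE = re.compile(r"^(\w+)\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s")


def audit_ruletypes(conf_text, builtin=BUILTIN_TYPES):
    """Return (line_no, problem) tuples for ruletype/order mismatches."""
    declared = {}      # custom ruletype name -> line of its declaration
    order_lines = []   # (line_no, [names]) per 'config order:' directive
    rule_actions = []  # (line_no, action) per rule head
    findings = []

    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        m = RULETYPE_RE.match(line)
        if m:
            name = m.group(1)
            if name in declared:
                findings.append((line_no, f"ruletype {name} declared twice"))
            declared[name] = line_no
            continue
        m = ORDER_RE.match(line)
        if m:
            order_lines.append((line_no, m.group(1).replace(",", " ").split()))
            continue
        m = RULE_RE.match(line)
        if m:
            rule_actions.append((line_no, m.group(1)))

    known = set(builtin) | set(declared)

    # The two halves of the error text: unknown name, or name listed twice.
    for line_no, names in order_lines:
        seen = set()
        for name in names:
            if name not in known:
                findings.append((line_no, f"ruletype {name} does not exist"))
            elif name in seen:
                findings.append(
                    (line_no, f"ruletype {name} has already been ordered"))
            seen.add(name)

    # Rules left behind after a ruletype declaration was deleted.
    for line_no, action in rule_actions:
        if action not in known:
            findings.append(
                (line_no, f"rule action {action} has no matching ruletype"))
    return findings


# Constructed sample, not taken from the thread.
SAMPLE_CONF = """\
# constructed sample, not taken from the thread
var HOME_NET any
ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}
# ruletype redalert was removed here, but the order line still names it
config order: pass activation dynamic alert log suspicious redalert alert
redalert tcp any any -> $HOME_NET 23 (msg:"constructed rule"; sid:1000001;)
"""

if __name__ == "__main__":
    for line_no, problem in audit_ruletypes(SAMPLE_CONF):
        print(f"snort.conf:{line_no}: {problem}")
```

The check treats the file as a whole and does not model where in snort.conf a directive must appear or any ordering passed on the command line.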
