Snort mailing list archives

Re: [Emerging-Sigs] VRT Release 2010-02-23 uses "detection_filter"


From: David Guimaraes <skysbsb () gmail com>
Date: Sat, 27 Mar 2010 21:19:27 -0300

Since March 25, my snort sensor stopped working. Verifying the cause of the
problem, I noticed that a new option (detection_filter) added to the current
version of Snort was used in some VRT rules that were automatically added to
my set of rules by oinkmaster.

Looking for a fix that would enable use of my snort 2.8.4.1 integrated with
SnortSam (which does not have a patch for the current version of snort), I
tried to solve the problem by adding the following line in oinkmaster.conf:

modifysid * "detection_filter\s*:" | "threshold:type threshold, "

After running oinkmaster again, everything was ok.

$ /etc/init.d/snort start
Starting Network Intrusion Detection System : snort (eth0 no
/etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).

On Fri, Feb 26, 2010 at 2:05 PM, evilghost () packetmail net <
evilghost () packetmail net> wrote:

While it is in poor taste to reply to my own message, in this case it's
necessary.  For those who have elected to upgrade or are planning to
upgrade to 2.8.5.3 as a result of the VRT rule changes please be advised
that the -L flag does not work in 2.8.5.3.  Evidently this is a known
issue (I did report it to the team) and has been resolved in 2.8.6 RC.
There is no "known bugs" listing/document in 2.8.5.3, instead, this bug
is identified and corrected in 2.8.6 RC change log.

In my environment this caused some havoc as the -L flag was used to
separate logging for multiple BPF flow-pinned instances.  The -L flag is
ignored and all files log to snort.log.{epoch}.  There could be file
contention and clobbering as multiple instances attempt to write to the
same file; I have not investigated this further to see if this is indeed
the case.

I used the -l flag to dump the files into a separate directory using the
same naming convention as the now defunct -L flag used.

-evilghost

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
David Gomes Guimarães
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
