Snort mailing list archives
Re: [Emerging-Sigs] VRT Release 2010-02-23 uses "detection_filter"
From: David Guimaraes <skysbsb () gmail com>
Date: Sat, 27 Mar 2010 21:19:27 -0300
Since March 25, my snort sensor stopped working. Verifying the cause of the problem, I noticed that a new option (detection_filter) added to the current version of Snort was used in some VRT rules that were automatically added to my set of rules by oinkmaster. Looking for a fix that would enable me to use my snort 2.8.4.1 integrated with SnortSam (which does not have a patch for the current version of snort), I tried to solve the problem by adding the following line in oinkmaster.conf:

    modifysid * "detection_filter\s*:" | "threshold:type threshold, "

After running oinkmaster again, everything was ok..

    $ /etc/init.d/snort start
    Starting Network Intrusion Detection System : snort (eth0 no /etc/snort/snort.eth0.conf found, defaulting to snort.conf ...done).

On Fri, Feb 26, 2010 at 2:05 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:
While it is in poor taste to reply to my own message, in this case it's necessary. For those who have elected to upgrade or are planning to upgrade to 2.8.5.3 as a result of the VRT rule changes please be advised that the -L flag does not work in 2.8.5.3. Evidently this is a known issue (I did report it to the team) and has been resolved in 2.8.6 RC. There is no "known bugs" listing/document in 2.8.5.3, instead, this bug is identified and corrected in 2.8.6 RC change log.

In my environment this caused some havoc as the -L flag was used to separate logging for multiple BPF flow-pinned instances. The -L flag is ignored and all files log to snort.log.{epoch}. There could be file contention and clobbering as multiple instances attempt to write to the same file; I have not investigated this further to see if this is indeed the case. I used the -l flag to dump the files into a separate directory using the same naming convention as the now defunct -L flag used.

-evilghost

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
-- David Gomes Guimarães
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
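As an added example (not part of the post, and not oinkmaster's own code), the following Python script does two things a sensor admin would want when applying the workaround above: it decides from the installed Snort version whether the rewrite is needed at all (detection_filter is first accepted by Snort 2.8.5, the release line evilghost upgraded to), and it applies the same regex substitution as the modifysid line to a rules file while recording which SIDs it touched. The sample rules, SIDs and function names are constructed for the example.

```python
import re
import sys

# Constructed sample rules for the example; these are not real VRT signatures.
# Rule 1 uses detection_filter (rejected by Snort 2.8.4.1), rule 2 already uses
# the older threshold option, rule 3 uses neither.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh login rate"; flow:to_server; detection_filter: track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE already thresholded"; threshold:type threshold, track by_src, count 10, seconds 60; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE plain rule"; sid:1000003; rev:1;)
"""

# First Snort release that understands the detection_filter rule option.
DETECTION_FILTER_MIN_VERSION = (2, 8, 5)

# Same pattern and replacement as the oinkmaster line in the post:
#   modifysid * "detection_filter\s*:" | "threshold:type threshold, "
# The original space after the colon survives, giving "threshold, <sp><sp>track";
# Snort's option parser strips surrounding whitespace, so that is harmless.
DETECTION_FILTER_RE = re.compile(r"detection_filter\s*:")
REPLACEMENT = "threshold:type threshold, "

# Pulls the sid out of a rule line so changes can be reported per signature.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_version(version):
    """Turn '2.8.4.1' into (2, 8, 4, 1) for tuple comparison."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_workaround(version):
    """True when this Snort is too old to parse detection_filter."""
    return parse_version(version) < DETECTION_FILTER_MIN_VERSION


def rewrite_rules(text):
    """Apply the modifysid substitution to every rule line.

    Returns (rewritten_text, changed_sids); changed_sids lists the sid of each
    rule that was altered (None if a changed line carried no sid).
    """
    out = []
    changed = []
    for line in text.splitlines():
        new_line, count = DETECTION_FILTER_RE.subn(REPLACEMENT, line)
        if count:
            match = SID_RE.search(line)
            changed.append(int(match.group(1)) if match else None)
        out.append(new_line)
    return "\n".join(out) + "\n", changed


def main(argv):
    # Usage: rewrite_df.py <snort-version> [rules-file]; without a file the
    # constructed sample rules are used.
    version = argv[1] if len(argv) > 1 else "2.8.4.1"
    if not needs_workaround(version):
        print("Snort %s accepts detection_filter; no rewrite needed." % version)
        return 0
    if len(argv) > 2:
        with open(argv[2]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULES
    rewritten, sids = rewrite_rules(text)
    print("Rewrote detection_filter -> threshold in %d rule(s): %s" % (len(sids), sids))
    sys.stdout.write(rewritten)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the list of changed SIDs is the useful part: those rules now run under the older threshold option rather than detection_filter, so they are the ones to re-check once the sensor is upgraded and oinkmaster stops rewriting them.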
Current thread:
- VRT Release 2010-02-23 uses "detection_filter" evilghost () packetmail net (Feb 24)
- Re: VRT Release 2010-02-23 uses "detection_filter" Matt Olney (Feb 24)
- Re: VRT Release 2010-02-23 uses "detection_filter" evilghost () packetmail net (Feb 24)
- Re: VRT Release 2010-02-23 uses "detection_filter" Nigel Houghton (Feb 24)
- Re: VRT Release 2010-02-23 uses "detection_filter" evilghost () packetmail net (Feb 26)
- Re: [Emerging-Sigs] VRT Release 2010-02-23 uses "detection_filter" David Guimaraes (Mar 27)
- Re: VRT Release 2010-02-23 uses "detection_filter" evilghost () packetmail net (Feb 24)
- Re: VRT Release 2010-02-23 uses "detection_filter" Jeff Kell (Feb 24)
- Re: VRT Release 2010-02-23 uses "detection_filter" Matt Olney (Feb 24)
- Re: VRT Release 2010-02-23 uses "detection_filter" Sandro guly Zaccarini (Feb 24)