Snort mailing list archives
Re: Bizarre signature
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 21 Jul 2010 10:33:39 -0600
Hi,

If you are using pulledpork, it might have caused this... since it doesn't download both the snort rules and emerging threats rules with one config, you have to specify one of the rules files as "local rules" for it to include them in the sid-msg.map. At least that is my understanding, and this is working for me.

Here's the relevant stuff from my ET pulledpork config:

base_url=http://emergingthreats.net/rules
rule_file=emerging.rules.tar.gz
rule_path=/etc/snort/rules/emerging.rules
local_rules=/etc/snort/rules/snort.rules,/etc/snort/rules/local.rules

-----Original Message-----
From: Kun, Mike [mailto:mkun () akamai com]
Sent: Wednesday, July 21, 2010 7:39 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Bizarre signature

I'm starting to see alerts in BASE like

Snort Alert [1:2001034:0]

I have no local rules with SIDs anywhere near that value and clicking on the snort link takes me to a 404 page. Grep-ing the snort.rules files doesn't show that sid anywhere.

Has anyone seen this before?

-Mike

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
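An added example, not part of the thread and not pulledpork's own code: a check that takes an unnamed alert label like the one quoted above, finds which rule file defines that SID, and reports whether sid-msg.map has an entry for it. The function names, the sample rules and the sample map are constructed for illustration, and the map is assumed to use the usual `sid || msg || reference` line layout.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")  # [gid:sid:rev]

def rule_sids(rule_text):
    """SIDs of active (uncommented) rules in one rule file's text."""
    sids = set()
    for line in rule_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = SID_RE.search(line)
            if m:
                sids.add(int(m.group(1)))
    return sids

def map_sids(map_text):
    """SIDs listed in sid-msg.map text ('sid || msg || reference ...')."""
    sids = set()
    for line in map_text.splitlines():
        fields = [f.strip() for f in line.split("||")]
        if len(fields) >= 2 and fields[0].isdigit():
            sids.add(int(fields[0]))
    return sids

def diagnose(alert_label, rule_files, map_text):
    """Locate the SID from an unnamed alert label in rule files and the map."""
    m = ALERT_RE.search(alert_label)
    if not m:
        raise ValueError("no [gid:sid:rev] triple in %r" % alert_label)
    sid = int(m.group(2))
    return {
        "sid": sid,
        "defined_in": sorted(n for n, t in rule_files.items() if sid in rule_sids(t)),
        "in_sid_msg_map": sid in map_sids(map_text),
    }

# Constructed sample data (not real rule content): the rule bodies are placeholders.
RULE_FILES = {
    "snort.rules": 'alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)\n',
    "emerging.rules": '# alert tcp any any -> any any (msg:"disabled"; sid:2009999; rev:1;)\n'
                      'alert tcp any any -> any any (msg:"constructed rule B"; sid:2001034; rev:1;)\n',
}
# Map as it would look if it were built from snort.rules only (assumption for the demo).
SID_MSG_MAP = "# comment line\n1000001 || constructed rule A || url,example.invalid\n"

if __name__ == "__main__":
    print(diagnose("Snort Alert [1:2001034:0]", RULE_FILES, SID_MSG_MAP))
```

A result with a non-empty `defined_in` and `in_sid_msg_map` set to False matches the situation described in the reply: the rule is loaded, but the map was generated without that rule file.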
Current thread:
- Bizarre signature Kun, Mike (Jul 21)
- Re: Bizarre signature Paul Schmehl (Jul 21)
- Re: Bizarre signature Kun, Mike (Jul 21)
- Re: Bizarre signature Joel Esler (Jul 21)
- Re: Bizarre signature Eoin Miller (Jul 21)
- Re: Bizarre signature beenph (Jul 21)
- Re: Bizarre signature Paul Schmehl (Jul 21)
- Re: Bizarre signature Kun, Mike (Jul 21)
- Re: Bizarre signature Jefferson, Shawn (Jul 21)
- Re: Bizarre signature Paul Schmehl (Jul 21)