Snort mailing list archives

Re: issues with Snort report 1.3&VRT rules&ET rules&threshold.conf


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 3 Dec 2010 08:18:10 -0500

Add ET rule categories in one at a time (not threshold.conf) and see
where Snort breaks then.

Joel

On Fri, Dec 3, 2010 at 5:50 AM, Jun Wan <junwei_wan () hotmail com> wrote:
Hi Joel,

When I run Snort with just "instance 2", I get lots of alerts that way, but
ET rules and threshold.conf do not work, please see the following results:

lots of alerts from terminal and these alerts are displayed in Snort Report;
Policies in threshold.conf don't work, e.g. "threshold gen_id 129, sig_id
12, type limit, track by_src, count 1, seconds 60", I still see lots of
alerts (129:12:0) rolling fast in my terminal screen when I do the test; and
ET rules don't work, e.g. there is no alert if I run a BitTorrent p2p
test.


When I run Snort with just "instance 1", I get lots of alerts that way, ET
rules and threshold.conf are working, but Snort Report doesn't work,
please see the following results:

lots of alerts from terminal and these alerts are not displayed in Snort
Report, Snort Report displays "No Data";
Policies in threshold.conf are working, e.g. "threshold gen_id 129, sig_id
12, type limit, track by_src, count 1, seconds 60", I still see very few
alerts (129:12:0) in my terminal screen when I do the test;
ET rules are working, e.g. I can see an alert (sid 2008581) if I run a
BitTorrent p2p test


I hope I have clearly described the situations I am experiencing at the moment.

Any idea/direction would be highly appreciated.

Many thanks in advance.

Regards

John




________________________________
Date: Thu, 2 Dec 2010 09:20:20 -0500
From: jesler () sourcefire com
To: snortreport-users () googlegroups com
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] issues with Snort report 1.3&VRT rules&ET
rules&threshold.conf

Try running it with just "instance 2" as you specified below, and see if you
get alerts that way.
Joel

On Thu, Dec 2, 2010 at 5:10 AM, Jun Wan <junwei_wan () hotmail com> wrote:

Hi Joel,

Snort is running fine (I can see lots of traffic by using -A console),
the problem is Snort Report 1.3, which is unable to display any data when
I do the following:

sudo /usr/local/snort/bin/snort -u snort -g snort -c
/usr/local/snort/etc/snort.conf -i eth0

I tested it again this morning, the Snort Report 1.3 is working (display
data) when I ran two Snort instances:

Instance 1: sudo /usr/local/snort/bin/snort -u snort -g snort -c
/usr/local/snort/etc/snort.conf -i eth0 -A console

Instance 2 (from PuTTY): sudo /usr/local/snort/bin/snort -D -u snort -g
snort -c /usr/local/snort/etc/snort.conf -i eth0
sudo /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G
/usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d
/var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

ET rules seem to be working as Snort Report displayed alerts (sid 2008581) of p2p
traffic, but I don't want to run two Snort instances.

David Gullett is on vacation at the moment, hopefully David will give us some
clues regarding Snort Report.

Many thanks for your help

Regards

John



________________________________
Date: Wed, 1 Dec 2010 08:34:50 -0500
From: joel.esler () me com
To: snortreport-users () googlegroups com
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] issues with Snort report 1.3&VRT rules&ET
rules&threshold.conf

My only suggestion is, take everything out (VRT rules, ET rules, etc) and
add things in, one at a time, see if Snort starts, stays running, and which
step breaks the process.
Joel

On Tue, Nov 30, 2010 at 10:55 PM, Jun Wan <junwei_wan () hotmail com> wrote:

Hi Joel,

It makes no difference removing "-A console", I did the following and I
got SR with "No data":

 sudo /usr/local/snort/bin/snort -u snort -g snort -c
/usr/local/snort/etc/snort.conf -i eth0

PS: eth1 should be eth0 in the previous email.

Does anyone have any idea/direction? It would be highly appreciated.

Thanks

Regards

John


________________________________
Date: Tue, 30 Nov 2010 19:21:54 -0500
From: joel.esler () me com
To: snortreport-users () googlegroups com
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] issues with Snort report 1.3&VRT rules&ET
rules&threshold.conf

Is it because with the #2 line, your output is to console? "-A console",
remember command line overrides the snort.conf output lines.
J

On Tue, Nov 30, 2010 at 7:02 PM, Jun Wan <junwei_wan () hotmail com> wrote:

Hi,

BASE is not maintained and lacks docs, so I chose Snort
Report (SR). I have got lots of help from David Gullett, David has done a
wonderful job, thanks David.

Two issues on Snort 2.8.6.0 with SR 1.3 are very strange, I thought you guys
may be interested to know, please see the following:

1.) If I do following commands:

sudo /usr/local/snort/bin/snort -D -u snort -g snort -c
/usr/local/snort/etc/snort.conf -i eth0
sudo /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G
/usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d
/var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

The results: the activated rules in emerging.conf and settings in
threshold.conf are not working, but SR is working; Snort is running with
VRT rules only (not running ET rules & threshold.conf).

2.) Or if I do the following command:

sudo /usr/local/snort/bin/snort -u snort -g snort -c
/usr/local/snort/etc/snort.conf -i eth1 -A console

The results: the activated rules in emerging.conf and settings in
threshold.conf are working, but SR is not working (no data), and Snort
is running with VRT rules, ET rules and threshold.conf.

Same issues happen to Snort 2.9.0 with SR1.3.

I would like to solve these issues before I put Snort 2.8.6 & 2.9.0 with SR
1.3 into our live network.

Any information/idea/direction would be highly appreciated.

Regards

John


--
Joel Esler
http://blog.joelesler.net

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500! Tap
into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________ Snort-users mailing list
Snort-users () lists sourceforge net Go to this URL to change user options or
unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

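The thread turns on whether the threshold.conf line "threshold gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds 60" is being applied to the 129:12 alerts. The following is an added example, not code from Snort, barnyard2, Snort Report or any of the posters: a small model of the Snort 2.x threshold.conf semantics (type limit, threshold and both, plus suppress) that parses conf lines and runs a constructed alert stream through them, so the expected effect of that line can be checked before looking at what a sensor does on the wire. The conf text, IP addresses, timestamps and the use of gen_id 1 for the ET sid are constructed for the demonstration and are not taken from the thread.

```python
"""Model of how Snort 2.x applies threshold.conf lines (limit, threshold,
both, suppress) to a stream of alerts.

Added example; not code from Snort, barnyard2, Snort Report or the thread.
The conf text and alert records below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# threshold gen_id N, sig_id N, type limit|threshold|both, track by_src|by_dst, count N, seconds N
THRESH_RE = re.compile(
    r"^threshold\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*type\s+(limit|threshold|both)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)$")
# suppress gen_id N, sig_id N [, track by_src|by_dst, ip A.B.C.D]
SUPP_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$")


@dataclass
class Rule:
    kind: str                  # "limit", "threshold", "both" or "suppress"
    track: Optional[str]       # "by_src" / "by_dst"; None for an unconditional suppress
    count: int = 0
    seconds: int = 0
    ip: Optional[str] = None   # only for "suppress ..., track ..., ip ..."


@dataclass
class Alert:
    gid: int
    sid: int
    src: str
    dst: str
    ts: float                  # seconds; alerts are fed in time order


def parse_threshold_conf(text: str) -> Dict[Tuple[int, int], List[Rule]]:
    """Return rules keyed by (gen_id, sig_id). An unparsable line raises instead
    of being skipped silently, which is the failure a practitioner wants to see."""
    rules: Dict[Tuple[int, int], List[Rule]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = THRESH_RE.match(line)
        if m:
            gid, sid, kind, track, count, secs = m.groups()
            rules.setdefault((int(gid), int(sid)), []).append(
                Rule(kind, track, int(count), int(secs)))
            continue
        m = SUPP_RE.match(line)
        if m:
            gid, sid, track, ip = m.groups()
            rules.setdefault((int(gid), int(sid)), []).append(Rule("suppress", track, ip=ip))
            continue
        raise ValueError(f"unparsed threshold.conf line: {raw!r}")
    return rules


class EventFilter:
    """Per (gid, sid, tracked address) counter with a window start timestamp."""

    def __init__(self, rules: Dict[Tuple[int, int], List[Rule]]):
        self.rules = rules
        self.state: Dict[Tuple[int, int, str], List[float]] = {}  # key -> [window_start, n]

    def allow(self, a: Alert) -> bool:
        """True if the alert is logged after applying the rules for its gid:sid."""
        for r in self.rules.get((a.gid, a.sid), []):
            if r.kind == "suppress":
                addr = a.src if r.track == "by_src" else a.dst
                if r.ip is None or r.ip == addr:
                    return False
                continue
            key = (a.gid, a.sid, a.src if r.track == "by_src" else a.dst)
            st = self.state.get(key)
            if st is None or a.ts - st[0] >= r.seconds:   # window expired: start a new one
                st = self.state[key] = [a.ts, 0]
            st[1] += 1
            if r.kind == "limit":          # log only the first `count` events per window
                return st[1] <= r.count
            if r.kind == "threshold":      # log every `count`-th event in the window
                if st[1] >= r.count:
                    st[1] = 0
                    return True
                return False
            return st[1] == r.count        # both: log once when `count` is reached
        return True                        # no rule for this gid:sid


def run_demo() -> Dict[str, int]:
    """Feed constructed alerts through the line quoted in the thread and count survivors."""
    conf = """
    # constructed threshold.conf; the first line is the one from the thread
    threshold gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds 60
    suppress gen_id 1, sig_id 2008581, track by_src, ip 10.0.0.5
    """
    f = EventFilter(parse_threshold_conf(conf))
    burst = [Alert(129, 12, "10.0.0.7", "10.0.0.1", i * 0.2) for i in range(50)]  # 50 in 10 s
    late = Alert(129, 12, "10.0.0.7", "10.0.0.1", 61.0)                            # after the window
    other_src = Alert(129, 12, "10.0.0.8", "10.0.0.1", 5.0)
    return {
        "129:12 same src, 50 in 10s": sum(f.allow(a) for a in burst),
        "129:12 same src, after 60s": int(f.allow(late)),
        "129:12 different src": int(f.allow(other_src)),
        "2008581 from suppressed ip": int(f.allow(Alert(1, 2008581, "10.0.0.5", "1.2.3.4", 7.0))),
        "2008581 from other ip": int(f.allow(Alert(1, 2008581, "10.0.0.9", "1.2.3.4", 8.0))),
    }
```

With the thread's line in force, a burst of fifty 129:12 alerts from one source inside the 60-second window produces a single logged alert, a second one appears only once the window has expired, and a different source gets its own counter. If the terminal still shows 129:12 "rolling fast" from one host, the conf is not being applied by that Snort process at all, and the thing to check is whether the snort.conf that process was started with actually includes the threshold.conf file, rather than the syntax of the line.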

