Snort mailing list archives

Re: MySQL support for Snort 2.9.4


From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 12 Dec 2012 09:10:55 -0500

On 12/11/2012 16:26, Kaya Saman wrote:
> I still get the flow bit errors as PP from above only enabled 24.

PP's flowbit resolving only goes one way...

if a rule checks for a flowbit, PP will enable the rule(s) that set that 
flowbit... this fixes the "flowbit is checked but never set" warning...

if a rule sets a flowbit and there are no rules to check it, PP will not enable 
those checking rules... snort will still alert that "flowbit is set but never 
checked"... this is something manual that you will have to handle by either 
turning off that rule or turning on at least one of those that checks that 
flowbit...

> In the log file I noticed that I got a bunch of "unknown message" entries so I
> don't know if that's got anything to do with it?

we'd have to see a log snippet of what you are talking about...

> Using the -k none option as suggested previously I don't get any more 'Bad
> checksum' errors but I still don't get anything logged either?

how is snort connected to the traffic flow? thru a span port or a switch or hub?

> Previously when I used version 2.8.6 with the Emerging Threats ruleset even when
> run for a few seconds Base would just spike with occurrences, mainly for p2p
> icmp packets.

> Basically it's still not working :-(

yup, something's just not right yet...

the biggest change between 2.8.6 and 2.9 is the use of the DAQ stuff... that and 
the removal of the database output stuff... however, there is something about 
this logging thing that is problematic... i see it quite often on new 
installations of our packaged environment... several times we've thought we've 
found the definitive answer to fix it but while it works for some, it doesn't 
for others... and then another fix will work for them but there are still more 
who are not getting logging... we're still looking at it in our stuff since we 
are including snort in our packaged environment and folks come to us for help 
with it... one day we will find it...

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
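The one-way flowbit resolution waldo kitty describes above, modelled as an added example (this is not code from the thread, Snort or PulledPork): a constructed six-rule set is parsed for its flowbits options, snort's two startup warnings are reproduced over the enabled rules only, and PP's resolution is applied, so the disabled rule that sets a checked bit is turned on while the disabled rule that only checks bt.tracker stays off and that "set but never checked" warning remains for the operator. The fixed-point iteration and the treatment of toggle/isnotset as setters/checkers are assumptions of this model.

```python
import re
from dataclasses import dataclass, replace

# Constructed sample ruleset (not from the thread); a leading '#' marks a disabled rule.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP AUTH seen"; content:"AUTH LOGIN"; flowbits:set,smtp.auth; flowbits:noalert; sid:1000001;)
alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"SMTP failure after AUTH"; flowbits:isset,smtp.auth; content:"535"; sid:1000002;)
# alert tcp $HOME_NET any -> any 6881 (msg:"BT handshake"; content:"BitTorrent protocol"; flowbits:set,bt.handshake; flowbits:noalert; sid:1000003;)
alert tcp any 6881 -> $HOME_NET any (msg:"BT peer reply"; flowbits:isset,bt.handshake; sid:1000004;)
alert tcp $HOME_NET any -> any 80 (msg:"BT tracker announce"; content:"announce"; flowbits:set,bt.tracker; sid:1000005;)
# alert tcp any 80 -> $HOME_NET any (msg:"BT tracker reply"; flowbits:isset,bt.tracker; sid:1000006;)
"""
FLOWBITS = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([\w.]+))?")  # (op, bit name or '')
SID = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS, CHECKERS = {"set", "toggle"}, {"isset", "isnotset"}  # assumed classification

@dataclass(frozen=True)
class Rule:
    sid: int
    enabled: bool
    sets: frozenset    # flowbits this rule sets
    checks: frozenset  # flowbits this rule tests

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = SID.search(line)
        if not m: continue  # blank line or something that is not a rule
        ops = FLOWBITS.findall(line)
        rules.append(Rule(int(m.group(1)), not line.lstrip().startswith("#"),
                          frozenset(b for op, b in ops if op in SETTERS and b),
                          frozenset(b for op, b in ops if op in CHECKERS and b)))
    return rules

def flowbit_warnings(rules):
    # Model snort's startup check over ENABLED rules: (checked but never set, set but never checked)
    set_bits = {b for r in rules if r.enabled for b in r.sets}
    checked = {b for r in rules if r.enabled for b in r.checks}
    return sorted(checked - set_bits), sorted(set_bits - checked)

def pulledpork_resolve(rules):
    # Model PP's one-way resolution (assumed iterated to a fixed point): a disabled rule is
    # enabled only if it SETS a bit an enabled rule CHECKS; disabled rules that only CHECK stay off.
    enabled = {r.sid for r in rules if r.enabled}
    while True:
        needed = {b for r in rules if r.sid in enabled for b in r.checks}
        new = {r.sid for r in rules if r.sid not in enabled and r.sets & needed}
        if not new:
            return [replace(r, enabled=r.sid in enabled) for r in rules]
        enabled |= new
```

Running flowbit_warnings before and after pulledpork_resolve on the sample shows the "checked but never set" warning disappear while bt.tracker stays in the "set but never checked" list.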
