Snort mailing list archives
Re: How rules fire question.
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 6 May 2013 14:23:18 -0400
Good to hear you got it squared away. On May 6, 2013, at 1:19 PM, AT&T.Net <coppage () att net> wrote:
> Thanks, Joel. In looking at how this box was set up, PulledPork is being used on a central server, but one of the scripts being used to push the rules and that file to all the sensors was pulling from the wrong location, and therefore the correct SID file was not being pushed.
>
> Thanks,
> Mike
>
> Sent from mobile device via my thumbs.
>
> On May 6, 2013, at 11:06 AM, Joel Esler <jesler () sourcefire com> wrote:
>
>> On May 6, 2013, at 10:59 AM, "AT&T.Net" <coppage () att net> wrote:
>>
>>> Hi,
>>>
>>> My Snort is giving me an alert, for example: Snort Alert [1:24889:0]. When I look at my snort.rules file there is rev 1 but not a rev 0. If the last number is referencing the rev, why would it have fired on a non-existent rev? I've searched my old archived rules on the server and other rules and don't have that SID with a rev 0.
>>
>> That rule is at rev:1. We start all rules at rev 1. So, I am thinking two things:
>>
>> #1 -- You aren't using PulledPork to manage your downloads (which, as part of its download and managing process, creates the sid-msg.map for you).
>>
>> #2 -- Your barnyard2 instance isn't reading the sid-msg.map file that PulledPork generates.
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
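The thread's diagnosis (an alert labelled only by its gid:sid:rev because the sid-msg.map on the sensor was stale) is easy to reproduce and to check for. The script below is an added example, not code from the thread, from PulledPork or from barnyard2. It parses a snort.rules file and a sid-msg.map, names an event the way a sid-msg.map consumer does, and reports every sid that is in the rules but not in the map. The sid-msg.map field layouts used here (v1: `sid || msg || ref`; v2, introduced by a `#v2` header line: `gid || sid || rev || classification || priority || msg || ref`) and the fallback label with rev 0 are my assumptions for the example; the thread only shows the resulting "Snort Alert [1:24889:0]" text, and all sample rules and map lines are constructed.

```python
"""Added example: model how a stale sid-msg.map turns a real rule hit into a
generic "Snort Alert [gid:sid:0]" label, and check a rules file against the map.

Assumptions (not stated in the thread):
  - v1 sid-msg.map lines: sid || msg || ref || ref ...
  - v2 sid-msg.map files start with "#v2" and carry
    gid || sid || rev || classification || priority || msg || ref ...
  - a sid missing from the map is labelled "Snort Alert [gid:sid:0]", matching
    the alert text quoted in the thread.
"""
import re

# Constructed sample data; not taken from any real deployment.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule one"; content:"foo"; sid:24889; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE rule two"; content:"bar"; sid:1000001; rev:3;)
# comment lines and disabled rules must be ignored
# alert tcp any any -> any any (msg:"disabled"; sid:1000002; rev:1;)
"""

# Stale v1 map pushed from the wrong location: sid 24889 never made it in.
STALE_MAP = """\
1000001 || EXAMPLE rule two || url,example.test/two
"""

# Correct v2 map generated alongside the rules.
CURRENT_MAP_V2 = """\
#v2
1 || 24889 || 1 || attempted-recon || 2 || EXAMPLE rule one || url,example.test/one
1 || 1000001 || 3 || policy-violation || 3 || EXAMPLE rule two || url,example.test/two
"""

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')


def parse_rules(text):
    """Return {(gid, sid): rev} for enabled rules; gid defaults to 1, rev to 0."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        gid = GID_RE.search(line)
        rev = REV_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        rules[key] = int(rev.group(1)) if rev else 0
    return rules


def parse_sid_msg_map(text):
    """Return {(gid, sid): (rev, msg)}; v1 entries carry no gid/rev (gid=1, rev=None)."""
    lines = text.splitlines()
    is_v2 = bool(lines) and lines[0].strip() == '#v2'
    entries = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = [f.strip() for f in line.split('||')]
        if is_v2:
            if len(fields) < 6:
                continue
            entries[(int(fields[0]), int(fields[1]))] = (int(fields[2]), fields[5])
        else:
            if len(fields) < 2:
                continue
            entries[(1, int(fields[0]))] = (None, fields[1])
    return entries


def alert_label(sid_map, gid, sid):
    """Name an event from the map; unknown sids get the generic label with rev 0."""
    entry = sid_map.get((gid, sid))
    if entry is None:
        return "Snort Alert [%d:%d:0]" % (gid, sid)
    return entry[1]


def check_map_against_rules(rules, sid_map):
    """Return (sids missing from the map, sids whose map rev differs from the rule rev)."""
    missing = sorted(k for k in rules if k not in sid_map)
    stale = sorted(k for k in rules
                   if k in sid_map and sid_map[k][0] is not None and sid_map[k][0] != rules[k])
    return missing, stale


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name, raw in (("stale map", STALE_MAP), ("current map", CURRENT_MAP_V2)):
        m = parse_sid_msg_map(raw)
        print(name, "->", alert_label(m, 1, 24889), "| missing/stale:", check_map_against_rules(rules, m))
```

Run the check on each sensor after a rules push: a non-empty "missing" list means the sid-msg.map shipped with the rules is not the one PulledPork generated for them, which is exactly the mismatch that produced the rev-0 label in the thread.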
Current thread:
- How rules fire question. AT&T.Net (May 06)
- Re: How rules fire question. Joel Esler (May 06)
- Re: How rules fire question. AT&T.Net (May 06)
- Re: How rules fire question. Joel Esler (May 06)
- Re: How rules fire question. AT&T.Net (May 09)
- Re: How rules fire question. AT&T.Net (May 06)
- Re: How rules fire question. Joel Esler (May 06)