Re: a few questions...

[Joel Esler <jesler () sourcefire com>]

We should probably think about removing dynamically activated rules. I've not met anyone that uses those (that didn't 
know about flowbits) in many years. 


--
Joel Esler
Sent from my iPad

On Jul 5, 2013, at 7:53 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 7/5/2013 18:35, Russ Combs wrote:
> > On Fri, Jul 5, 2013 at 5:56 PM, waldo kitty <wkitty42 () windstream net> wrote:
> [trim]
> >    1. i do have 14 compiled so dynamic rules files in my lib directory. snort
> >    does recognize them and appears to load them as can be seen in the execution
> >    output attached below. the question is why does snort report "0 Dynamic
> >    rules" when it is initializing the rule chains? there /are/ 72 rules stubs
> >    in the so_rules directory and they were created from the compiled rules by
> >    snort's --dump-dynamic-rules option... did i miss a change in the
> >    so_rules/src/Makefile other than changing the SNORT_VERSION entry?
> >
> >
> > Those are dynamically activated rules as opposed to dynamically loaded rules.
> > Check here:
> >
> > http://manual.snort.org/node29.html#SECTION00421000000000000000
> > http://manual.snort.org/node29.html#SECTION00426000000000000000
>
> ahh! ok... perhaps that header can be changed to say "Dynamically Activated 
> rules" to clarify this? it might also be a nice idea to place an additional 
> category in the "XXX Snort rules read" section that states how many "Dynamically 
> loaded rules" there are in that total of rules read (and processed)??
>
> >    2. when i terminate snort, the "Packet I/O Totals" count of processed
> >    doesn't make sense. it says 4054 received and analyzed but the "Breakdown by
> >    protocol" says there were 4057. where did the extra three packets come from?
> >    it also reports 125 "Other" packets. how can i find out what they are or were?
> >
> > They are certain rebuilt packets counted here:
> >
> >      S5 G 2:            3 (  0.074%)
>
> ya know? i don't recall if i even saw that entry... sometimes it is kinda of 
> hard to break out the counts properly... one would normally think that they can 
> add up that whole column to come up with the same total but that's definitely 
> not the proper thing to do...
>
> can you provide a hint on what is considered as "Other" packets that my short 
> run turned up? 125 of them makes me curious as to what is going on on that box 
> that i'm not aware of ;)
>
> > Check here:
> >
> > http://manual.snort.org/node9.html#SECTION00273000000000000000
> >
> > I guess that should also state that packets flushed at shutdown are counted
> > there as well.
>
> that would be a good idea, as well ;)
>
> -- 
> NOTE: No off-list assistance is given without prior approval.
>       Please keep mailing list traffic on the list unless
>       private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!