Snort mailing list archives

Re: Snort works fine with community rules. After importing the complete set using oinkmaster, it fails to generate alerts


From: Y M <snort () outlook com>
Date: Mon, 29 Aug 2016 20:38:03 +0000

Does Oinkmaster handle rule policies? Obviously I am not familiar with Oinkmaster, but it seems that there are no rule 
policies (security, balanced, connectivity) applied and the rules are not being enabled.

YM

Sent from Mobile




On Mon, Aug 29, 2016 at 11:04 PM +0300, "Roy Turner" <royturner () uymail com> wrote:


Basically I configured my Snort and it works fine with the community rules. Alerts arrive perfectly when doing an Nmap 
scan and other tests.

The problem is that after installing the registered version of the rules using oinkmaster, I do not receive any alerts. 
I did add the rules with their path in the snort.conf file.

Status appears to be fine:

● snort.service - LSB: snort
   Loaded: loaded (/etc/init.d/snort)
   Active: active (running) since Mon 2016-08-29 15:34:37 EDT; 2min 41s ago
  Process: 6846 ExecStop=/etc/init.d/snort stop (code=exited, status=0/SUCCESS)
  Process: 6893 ExecStart=/etc/init.d/snort start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/snort.service
           └─6913 snort -i eth1 -c /etc/snort/snort.conf -s -D

Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_POP  Version 1.0  <Build 1>
Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
Aug 29 15:34:37 IDS snort[6913]: Commencing packet processing (pid=6913)


I haven't modified anything, except adding the rules using oinkmaster. If I roll back, it works fine with the 
community rules.

Does anyone have any ideas? Sorry for being so unspecific, but I'm a bit lost here.
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
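An added check for the situation YM's reply points at (this is example code added here, not code from the thread, from Snort or from Oinkmaster): the registered rule files ship most rules commented out with a leading "# ", and each rule's metadata names the policies (connectivity-ips, balanced-ips, security-ips) under which it is meant to be enabled. Oinkmaster copies the files but applies no policy, so a freshly imported set can load cleanly and still contain almost no active rules, which matches "status looks fine, no alerts". The script below counts enabled versus disabled rules in a rules file, lists the SIDs a chosen policy would turn on in the comma-separated form Oinkmaster's enablesid directive takes in oinkmaster.conf, and rewrites the file with those rules uncommented. The rules and SIDs in SAMPLE_RULES are constructed for this example and are not real Talos rules; the policy tag names are the ones the registered rules use.

```python
"""Count enabled/disabled Snort rules and enable the ones tagged for a policy.

Added example, not part of the mailing-list thread or of Oinkmaster.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample rules file (made-up SIDs, illustration only).
SAMPLE_RULES = r"""
# These are constructed example rules for illustration only.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server,established; detection_filter:track by_src, count 5, seconds 60; metadata:policy balanced-ips drop, policy security-ips drop, service ssh; classtype:attempted-admin; sid:9000001; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE web scanner user-agent"; flow:to_server,established; content:"User-Agent|3A| scanner"; http_header; metadata:policy security-ips drop, service http; classtype:web-application-activity; sid:9000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; flow:to_server,established; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; sid:9000003; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"EXAMPLE SNMP public community"; content:"public"; metadata:service snmp; classtype:misc-activity; sid:9000004; rev:1;)
"""

# A rule line: optional "# " (disabled), an action keyword, header, and a
# parenthesised option block. Plain comments do not match because they do
# not start with an action keyword followed by an option block.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?'
    r'(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<rest>.*\(.*\))\s*$'
)


@dataclass
class Rule:
    gid: int
    sid: int
    enabled: bool
    policies: tuple
    body: str  # rule text without the leading "# "


def _body(m):
    return m.group('action') + ' ' + m.group('rest')


def _policies(body):
    # Policy tags live inside the metadata option: "policy balanced-ips drop, ..."
    meta = re.search(r'\bmetadata\s*:\s*([^;]*)', body)
    return tuple(re.findall(r'\bpolicy\s+([\w-]+)', meta.group(1))) if meta else ()


def parse_rules(text):
    """Return one Rule per rule line, commented-out rules included."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        body = _body(m)
        sid = re.search(r'\bsid\s*:\s*(\d+)', body)
        if not sid:  # a comment that merely starts with "alert ..." is not a rule
            continue
        gid = re.search(r'\bgid\s*:\s*(\d+)', body)
        rules.append(Rule(int(gid.group(1)) if gid else 1, int(sid.group(1)),
                          m.group('disabled') is None, _policies(body), body))
    return rules


def summarize(rules):
    """Enabled/disabled totals plus how many rules carry each policy tag."""
    per_policy = Counter(p for r in rules for p in r.policies)
    return {
        'total': len(rules),
        'enabled': sum(1 for r in rules if r.enabled),
        'disabled': sum(1 for r in rules if not r.enabled),
        'per_policy': dict(per_policy),
    }


def sids_for_policy(rules, policy):
    """SIDs that are tagged for `policy` but currently disabled."""
    return sorted(r.sid for r in rules if policy in r.policies and not r.enabled)


def enablesid_line(rules, policy):
    """The enablesid line to add to oinkmaster.conf for `policy`."""
    sids = sids_for_policy(rules, policy)
    return ('enablesid ' + ', '.join(str(s) for s in sids)) if sids else ''


def apply_policy(text, policy):
    """Rewrite the rules file with rules tagged for `policy` uncommented.

    Rules already enabled by hand are left alone; rules with no policy tag
    stay as they are.
    """
    out = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m and m.group('disabled'):
            body = _body(m)
            if policy in _policies(body):
                out.append(body)
                continue
        out.append(raw)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    print(summarize(rules))
    for pol in ('connectivity-ips', 'balanced-ips', 'security-ips'):
        print(pol, '->', enablesid_line(rules, pol) or '(nothing to enable)')
```

Run against a real ruleset with `parse_rules(open('/etc/snort/rules/snort.rules').read())` (path assumed) and compare the enabled count with the number of rules Snort reports at startup; a count near zero explains the silence after the import. Enabling rules by policy is the point here, so check the drop/alert actions and tune after enabling, since the security-ips policy turns on far more rules than the community set the poster had running.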
