Re: Snort works fine with community rules. After importing the complete set using oinkmaster, it fails to generate alerts

[Shirkdog <shirkdog () gmail com>]

There is an enhancement request for this support in pulledpork.

On Aug 29, 2016 4:40 PM, "Y M" <snort () outlook com> wrote:

> Does Oinkmaster handle rules policy? Obviously I am not familiar with
> Oinkmaster but it seems that there are no rules policies (security,
> balanced, connectivity) applied and rules are not being enabled.
>
> YM
>
> Sent from Mobile
>
>
>
>
> On Mon, Aug 29, 2016 at 11:04 PM +0300, "Roy Turner" <royturner () uymail com
> > wrote:
>
> Basically I configured my Snort and it works fine with the
> community-rules. Alerts arrive perfectly when doing a NMAP scan and other
> tests.
>
> The problem is that after installing the registered version of the rules
> using oinkmaster, I do not receive any alert. I did add the rules with
> their path in the snort.conf file.
>
> Status appears to be fine:
>
> ● snort.service - LSB: snort
>    Loaded: loaded (/etc/init.d/snort)
>    Active: active (running) since Mon 2016-08-29 15:34:37 EDT; 2min 41s ago
>   Process: 6846 ExecStop=/etc/init.d/snort stop (code=exited, status=0/SUCCESS)
>   Process: 6893 ExecStart=/etc/init.d/snort start (code=exited, status=0/SUCCESS)
>    CGroup: /system.slice/snort.service
>            └─6913 snort -i eth1 -c /etc/snort/snort.conf -s -D
>
> Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
> Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
> Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
> Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_POP  Version 1.0  <Build 1>
> Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
> Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
> Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
> Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
> Aug 29 15:34:37 IDS snort[6913]: Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
> Aug 29 15:34:37 IDS snort[6913]: Commencing packet processing (pid=6913)
>
> I haven't modified anything, except adding the rules using oinkmaster. If
> I rollback, it works fine with community-rules.
>
> Anyone has any ideas? Sorry for being so unspecific, but I'm a bit lost
> here.
>
> ------------------------------------------------------------
> ------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!