Snort mailing list archives
RE: Snort 2.1.0 with snortcenter v1.0
From: "Jim Cervantes" <jcervant () umbranetworks com>
Date: Fri, 19 Dec 2003 14:41:29 -0500
I encountered a lack of Snortcenter support for the window option when upgrading to 2.0.5, so I think you are merely seeing the divergence of snort with snortcenter. It doesn't appear that Snortcenter is being very actively supported, but I might be wrong about that.

Even though Snortcenter complains when importing the affected rules, it still imports them into the rule database and will push them out to your sensors without the options it doesn't recognize. This is very unfortunate because you generally end up with underqualified rules that will fire when they shouldn't.

Be aware of a particularly nasty problem I ran into recently with Snortcenter. Under certain circumstances Snortcenter will reorder multiple content options (and all the related sub-parameters). This will break a huge number of rules. It seems as though Snortcenter inadvertently depends on SELECT statements to return rows in the order they were INSERTed. MySQL appears to oblige unless you have ever performed maintenance on the applicable tables. Don't ever run 'OPTIMIZE TABLE' on Snortcenter's content or uricontent tables (yes, uricontent has the same problem).

I don't mean to get down at all on Snortcenter - it has proven useful for me. However, the lack of maintenance has become a growing concern.

Jim

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Friesz, Ross
Sent: Friday, December 19, 2003 2:13 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort 2.1.0 with snortcenter v1.0

Hello All,

While trying to import snortrules-current.tar.gz using snortcenter, I get several database errors. Snortcenter says there are unknown Rule Options pcre, window, and isdataat. Has anyone come across this problem after upgrading to 2.1.0 and changing the config.php file in snortcenter to download snortrules-current.tar.gz instead of snortrules-stable.tar.gz?
Thanks

Ross Friesz

-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
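A check for the two failure modes described in the reply above, as an added example that is not part of the original messages or of Snortcenter: it compares a rule as shipped with the same rule as exported to a sensor and reports options that were dropped and content/uricontent options that changed order. The rule texts are constructed samples and the function names are hypothetical.

```python
import re

# One "keyword;" or "keyword:value;" option. A semicolon inside double quotes
# or escaped as \; does not end the option.
_OPTION = re.compile(
    r'\s*([A-Za-z_]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|\\.|[^;"\\])*))?;')

def rule_options(rule):
    """Return the rule's options as an ordered list of (keyword, value)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [(m.group(1), (m.group(2) or "").strip())
            for m in _OPTION.finditer(body)]

def _contents(options):
    """The content/uricontent options only, in rule order."""
    return [(k, v) for k, v in options if k in ("content", "uricontent")]

def compare(source_rule, deployed_rule):
    """List the ways the deployed rule diverges from the source rule."""
    src, dep = rule_options(source_rule), rule_options(deployed_rule)
    findings = []
    deployed_keys = {k for k, _ in dep}
    for key in dict.fromkeys(k for k, _ in src):  # unique, first-seen order
        if key not in deployed_keys:
            findings.append("dropped option: " + key)
    # Order matters: depth, offset, distance and within apply to the content
    # option they follow, so the same matches in another order are another rule.
    if (sorted(_contents(src)) == sorted(_contents(dep))
            and _contents(src) != _contents(dep)):
        findings.append("content options reordered")
    return findings

# Constructed sample: the rule as shipped, and as a management tool exported it.
SOURCE = (r'alert tcp any any -> any 80 (msg:"constructed example"; '
          r'content:"GET"; depth:3; content:"/admin"; distance:1; '
          r'pcre:"/id=\d+/i"; sid:1000001;)')
DEPLOYED = (r'alert tcp any any -> any 80 (msg:"constructed example"; '
            r'content:"/admin"; distance:1; content:"GET"; depth:3; '
            r'sid:1000001;)')

if __name__ == "__main__":
    for finding in compare(SOURCE, DEPLOYED):
        print(finding)
```

Run over every sid in the source rule file and the sensor's exported rule file, an empty result for each pair means the export preserved both the option set and the content order.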
Current thread:
- Snort 2.1.0 with snortcenter v1.0 Friesz, Ross (Dec 19)
- RE: Snort 2.1.0 with snortcenter v1.0 Jim Cervantes (Dec 19)