Snort mailing list archives
Re: Anybody had this error? (John Ceballos)
From: "John Ceballos-contr" <John.Ceballos-contr () TRW COM>
Date: Wed, 16 Feb 2005 10:03:04 -0500
Thanks all for the help! Your advice about the snort.conf did the trick. Talk to you all later!
snort-users-request () lists sourceforge net 2/15/2005 5:23:51 PM >>>
Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. RE: Stealth interface (Willy, Andrew)
   2. RE: Stealth interface (Bob Konigsberg)
   3. [Snort] Followup to "Looking to update rules" (Bob Konigsberg)
   4. Sensors and alerts stop showing up in ACID (Bristol, Gary L.)
   5. Re: Anybody had this error? (Edin Dizdarevic)
   6. RE: Sensors and alerts stop showing up in ACID (Chris Vaughan)
   7. RE: Sensors and alerts stop showing up in ACID (Bristol, Gary L.)

--__--__--

Message: 1
From: "Willy, Andrew" <AWilly () eSMIL net>
To: 'Bob Konigsberg' <bobkberg () networkeval com>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Stealth interface
Date: Tue, 15 Feb 2005 13:13:13 -0700

Does an interface without an IP address qualify as a stealth interface or is there more to it?

Andrew

-----Original Message-----
From: Bob Konigsberg [mailto:bobkberg () networkeval com]
Sent: Tuesday, February 15, 2005 12:59 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Stealth interface

The basic purpose of the stealth interface is to prevent an attacker from knowing that you've got a monitoring box present.

Typically, you'd have two or more interfaces, and the one you "talk" to with an IP address would not even be on the same network as the stealth interface.

Bob

_____

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Willy, Andrew
Sent: Tuesday, February 15, 2005 11:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Stealth interface

Hello,

Would any of you mind explaining the need for, the setup, and the application of a stealth interface on an IDS box? I'm new to Snort and ID as a whole. Google returned interesting but seemingly incomplete information on the subject.

Thanks

Andrew

NOTICE OF CONFIDENTIALITY-The information in this email, including attachments, may be confidential and/or privileged and may contain confidential health information. This email is intended to be reviewed only by the individual or organization named as addressee. If you have received this email in error please notify Scottsdale Medical Imaging, an affiliate of Southwest Diagnostic Imaging, LTD immediately - by return message to the sender or to support () esmil com - and destroy all copies of this message and any attachments. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Scottsdale Medical Imaging. Confidential health information is protected by state and federal law, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 and related regulations.

--__--__--

Message: 2
From: "Bob Konigsberg" <bobkberg () networkeval com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Stealth interface
Date: Tue, 15 Feb 2005 12:14:00 -0800

That's a good place to start.

One additional thing that some people do is to cut the transmit pair (or never connect them) so that the interface cannot be seen at all by other network hardware.

Bob

_____

From: Willy, Andrew [mailto:AWilly () eSMIL net]
Sent: Tuesday, February 15, 2005 12:13 PM
To: 'Bob Konigsberg'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Stealth interface

Does an interface without an IP address qualify as a stealth interface or is there more to it?

Andrew

-----Original Message-----
From: Bob Konigsberg [mailto:bobkberg () networkeval com]
Sent: Tuesday, February 15, 2005 12:59 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Stealth interface

The basic purpose of the stealth interface is to prevent an attacker from knowing that you've got a monitoring box present.

Typically, you'd have two or more interfaces, and the one you "talk" to with an IP address would not even be on the same network as the stealth interface.

Bob

_____

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Willy, Andrew
Sent: Tuesday, February 15, 2005 11:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Stealth interface

Hello,

Would any of you mind explaining the need for, the setup, and the application of a stealth interface on an IDS box? I'm new to Snort and ID as a whole. Google returned interesting but seemingly incomplete information on the subject.

Thanks

Andrew

--__--__--

Message: 3
From: "Bob Konigsberg" <bobkberg () networkeval com>
To: <snort-users () lists sourceforge net>
Date: Tue, 15 Feb 2005 12:30:27 -0800
Subject: [Snort-users] [Snort] Followup to "Looking to update rules"

First of all - Thank you to all of you who wrote with helpful suggestions. I finally have this working.

Second, since nobody wanted any money for doing this, then I'll donate the $75 to the Free Software Foundation. It's worth it to me since this is part of a for-profit effort, and I feel that value received ought to be properly acknowledged.

Third, I'll polish up the combined efforts of all you kind folks, and make it available on my web site as a PDF. If anyone is interested in proof reading or keystroking it (testing the instructions), please reply privately. I don't know when I'll get to this, but sometime in the next month or two.

Bob

--__--__--

Message: 4
Date: Tue, 15 Feb 2005 15:35:19 -0600
From: "Bristol, Gary L." <gbristol () ou edu>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Sensors and alerts stop showing up in ACID

I recently updated my sensors to snort 2.3.0. The problem I'm seeing on two different databases is that one of the sensor's alerts and information shows up just fine but the other one, even though it's listed in the sensor table doesn't show as being there in the ACID page of sensors and no alerts from this sensor are showing up.

On one database I completely removed the Snort db and recreated it from scratch, same problem, one sensor and its alerts show up, the other doesn't.

--__--__--

Message: 5
Date: Tue, 15 Feb 2005 22:38:12 +0100
From: Edin Dizdarevic <Edin.Dizdarevic () interActive-Systems de>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Anybody had this error?

Hi,

look at your snort.conf for a rule type you have defined there and remove it.

Regards,

Edin

John Ceballos-contr wrote:
> Hello all!
> :::
> ERROR: ruletype redalert does not exist or has already been ordered.
> ...

--
Edin Dizdarevic

--__--__--

Message: 6
Subject: RE: [Snort-users] Sensors and alerts stop showing up in ACID
Date: Tue, 15 Feb 2005 17:15:21 -0500
From: "Chris Vaughan" <chrisv () parkavebank com>
To: "Bristol, Gary L." <gbristol () ou edu>, <snort-users () lists sourceforge net>

Are you sure that in your barnyard.conf you are logging with two different sensor_ids?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bristol, Gary L.
Sent: Tuesday, February 15, 2005 4:35 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Sensors and alerts stop showing up in ACID

I recently updated my sensors to snort 2.3.0. The problem I'm seeing on two different databases is that one of the sensor's alerts and information shows up just fine but the other one, even though it's listed in the sensor table doesn't show as being there in the ACID page of sensors and no alerts from this sensor are showing up.

On one database I completely removed the Snort db and recreated it from scratch, same problem, one sensor and its alerts show up, the other doesn't.

--__--__--

Message: 7
Subject: RE: [Snort-users] Sensors and alerts stop showing up in ACID
Date: Tue, 15 Feb 2005 16:22:44 -0600
From: "Bristol, Gary L." <gbristol () ou edu>
To: "Chris Vaughan" <chrisv () parkavebank com>, <snort-users () lists sourceforge net>

Not using Barnyard for the output. The Sensor_id entry is in the Sensor Table of the Snort DB. This is information from two different sensors to a central DB that worked previously to upgrading to 2.3.0, although that might not be the problem, since I had been using it for about a week. It seemed to stop working after a signature upgrade, last week.

-----Original Message-----
From: Chris Vaughan [mailto:chrisv () parkavebank com]
Sent: Tuesday, February 15, 2005 4:15 PM
To: Bristol, Gary L.; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Sensors and alerts stop showing up in ACID

Are you sure that in your barnyard.conf you are logging with two different sensor_ids?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bristol, Gary L.
Sent: Tuesday, February 15, 2005 4:35 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Sensors and alerts stop showing up in ACID

I recently updated my sensors to snort 2.3.0. The problem I'm seeing on two different databases is that one of the sensor's alerts and information shows up just fine but the other one, even though it's listed in the sensor table doesn't show as being there in the ACID page of sensors and no alerts from this sensor are showing up.

On one database I completely removed the Snort db and recreated it from scratch, same problem, one sensor and its alerts show up, the other doesn't.

--__--__--

End of Snort-users Digest

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
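
An added example, not part of the original thread: a shell check for the stealth-interface setup discussed in Messages 1 and 2 of the quoted digest (a sniffing interface with no IP address that stays silent on the wire). It assumes a Linux sensor with iproute2; the function names, interface names and sample `ip -o` output are constructed, and the IPv6 and ARP checks go beyond what the posters state.

```shell
#!/bin/sh
# Added example: audit a sniffing interface from text in the formats printed
# by `ip -o link show` and `ip -o addr show` (iproute2 on Linux).

# Constructed sample data: eth0 = management, eth1..eth3 = sniffing candidates.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP\    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP\    link/ether 52:54:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP\    link/ether 52:54:00:00:00:03 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP\    link/ether 52:54:00:00:00:04 brd ff:ff:ff:ff:ff:ff'

# eth1 has no IPv4 address but still carries an auto-configured IPv6
# link-local address, so it would emit neighbor-discovery traffic.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::5054:ff:fe00:2/64 scope link \       valid_lft forever preferred_lft forever'

# link_flags IFACE LINK_TEXT: print the flag list of IFACE, empty if absent.
link_flags() {
    printf '%s\n' "$2" |
        awk -v ifc="$1:" '$2 == ifc { gsub(/[<>]/, "", $3); print $3 }'
}

# bound_addrs IFACE ADDR_TEXT: print "family address" pairs bound to IFACE.
bound_addrs() {
    printf '%s\n' "$2" |
        awk -v ifc="$1" '$2 == ifc && $3 ~ /^inet6?$/ {
            printf "%s%s %s", sep, $3, $4; sep = ", " }'
}

# has_flag FLAG FLAGLIST: succeed if FLAG is one of the comma-separated flags.
has_flag() {
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# audit_sniff_iface IFACE LINK_TEXT ADDR_TEXT
# Prints one finding per line; returns 0 only if IFACE is up, has no IPv4 or
# IPv6 address, and has ARP disabled.
audit_sniff_iface() {
    ifc=$1
    problems=0
    flags=$(link_flags "$ifc" "$2")
    if [ -z "$flags" ]; then
        echo "FAIL $ifc: interface not found"
        return 1
    fi
    has_flag UP "$flags" || {
        echo "FAIL $ifc: link is down, nothing will be captured"; problems=1; }
    addrs=$(bound_addrs "$ifc" "$3")
    if [ -n "$addrs" ]; then
        echo "FAIL $ifc: addresses bound ($addrs)"
        problems=1
    fi
    # By default Linux answers ARP on any interface for addresses held by
    # other interfaces, so an unnumbered link can still reply unless ARP is off.
    has_flag NOARP "$flags" || {
        echo "FAIL $ifc: ARP enabled, run: ip link set dev $ifc arp off"; problems=1; }
    [ "$problems" -eq 0 ] && echo "OK $ifc: up, unnumbered, ARP off"
    return "$problems"
}

# Demo over the constructed samples.
for i in eth1 eth2 eth3; do
    audit_sniff_iface "$i" "$SAMPLE_LINKS" "$SAMPLE_ADDRS" || true
done
```

On a live sensor, pass `"$(ip -o link show)"` and `"$(ip -o addr show)"` in place of the samples. A software check like this does not replace the receive-only cabling Bob describes in Message 2.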