Snort mailing list archives

Re: Snort PCAP FRAMES Query


From: Seth Art <sethsec () gmail com>
Date: Fri, 30 Apr 2010 12:20:41 -0400

The PCAP_FRAMES message is benign in your case. It is just reminding
you that you are not using an "enhanced" pcap, like the one from Phil Wood:
http://public.lanl.gov/cpw/

Secondly, the 128-4 message means: Generator: 128, Signature: 4.
Generator 1 is the text based rules, Gen 3 are the shared object
rules, and the rest are mostly preprocessor rules (i.e., http_inspect,
frag, telnet, etc.)

Looks like you are generating sigs, just not any text based Gen 1 sigs
yet.  Try going to www.testmyids.com to see if that triggers a sig.

-Seth

On Fri, Apr 30, 2010 at 12:01 PM, Michael Sloan <sloan () caps fsu edu> wrote:
I'm still having fits with my Snort/Barnyard2/BASE/mySQL installation
under SUSE Linux Enterprise 11, and decided to recompile Snort with
--with-mysql --with-mysql-libraries=/usr/lib/mysql
--with-mysql-includes=/usr/include/mysql to see if possibly some of my issues
might go away -

Things like only seeing SSH Protocol Mismatch as the only reported error
(I cleared the records in BASE before starting with the newly compiled
snort binary) and links to information at snortid.com not even being in
the format used at that site. I see an entry of the form 128-4, whereas
snortid.com uses a X:YYYY format.

Using Snort 2.8.5.3, BASE-1.4.5, and Barnyard2-1.8...

What I noticed in the logs when I started snort is "Not using PCAP
FRAMES". Would this account for why attempting to drill down and look at
the packet information displayed an error? If so, where is this enabled?

I start snort with the following command line:

/usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -d -D -u snort

My output line in snort.conf is:

output unified2: filename snort.log, limit 128

And my barnyard2.conf output line is:
output database: alert, mysql, user=snort password=WildlySecretPassword
dbname=snort host=localhost

mySQL seems to be set up correctly, with 16+ tables in the snort
database and the user snort@localhost being able to authenticate to the
database.

I'm not sure where to go next in dealing with these problems. Any
suggestions or recommendations would be greatly appreciated.

--
Michael Sloan
Systems Administrator
FSU Center for Advanced Power Systems
sloan () caps fsu edu

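As an added example (not code from this thread or from the Snort/Barnyard2 projects), the following Python walks the unified2 records that Barnyard2 reads from snort.log and renders each alert's generator:sid:rev id in the form snortid.com expects, labelling the generator family the way the reply above describes. It assumes the legacy 52-byte IPv4 IDS event record (type 7) in network byte order; the sample bytes are constructed, and sid 1000001 is a placeholder in the local-rule range.

```python
import struct

# Unified2 record header: type and length, both big-endian uint32.
RECORD_HDR = struct.Struct("!II")
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 IDS event record type (assumed)

# Legacy IPv4 IDS event body, 52 bytes; field order assumed from
# Snort's Unified2IDSEvent_legacy definition.
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
IDS_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
              "signature_id", "generator_id", "signature_revision",
              "classification_id", "priority_id", "ip_source", "ip_destination",
              "sport_itype", "dport_icode", "protocol", "impact_flag", "impact",
              "blocked")

def generator_kind(gid):
    """Rule family for a generator id, as explained in the thread."""
    if gid == 1:
        return "text rule"
    if gid == 3:
        return "shared object rule"
    return "preprocessor"

def parse_events(blob):
    """Return one dict per IDS event record; other record types
    (packets, extra data) are skipped using their length field."""
    events = []
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, rlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        body = blob[off:off + rlen]
        if len(body) < rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        if rtype == UNIFIED2_IDS_EVENT and rlen >= IDS_EVENT.size:
            ev = dict(zip(IDS_FIELDS, IDS_EVENT.unpack_from(body)))
            ev["sig"] = "%d:%d:%d" % (ev["generator_id"], ev["signature_id"],
                                      ev["signature_revision"])
            ev["kind"] = generator_kind(ev["generator_id"])
            events.append(ev)
        off += rlen
    return events

def _event(gid, sid, rev):
    """Constructed sample record: TCP 192.168.0.1:22 -> 192.168.0.2:51000."""
    body = IDS_EVENT.pack(1, 7, 1272643281, 0, sid, gid, rev, 0, 3,
                          0xC0A80001, 0xC0A80002, 22, 51000, 6, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# One preprocessor event (the 128-4 from the thread) and one text-rule event.
SAMPLE = _event(128, 4, 1) + _event(1, 1000001, 7)
```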

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
