Snort mailing list archives
Re: MySQL support for Snort 2.9.4
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 12 Dec 2012 09:10:55 -0500
On 12/11/2012 16:26, Kaya Saman wrote:
> I still get the flowbit errors as PP from above only enabled 24.
PP's flowbit resolving only goes one way... if a rule checks for a flowbit, PP will enable the rule(s) that set that flowbit... this fixes the "flowbit is checked but never set" warning... if a rule sets a flowbit and there are no rules to check it, PP will not enable those checking rules... snort will still alert that "flowbit is set but never checked"... this is something manual that you will have to handle by either turning off that rule or turning on at least one of those that checks that flowbit...
> In the log file I noticed that I got a bunch of "unknown message" entries so I don't know if that's got anything to do with it?
we'd have to see a log snippet of what you are talking about...
> Using the -k none option as suggested previously I don't get any more 'Bad checksum' errors but I still don't get anything logged either?
how is snort connected to the traffic flow? thru a span port or a switch or hub?
> Previously when I used version 2.8.6 with the Emerging Threats ruleset even when run for a few seconds Base would just spike with occurrences, mainly for p2p icmp packets. Basically it's still not working :-(
yup, something's just not right yet... the biggest change between 2.8.6 and 2.9 is the use of the DAQ stuff... that and the removal of the database output stuff... however, there is something about this logging thing that is problematic... i see it quite often on new installations of our packaged environment... several times we've thought we've found the definitive answer to fix it but while it works for some, it doesn't for others... and then another fix will work for them but there are still more who are not getting logging... we're still looking at it in our stuff since we are including snort in our packaged environment and folks come to us for help with it... one day we will find it...
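To make the one-way flowbit resolution described in this reply concrete, here is an added example (not from the thread, PulledPork or Snort) that parses a small constructed rule set, enables setters of checked flowbits the way PP does, and then reports the two startup warnings; the rule text, sids and flowbit names are all made up for the illustration.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample rules (not from the thread). A leading '#' marks a
# disabled rule, the convention Snort rule files and PulledPork use.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"ex A set"; flowbits:set,ex.a; flowbits:noalert; sid:1000001;)
alert tcp any any -> any 80 (msg:"ex A check"; flowbits:isset,ex.a; sid:1000002;)
# alert tcp any any -> any 21 (msg:"ex B set"; flowbits:set,ex.b; flowbits:noalert; sid:1000003;)
alert tcp any any -> any 21 (msg:"ex B check"; flowbits:isset,ex.b; sid:1000004;)
alert tcp any any -> any 25 (msg:"ex C set"; flowbits:set,ex.c; flowbits:noalert; sid:1000005;)
# alert tcp any any -> any 25 (msg:"ex C check"; flowbits:isnotset,ex.c; sid:1000006;)
"""

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;,]+))?")
SID_RE = re.compile(r"sid\s*:\s*(\d+)")
SETTERS = {"set", "setx", "toggle"}      # operations that make a bit "set"
CHECKERS = {"isset", "isnotset"}         # operations that make a bit "checked"

def parse_rules(text: str) -> Dict[int, dict]:
    """Return {sid: {'enabled': bool, 'sets': set, 'checks': set}} per rule line."""
    rules: Dict[int, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        m = SID_RE.search(body)
        if not m:
            continue
        sets: Set[str] = set()
        checks: Set[str] = set()
        for op, names in FLOWBITS_RE.findall(body):
            # 'isset,a&b' and 'isset,a|b' name several bits; split on the operators
            for name in filter(None, (n.strip() for n in re.split(r"[&|]", names))):
                (sets if op in SETTERS else checks if op in CHECKERS else set()).add(name)
        rules[int(m.group(1))] = {"enabled": enabled, "sets": sets, "checks": checks}
    return rules

def resolve_one_way(rules: Dict[int, dict]) -> Set[int]:
    """PP-style resolution: enable disabled rules that SET a bit an enabled rule
    CHECKS, repeating until stable. Never enables checkers. Returns new sids."""
    newly: Set[int] = set()
    while True:
        wanted = set().union(*(r["checks"] for r in rules.values() if r["enabled"]))
        todo = [s for s, r in rules.items() if not r["enabled"] and r["sets"] & wanted]
        if not todo:
            return newly
        for sid in todo:
            rules[sid]["enabled"] = True
            newly.add(sid)

def flowbit_warnings(rules: Dict[int, dict]) -> Tuple[Set[str], Set[str]]:
    """(checked_but_never_set, set_but_never_checked) over enabled rules only,
    i.e. the two warnings snort prints at startup."""
    on = [r for r in rules.values() if r["enabled"]]
    all_set = set().union(*(r["sets"] for r in on))
    all_checked = set().union(*(r["checks"] for r in on))
    return all_checked - all_set, all_set - all_checked
```

Running `flowbit_warnings` before and after `resolve_one_way` on the sample shows the asymmetry: the "checked but never set" bit disappears once PP enables its setter, while the "set but never checked" bit stays until someone disables sid 1000005 or enables sid 1000006 by hand.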