Snort mailing list archives
A few pulledpork questions
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 13 Aug 2013 11:08:18 -0600
Hey all,

First...seeing this when I run PP:

Generating Stub Rules....
An error occurred: WARNING: threshold.conf(26) threshold (standalone) is deprecated; use event_filter instead.

which is:

threshold gen_id 138, sig_id 1000, type limit, track by_src, count 1, seconds 60

From the readme.thresholding:

THRESHOLD EXAMPLES:
------------------
# Rule Threshold - Limit to logging 1 event per 60 seconds
threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60

Why is the error occurring? What can I do to troubleshoot this?

Second... I've made a special snort.conf that has ALL rules, so I can get all the rules, but then enable/disable the ones I want within different configs. I have this in the config:

var PREPROC_RULE_PATH /opt/etc/snort/preproc_rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

Yet these rules have never updated in the preproc_rules dir:

-rw------- 1 18748 2011-09-07 14:47 decoder.rules
-rw------- 1 36577 2011-09-07 14:47 preprocessor.rules
-rw------- 1 1309 2011-09-07 14:47 sensitive-data.rules

in latest snort rules:

-rw-r--r-- 1 19685 2013-08-07 13:34 decoder.rules
-rw-r--r-- 1 41474 2013-08-07 13:34 preprocessor.rules
-rw-r--r-- 1 1309 2013-08-07 13:34 sensitive-data.rules

Why? What can I do to troubleshoot this?

Third... I'm running:

PulledPork v0.6.1 the Smoking Pig <////~

Yet, if I comment out in pulledpork.conf:

version=0.6.0

or change it to version=0.6.1 I get

You are not using the current version of pulledpork.conf! Please use the version that shipped with PulledPork v0.6.1 the Smoking Pig <////~!

Why must my pulledpork.conf have 0.6.0 as the version?

Finally... I see

Use of uninitialized value within %hcategory in numeric eq (==) at /opt/bin/pulledpork.pl line 1055.

What can I do to troubleshoot this?

Thank you for any help you can bring...sorry it's a long email.
James
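An added example, not from James's mail and not code from the PulledPork or Snort projects. The warning quoted above says the standalone threshold directive in threshold.conf is deprecated in favour of event_filter; the readme example quoted in the mail still uses the old keyword, which is why the line looks valid. In Snort 2.9 event_filter takes the same gen_id, sig_id, type, track, count and seconds arguments, so the migration is a keyword swap once the fields have been checked. The script below reads a threshold.conf, rewrites each standalone threshold line as an equivalent event_filter, leaves comments, suppress and existing event_filter lines untouched, and rejects malformed directives instead of silently dropping them so that no alert limit disappears during the conversion. The sample configuration embedded in it is constructed for the example; the function and variable names are my own.

```python
import re
import sys

# Deprecated standalone "threshold" directive. The argument list is the one
# event_filter accepts, so after validation the rewrite is a keyword swap.
THRESHOLD_RE = re.compile(
    r"^threshold\s+"
    r"gen_id\s+(?P<gid>\d+)\s*,\s*"
    r"sig_id\s+(?P<sid>\d+)\s*,\s*"
    r"type\s+(?P<type>\w+)\s*,\s*"
    r"track\s+(?P<track>\w+)\s*,\s*"
    r"count\s+(?P<count>\d+)\s*,\s*"
    r"seconds\s+(?P<seconds>\d+)$",
    re.IGNORECASE,
)

VALID_TYPES = {"limit", "threshold", "both"}
VALID_TRACKS = {"by_src", "by_dst"}

# Constructed threshold.conf for the example (not a real sensor's file).
SAMPLE_CONF = """\
# Rule Threshold - Limit to logging 1 event per 60 seconds
threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 1852
event_filter gen_id 1, sig_id 1853, type both, track by_dst, count 5, seconds 10
threshold gen_id 138, sig_id 1000, type limit, track by_src, count 1, seconds 60
"""


def convert_line(line):
    """Return (new_line, changed) for one threshold.conf line.

    Blank lines, comments and non-threshold directives (suppress,
    event_filter) pass through unchanged. A standalone threshold line is
    validated and rewritten as event_filter; a malformed one raises
    ValueError so the operator sees it rather than losing the filter.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, False
    if not stripped.lower().startswith("threshold"):
        return line, False
    m = THRESHOLD_RE.match(stripped)
    if m is None:
        raise ValueError(f"unparseable threshold directive: {stripped!r}")
    f = m.groupdict()
    if f["type"].lower() not in VALID_TYPES:
        raise ValueError(f"bad type {f['type']!r} in: {stripped!r}")
    if f["track"].lower() not in VALID_TRACKS:
        raise ValueError(f"bad track {f['track']!r} in: {stripped!r}")
    new = ("event_filter gen_id {gid}, sig_id {sid}, type {type}, "
           "track {track}, count {count}, seconds {seconds}").format(**f)
    return new, True


def convert_text(text):
    """Convert a whole file; return (converted_text, number_of_lines_changed)."""
    out = []
    changed = 0
    for line in text.splitlines():
        new, did = convert_line(line)
        out.append(new)
        changed += int(did)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    # Usage: python convert_threshold.py [threshold.conf] > threshold.conf.new
    # With no argument the constructed sample is converted instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = fh.read()
    else:
        source = SAMPLE_CONF
    result, n = convert_text(source)
    sys.stdout.write(result)
    sys.stderr.write(f"rewrote {n} standalone threshold line(s) as event_filter\n")
```

Run it against a copy of the file and diff the output before installing it: the only lines that should differ are the ones that began with threshold, and the count reported on stderr should match the number of such lines. Writing to a new file rather than in place keeps the original available if Snort rejects the result on the next restart.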