Snort mailing list archives
Re: @empty rules files
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 14 Nov 2013 05:46:13 -0500
On 11/14/2013 5:16 AM, anagha b wrote:
> I tried to log the snort response for icmp ping flood but I have to add the rule in local.rules file
>
> alert icmp any any -> any any (msg:"*ICMP test*"; classtype:bad-unknown; sid:10000016; rev:1;)
>
> barnyard giving following alert
>
> 11/14-15:22:01.905477 [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.036260 [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.037893 [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.189336 [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
>
> msg *icmp test* is not displayed.
this is because the sid-msg.map file is not updated with the sid, msg and other information... you have to update your sid-msg.map file...
> I checked rule files are empty like ddos.rules, badtraffic.rules. Is it okay to have empty rule files?
yes... it generally means there are no rules in that 'category'...
> I am not getting log inside snort.log when I am not specifying rule inside local.rules.
have you tried the steps outlined in the FAQ for "no alerts"?
> Or I have to specify my rules inside these empty files? But I can include my file in snort.conf by writing my own rules, then why to keep these empty files? Or the snort-snapshot for rules is not properly extracted?
we cannot tell from your description... yes, you can specify rules in the conf... but this is not a very good thing to do which is why other files are included via the conf... can you provide a dir listing of your rules directory so we can at least see what files you have with their sizes and dates?

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
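As an added illustration of what the reply above means by updating sid-msg.map (this is example code written for this page, not part of the thread and not code from Snort, barnyard2 or pulledpork): the script below pulls gid/sid/rev/msg out of the local.rules line quoted in the thread, renders it in the sid-msg.map v2 format that barnyard2 reads, and shows how the `[1:10000016:1]` in a barnyard2 alert line resolves to the rule's msg only once the map has an entry for that sid. The rule text and the alert line are taken from the thread; the default priority of 0 is an assumption (a real generator would look the classtype up in classification.config).

```python
import re

# Constructed sample input: the local.rules line quoted in the thread above.
LOCAL_RULES = '''
# local.rules (constructed sample)
alert icmp any any -> any any (msg:"*ICMP test*"; classtype:bad-unknown; sid:10000016; rev:1;)
'''

# Constructed sample: one of the barnyard2 lines from the thread, carrying the
# generic "Snort Alert [gid:sid:rev]" text barnyard2 prints when sid-msg.map
# has no entry for the sid.
ALERT_LINE = "11/14-15:22:01.905477 [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]"

# Rule header: action, protocol, addresses; the options follow in (...).
# Non-greedy .*? so the options group starts at the first '(' of the line.
RULE_RE = re.compile(
    r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\S+.*?\((?P<opts>.*)\)\s*$')
# One option: keyword, ':', quoted or bare value, ';'. Keywords without a
# value (e.g. "nocase;") are not needed for sid-msg.map and are skipped.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
ALERT_ID_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]')


def parse_rules(text):
    """Return a list of dicts (gid, sid, rev, msg, classtype, priority, refs)
    for every rule in the text that carries a sid option."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                       # comment, blank line, or not a rule
        opts, refs = {}, []
        for key, val in OPT_RE.findall(m.group('opts')):
            val = val.strip().strip('"')
            if key == 'reference':
                refs.append(val)           # may repeat; keep all of them
            else:
                opts[key] = val
        if 'sid' not in opts:
            continue
        rules.append({
            'gid': int(opts.get('gid', 1)),   # text rules default to gid 1
            'sid': int(opts['sid']),
            'rev': int(opts.get('rev', 0)),
            'msg': opts.get('msg', ''),
            'classtype': opts.get('classtype', ''),
            # Assumption: priority from the rule if present, else 0. A real
            # generator would look the classtype up in classification.config.
            'priority': opts.get('priority', '0'),
            'refs': refs,
        })
    return rules


def sid_msg_map_lines(rules):
    """Render rules in the sid-msg.map v2 format barnyard2 reads:
    gid || sid || rev || classification || priority || msg || ref || ref ..."""
    lines = ['#v2']
    for r in rules:
        fields = [str(r['gid']), str(r['sid']), str(r['rev']),
                  r['classtype'], str(r['priority']), r['msg']] + r['refs']
        lines.append(' || '.join(fields))
    return lines


def resolve_alert(line, rules):
    """Look the [gid:sid:rev] of a barnyard2 alert line up the way the
    sid-msg.map lookup does. Returns (resolved, msg); an unresolved sid gets
    the generic 'Snort Alert [gid:sid:rev]' text seen in the thread."""
    m = ALERT_ID_RE.search(line)
    if not m:
        return (False, '')
    gid, sid, rev = (int(x) for x in m.groups())
    by_id = {(r['gid'], r['sid']): r for r in rules}
    rule = by_id.get((gid, sid))
    if rule is None:
        return (False, f'Snort Alert [{gid}:{sid}:{rev}]')
    return (True, rule['msg'])


if __name__ == '__main__':
    rules = parse_rules(LOCAL_RULES)
    print('\n'.join(sid_msg_map_lines(rules)))
    print('before map update:', resolve_alert(ALERT_LINE, []))
    print('after map update: ', resolve_alert(ALERT_LINE, rules))
```

The point the script makes is the one in the reply: barnyard2 never reads local.rules, it only reads sid-msg.map, so a rule added to local.rules shows its msg in barnyard2 output only after the map has been regenerated (and barnyard2 restarted or signalled to reload it).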
Current thread:
- @empty rules files anagha b (Nov 14)
- Re: @empty rules files waldo kitty (Nov 14)
- <Possible follow-ups>
- @empty rules files anagha b (Nov 17)