Snort mailing list archives

Re: @empty rules files


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 14 Nov 2013 05:46:13 -0500

On 11/14/2013 5:16 AM, anagha b wrote:
> I tried to log the snort response for icmp ping flood but I have to add the rule in
> local.rules file
>
> alert icmp any any -> any any (msg:"*ICMP test*"; classtype:bad-unknown;
> sid:10000016; rev:1;)
>
> barnyard giving following alert
>
> 11/14-15:22:01.905477  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.036260  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.037893  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.189336  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
>
> msg *ICMP test* is not displayed.

this is because the sid-msg.map file is not updated with the sid, msg and other 
information... you have to update your sid-msg.map file...

> I checked rule files are empty like ddos.rules, badtraffic.rules
>
> Is it okay to have empty rule files?

yes... it generally means there are no rules in that 'category'...

> I am not getting log inside snort.log
> when I am not specifying rule inside local.rules.

have you tried the steps outlined in the FAQ for "no alerts"?

> Or I have to specify my rules inside these empty files? But I can include my
> file in snort.conf by writing my own rules, then why keep these empty files?
> Or the snort-snapshot for rules is not properly extracted?

we cannot tell from your description... yes, you can specify rules in the 
conf... but this is not a very good thing to do which is why other files are 
included via the conf... can you provide a dir listing of your rules directory 
so we can at least see what files you have with their sizes and dates?


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
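The reply above points at the cause of the nameless "Snort Alert [1:10000016:1]" lines: barnyard2 looks the sid up in sid-msg.map, and a rule added only to local.rules has no entry there. The following script is an added example, not code from the thread or from the Snort or barnyard2 projects. It extracts sid, msg and reference options from rule lines and renders them in the classic sid-msg.map layout (`sid || msg || ref || ref`). The rule file content is a constructed sample built around the ICMP rule quoted in the thread, and the option parsing assumes the common one-line rule form with options in parentheses, which is what local.rules normally contains.

```python
import re
import sys

# Constructed sample local.rules content, modelled on the rule quoted in the
# thread plus one rule with a reference and one commented-out rule.
SAMPLE_RULES = '''\
# local.rules (constructed sample)
alert icmp any any -> any any (msg:"*ICMP test*"; classtype:bad-unknown; sid:10000016; rev:1;)
alert tcp any any -> any 22 (msg:"LOCAL SSH to server"; reference:url,example.invalid/ssh; sid:10000017; rev:2;)
# alert udp any any -> any 53 (msg:"disabled rule"; sid:10000018; rev:1;)
'''

# A rule line: action, header, then the option block in parentheses.
RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s+\S+.*?\((.*)\)\s*$')
# One option: key:value; where value may be a quoted string containing ';'.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rules(text):
    """Return a list of {sid, msg, refs} dicts for every active rule line.

    Comment lines and lines without a sid or msg are skipped, because
    barnyard2 cannot map them to a message anyway.
    """
    entries = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comment, blank line, or not a rule
        opts = {}
        refs = []
        for key, val in OPT_RE.findall(m.group(2)):
            val = val.strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
            if key == 'reference':
                refs.append(val)  # a rule may carry several references
            else:
                opts[key] = val
        if 'sid' not in opts or 'msg' not in opts:
            continue
        entries.append({'sid': int(opts['sid']), 'msg': opts['msg'], 'refs': refs})
    return entries


def sid_msg_map(entries):
    """Render entries in the classic sid-msg.map layout: sid || msg || ref || ref."""
    lines = []
    for e in sorted(entries, key=lambda e: e['sid']):
        lines.append(' || '.join([str(e['sid']), e['msg']] + e['refs']))
    return '\n'.join(lines) + '\n'


def build_map_file(rules_path, map_path):
    """Read a rules file and write the generated map; returns entry count."""
    with open(rules_path) as fh:
        entries = parse_rules(fh.read())
    with open(map_path, 'w') as out:
        out.write(sid_msg_map(entries))
    return len(entries)


if __name__ == '__main__':
    # With no arguments, show what the constructed sample produces.
    if len(sys.argv) == 3:
        print('%d entries written' % build_map_file(sys.argv[1], sys.argv[2]))
    else:
        sys.stdout.write(sid_msg_map(parse_rules(SAMPLE_RULES)))
```

Running it with a rules file and an output path writes a map containing only the local rules; in practice the generated lines are appended to the sid-msg.map that ships with the official ruleset rather than replacing it, and barnyard2 reads the map when it starts, so it has to be restarted after the file changes before the msg text appears in its output.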
