Snort mailing list archives

Re: Snort won't generate alerts with single snort.rules file


From: Michael Wisniewski <wiz561 () gmail com>
Date: Thu, 6 Mar 2014 15:41:34 -0600

On Thu, Mar 6, 2014 at 8:23 AM, Anacleto Junior
<suporte.anacleto () gmail com>wrote:

2014-02-28 16:22 GMT-03:00 SnortFan <SnortFan () yahoo com>:
I got some errors like:
WARNING: /etc/snort/rules/snort.rules(15678) GID 1 SID 24017 in rule
duplicates previous rule. Ignoring old rule.


I've read that this is normal and not to worry about it.


But it moves on...

4539 Snort rules read (so I assume it is reading the
    4208 detection rules
    0 decoder rules
    4 preprocessor rules
4212 Option Chains linked into 185 Chain Headers
0 Dynamic rules


So I kind of went through some problems with alerts not alerting.  For me, it
turned out to be me not setting the HOME_VAR up correctly.  I would
recommend using "ANY" and see what happens.  The other idea is what you
said above...  "0 decoder rules".  I'll preface this with I'm not a snort
expert and still learning how it works.  I'm wondering if nothing is
getting alerted because snort can't decode something.  Here's what my
startup looked like...

23697 Snort rules read
    20131 detection rules
    150 decoder rules
    268 preprocessor rules
20549 Option Chains linked into 1136 Chain Headers
0 Dynamic rules

As you can see, I have 150 decoder rules.

Also, for reference, you can see what my startup looks like here...

http://pastebin.com/ZGpEMj7t


Hopefully you can figure it out.
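Added illustration, not part of any post in this thread: a small Python model of how a rule header such as `$EXTERNAL_NET any -> $HOME_NET any` resolves the HOME_NET / EXTERNAL_NET variables. It shows why a HOME_NET that does not cover the monitored LAN leaves such rules silent, and why setting both variables to any (the workaround suggested above) makes them fire again. The address-syntax subset, the sample packet and the variable values are constructed assumptions, not Snort's own parser.

```python
import ipaddress

def parse_netvar(spec, variables):
    """Resolve a Snort-style address spec to (negated, networks).

    Covers the subset used in rule headers and snort.conf ipvar lines:
    'any', an IP or CIDR, a '$VAR' reference, a leading '!' negation and a
    bracketed list such as '[10.0.0.0/8,192.168.0.0/16]'.  networks is
    None for 'any'.  Simplified model of Snort's syntax, not its parser.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):                       # variable reference
        inner_neg, nets = parse_netvar(variables[spec[1:]], variables)
        negated = negated != inner_neg
    elif spec == "any":
        nets = None
    else:
        items = spec[1:-1].split(",") if spec.startswith("[") else [spec]
        nets = [ipaddress.ip_network(i.strip(), strict=False) for i in items]
    if nets is None and negated:
        raise ValueError("!any is not allowed")    # Snort rejects this as well
    return negated, nets

def addr_matches(spec, variables, ip):
    """True when ip satisfies spec after variable expansion and negation."""
    negated, nets = parse_netvar(spec, variables)
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def header_matches(src_spec, dst_spec, variables, src_ip, dst_ip):
    """Would a rule header '<src_spec> any -> <dst_spec> any' see this packet?"""
    return (addr_matches(src_spec, variables, src_ip)
            and addr_matches(dst_spec, variables, dst_ip))

# Constructed sample: an internet host talking to a host on the monitored
# 10.0.0.0/8 LAN, checked against the header most stock rules use.
PACKET = ("203.0.113.9", "10.1.2.3")
RULE = ("$EXTERNAL_NET", "$HOME_NET")

def would_alert(home_net, external_net="!$HOME_NET"):
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}
    return header_matches(*RULE, variables, *PACKET)

if __name__ == "__main__":
    print(would_alert("192.168.1.0/24"))   # False: the LAN is outside HOME_NET
    print(would_alert("10.0.0.0/8"))       # True: HOME_NET set correctly
    print(would_alert("any", "any"))       # True: the "use any" workaround
```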
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
