Snort mailing list archives
Re: Does multiple configs works with snort 2.9.7.5?
From: "C. L. Martinez" <carlopmart () gmail com>
Date: Tue, 1 Sep 2015 13:41:16 +0000
On Tue, Sep 1, 2015 at 1:37 PM, Russ <rucombs () cisco com> wrote:
> On 9/1/15 8:56 AM, C. L. Martinez wrote:
>> On Mon, Aug 31, 2015 at 9:50 AM, C.L. Martinez <carlopmart () gmail com> wrote:
>>> On 08/31/2015 09:11 AM, waldo kitty wrote:
>>>> On 08/30/2015 11:02 AM, C.L. Martinez wrote:
>>>>> Hi all,
>>>>>
>>>>> Is there some problem/bug with multiple configs in snort 2.9.7.5?? I have updated one of my sensors to this release and multiple configs don't work ... It always uses the first config file defined in the config binding section.
>>>>
>>>> https://www.snort.org/faq/how-do-i-ask-a-good-question-on-the-snort-list
>>>>
>>>> you have given us nothing to work with... we can't even make a start at WAGs...
>>>
>>> Ok, I have attached all config files involved plus the output of "snort -c snort.conf -T". As you can see in the output, I have defined a different logdir for both configs, but snort output only "sees" the default value "/var/log/snort" ... For bpf_filter options it is the same. I need to define different bpf filters for both configs, but the bpf_filter option is not read by snort.
>
> logdir is not configurable by policy (same for most config options). Check here: http://manual.snort.org/node25.html#SECTION003102100000000000000

Then the only options configurable in multiple configs (apart from defining rules and vars) are these:

config checksum_drop
config disable_decode_alerts
config disable_decode_drops
config disable_ipopt_alerts
config disable_ipopt_drops
config disable_tcpopt_alerts
config disable_tcpopt_drops
config disable_tcpopt_experimental_alerts
config disable_tcpopt_experimental_drops
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_obsolete_drops
config disable_ttcp_alerts
config disable_tcpopt_ttcp_alerts
config disable_ttcp_drops

??

But if I remember well, in previous snort versions it was possible to configure logdir and bpf filter file for every multiple config ... Isn't it??
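A way to catch this class of silently ignored setting before deployment, as an added example that is not part of the original thread: the script below reads the `config binding:` lines of a main snort.conf and reports every `config` option in a bound policy file that is not in the per-policy list quoted in the message above. The file paths, the sample configs and the function names are constructed for illustration, and the allowlist is only the list from this thread.

```python
import re

# Per-policy options as listed in the thread; verify against your version's manual.
PER_POLICY = {
    "checksum_drop", "disable_decode_alerts", "disable_decode_drops",
    "disable_ipopt_alerts", "disable_ipopt_drops", "disable_tcpopt_alerts",
    "disable_tcpopt_drops", "disable_tcpopt_experimental_alerts",
    "disable_tcpopt_experimental_drops", "disable_tcpopt_obsolete_alerts",
    "disable_tcpopt_obsolete_drops", "disable_ttcp_alerts",
    "disable_tcpopt_ttcp_alerts", "disable_ttcp_drops",
}

CONFIG_RE = re.compile(r"^\s*config\s+([A-Za-z_]+)\s*:?\s*(.*)$")

def config_options(text):
    """Yield (lineno, option, value) for each 'config' directive, skipping comments."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]
        m = CONFIG_RE.match(line)
        if m:
            yield n, m.group(1), m.group(2).strip()

def bound_files(main_text):
    """Return the config paths named by 'config binding:' lines in the main config."""
    return [v.split()[0] for _, opt, v in config_options(main_text)
            if opt == "binding" and v]

def ignored_options(main_text, files):
    """Map each bound policy file to the global-only config options it tries to set."""
    report = {}
    for path in bound_files(main_text):
        bad = [(n, opt) for n, opt, _ in config_options(files.get(path, ""))
               if opt not in PER_POLICY]
        if bad:
            report[path] = bad
    return report

# Constructed sample configs (not the poster's attachments).
MAIN = """config logdir: /var/log/snort
config binding: /etc/snort/dmz.conf vlan 10
config binding: /etc/snort/lan.conf net 192.168.0.0/24
"""
FILES = {
    "/etc/snort/dmz.conf": "config logdir: /var/log/snort/dmz\n"
                           "config bpf_file: /etc/snort/dmz.bpf\nconfig checksum_drop: all\n",
    "/etc/snort/lan.conf": "config disable_decode_alerts\n# config logdir: /tmp\n",
}

for path, bad in ignored_options(MAIN, FILES).items():
    print(path, "sets global-only options (line, name):", bad)
```

In practice `files` would be filled by reading each bound path from disk; a non-empty report means those settings belong in the main snort.conf.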