RE: [Snort-users] Problems with Policy-Based Rules file

Kaplan, Andrew H., 11-04-2004

Hi Alex --

I ran the ps -ef |grep snort command syntax and it does appear the snort binary
is running with the -o option.

-----Original Message-----
From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher@bristol.ac.uk]
Sent: Thursday, November 04, 2004 4:02 AM
To: Kaplan, Andrew H.; Snort User Group (E-mail)
Subject: Re: [Snort-users] Problems with Policy-Based Rules file




--On 03 November 2004 14:16 -0500 "Kaplan, Andrew H."
<AHKAPLAN@PARTNERS.ORG> wrote:

> 1. Two servers with the addresses of 192.168.2.2 and 192.168.2.3 are
> sending requests via port 1985 to the 226.0.0.2:1985 multicast address
> via UDP. I added a section to the file that calls for a pass of said
> traffic from both servers via TCP and UDP. Even though I added it to the
> file, I am still getting a large amount of alerts from both machines.


[snip]

> The version of Snort that is being run is version 2.1.3, and the syntax
> used to run the program is /usr/sbin/snort -o -u snort -g snort -d -D -c
> /etc/snort/snort.conf -i eth0


That would appear to indicate that the '-o' ("pass first") option isn't
working. Use ps to verify that Snort is *really* running with the -o option.

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
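
The check the reply asks for, as an added shell example that is not part of the original thread: it walks a Snort argument list the way a getopt-style parser would and reports whether -o is really present as a switch. Treating only -u, -g, -c and -i (the options on the quoted command line) as value-taking is an assumption, as are a Linux /proc and pgrep for the live check.

```shell
#!/bin/sh
# Added example, not from the thread.
# Assumption: only the options seen on the quoted command line take a value.
VALUE_OPTS="ugci"

# has_pass_first ARGV...: succeed if -o appears as a switch, alone or inside
# a cluster such as -dDo, and not as the value of another option (-u -o).
has_pass_first() {
    skip=0
    for word in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $word in
            --)   return 1 ;;      # end of options
            --*)  continue ;;      # long option, never the -o switch
            -?*)  ;;               # short option or cluster: inspect below
            *)    continue ;;      # program name or plain operand
        esac
        letters=${word#-}
        while [ -n "$letters" ]; do
            c=${letters%"${letters#?}"}    # first letter of the cluster
            letters=${letters#?}
            if [ "$c" = o ]; then return 0; fi
            case $VALUE_OPTS in
                *"$c"*)
                    # Value is the rest of this word, or the next word.
                    if [ -z "$letters" ]; then skip=1; fi
                    break ;;
            esac
        done
    done
    return 1
}

# snort_missing_pass_first: print the PID of each running snort process whose
# argv lacks -o. Reads /proc/PID/cmdline (NUL-separated), so no grep process
# can match itself the way it does in "ps -ef | grep snort".
snort_missing_pass_first() {
    for pid in $(pgrep -x snort); do
        set --
        while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(tr '\0' '\n' < "/proc/$pid/cmdline")
EOF
        has_pass_first "$@" || echo "$pid"
    done
}

if [ "${1:-}" = "--live" ]; then snort_missing_pass_first; fi
```

Run with --live on the sensor; any PID printed is a Snort process started without -o.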


