Re: [Snort-users] help with rules - data capturing

From: Paul Melson <pmelson_at_nospam>
Date: Sun Dec 23 2007 - 21:05:49 GMT
To: "Timothy Ding" <iolabs@gmail.com>

On 12/21/07, Timothy Ding <iolabs@gmail.com> wrote:
> many thanks for the reply Paul, i still don't get any results from the rule,
> could it possibly be the version of snort (ver 2.3.3) that i am using?

Yes, I think it could. I second Joel's suggestion that you upgrade to Snort 2.8. I don't subscribe to the notion that you should automatically run the latest version of anything, but 2.8(.0.1) is a big improvement in performance and functionality from 2.7, let alone 2.3. And 2.3 is old enough that you are bound to run into problems with rules being published by Sourcefire or others.

If you are unable to upgrade from 2.3 for some reason, I recommend removing the flow: tag from my suggested rule as a first troubleshooting step.

PaulM

This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

This message: [ Message body ]
Next message: Rachmat Hidayat Al-Anshar: "[Snort-users] [HELP] snort stop processing on "Initializing rule chains" issue"
Previous message: Joel Esler: "[Snort-users] Fwd: [ASK] Silent Interface??"
In reply to: Timothy Ding: "Re: [Snort-users] help with rules - data capturing"
Next in thread: Timothy Ding: "Re: [Snort-users] help with rules - data capturing"
Reply: Timothy Ding: "Re: [Snort-users] help with rules - data capturing"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]