Re: Nothing written to snort logfiles

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Too be honest, I don't know anything about snort. :)  I just was looking
at another users snort.conf cause of the strange error he posted and saw
the coding problem via the source(AKA force).

--- James Sinnamon <jp...@we...> wrote:
> Mike,
> 
> Thanks for the information and the useful regexp. 
> 
> I can't quite work out what was happening yesterday.  I think I removed
> any  /^#.*\\$/ lines which were intermingled between one line with a 
> continuation character and its continuation line.
> 
> As I wrote on the snort-users list:
> 
> I have been able to reach first base by adding the following rule: 
> 
>     alert tcp any any -> any any (msg:"ANY PROBE any attempt";)
> 
> .... to /etc/snort/rules/experimental.rules, which is included in 
> /etc/snort/snort.conf.  
> 
> Of course this causes a flood of messages 
> and warnings, but at least I can see that Snort is responding to 
> attempted and actual connections made to my firewall computer 
> ports.  
> 
> Conversely, removing the above rule causes the flood of warnings  
> to diminish to practically nothing.
> 
> I am still not sure why the nmap probes referred to earlier 
> did not trigger any messages, but at least  I now have some
> ability to test cause and effect.
> 
> 
> 
> If, from now on, the presence of any /^#.*\\$/ lines causes a problem, 
> which I can reproduce I will open a bug report as you suggested.
> 
> Thanks for your help.
> 
> Best regards,
> 
> James
> 
> 
>  
> On Wed, 16 Jun 2004 04:36 am, Mike Mestnik wrote:
> > If you read the archives of June 14-15(just 2 days agoe) you will see
> that
> > we suspect any line in the form of /^#.*\\$/ to cause bad behaviour.
> > These comments are getting meesed up by the cuntinue operator '\'.
> >
> > What's worse is that these comment lines most likely contain valid
> code.
> > Thus the error is in a line much greater than the comment that caused
> the
> > error.
> >
> > This could be something that just sliped into the latesed release. 
> Try
> > running an older version and see if the problem persits, also get in
> touch
> > with the other person who had simular problems.  See if there is a
> Debian
> > bug repot, if not work with the other person too open one.
> >
> > --- James Sinnamon <jp...@we...> wrote:
> > > Dear Debian firewallers,
> > >
> > > I am not getting anything written to my log files.
> 
> <snip/>
> 
> 
> -- 
> James Sinnamon
> jps at westnet com auStralia
> ph +61 412 319669, +61 2 95692123, +61 2 95726357
> 

__________________________________
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
http://promotions.yahoo.com/new_mail