Subject: Re: [snort] Spurious ALERT msgs in syslog
From: Martin Roesch (roesch@hiverworld.com)
Date: Mon Mar 06 2000 - 16:01:39 CST
- Next message: Joey McAlerney: "Re: [snort] Can't get whisker scan to log"
- Previous message: Martin Roesch: "Re: [snort] Livelock with "nocase""
- Next in thread: Erich Meier: "Re: [snort] Spurious ALERT msgs in syslog"
- Reply: Erich Meier: "Re: [snort] Spurious ALERT msgs in syslog"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Erich Meier wrote:
>
> Feb 9 14:02:00 <SNORTHOST> snort[15126]: ALERT: W.X.Y.Z:1624 -> A.B.C.D:80
>
> This bug seems to be triggered by "session" keyword. When using rules like
> log tcp any any <> $INTERNAL 23 (session: all;)
> the packets are logged by the output plugins and reported as alerts as shown
> above. No session file is created, though.
>
> It seems that the syslog_alert output plugin and the log.c standard mechanism
> do not work together very well.
>
> Can anyone confirm this?
This is caused by the complete suckage that is the output plugin system
in 1.6-beta10.2. I've completely rewritten it and it'll work much
better now. Stay tuned for the beta 11 announcement coming later
today....
--
Martin Roesch <roesch@hiverworld.com>
Director of Forensic Systems
Hiverworld, Inc. - Enterprise Network Security
http://www.hiverworld.com
Network Forensics, Intrusion Detection and Risk Assessment
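The symptom Erich reports (matches for a plain `log` rule turning up as `ALERT:` lines in syslog, with no session file written) can be sanity-checked from the syslog side while waiting for a fixed build. The following is an added example and is not code from this thread or from Snort itself: it parses the syslog_alert line shape quoted above and a minimal rule-header grammar, then flags any ALERT line whose ports are covered only by a `log` rule. The `$INTERNAL` variable is taken from Erich's rule; the port-80 `alert` rule, the host name and the sample syslog lines are constructed for the example, and addresses are deliberately not compared because the report uses `W.X.Y.Z` placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape of the line the syslog_alert plugin wrote in Snort 1.6-beta10.2, copied
# from the quoted report: "snort[15126]: ALERT: W.X.Y.Z:1624 -> A.B.C.D:80".
ALERT_RE = re.compile(
    r"snort\[\d+\]:\s+ALERT:\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)

# Minimal rule-header grammar: action proto src sport dir dst dport [(options)].
# Options such as "session: all;" do not change which action the rule carries.
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


@dataclass
class Rule:
    action: str
    sport: str   # "any" or a single port number
    dport: str
    bidir: bool  # "<>" headers match either direction


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule header: {line}")
        rules.append(Rule(m["action"], m["sport"], m["dport"], m["dir"] == "<>"))
    return rules


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or spec == str(port)


def rule_covers(rule: Rule, sport: int, dport: int) -> bool:
    # Addresses are ignored on purpose (placeholders in the report); only the
    # port half of the header is compared, in both directions for "<>" rules.
    fwd = _port_ok(rule.sport, sport) and _port_ok(rule.dport, dport)
    rev = _port_ok(rule.sport, dport) and _port_ok(rule.dport, sport)
    return fwd or (rule.bidir and rev)


def classify_alert(line: str, rules: List[Rule]) -> Optional[str]:
    """None for non-ALERT lines; 'alert' when an alert rule covers the ports;
    'spurious' when only a log rule does; 'unknown' when no rule does."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    actions = {r.action for r in rules if rule_covers(r, sport, dport)}
    if "alert" in actions:
        return "alert"
    if "log" in actions:
        return "spurious"
    return "unknown"


def find_spurious_alerts(syslog: str, rules: List[Rule]) -> Tuple[List[str], List[str]]:
    """Split ALERT lines into (spurious, legitimate); other lines are dropped."""
    spurious, legitimate = [], []
    for line in syslog.splitlines():
        verdict = classify_alert(line, rules)
        if verdict == "spurious":
            spurious.append(line)
        elif verdict == "alert":
            legitimate.append(line)
    return spurious, legitimate


# Constructed sample input (not from the thread): Erich's log rule plus one
# hypothetical alert rule on port 80, so that exactly one ALERT line is legitimate.
SAMPLE_RULES = """
log tcp any any <> $INTERNAL 23 (session: all;)
alert tcp any any -> $INTERNAL 80 (msg:"hypothetical web alert";)
"""

SAMPLE_SYSLOG = """\
Feb  9 14:02:00 snorthost snort[15126]: ALERT: W.X.Y.Z:1624 -> A.B.C.D:80
Feb  9 14:02:07 snorthost snort[15126]: ALERT: W.X.Y.Z:1625 -> A.B.C.D:23
Feb  9 14:02:09 snorthost cron[4012]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    bad, good = find_spurious_alerts(SAMPLE_SYSLOG, parse_rules(SAMPLE_RULES))
    for line in bad:
        print("spurious ALERT (only a log rule matches):", line)
    print(f"{len(good)} legitimate, {len(bad)} spurious")
```

Only port matching is implemented here; a real check against a production rules file would also have to resolve `$INTERNAL` and compare addresses, and the verdict `unknown` (an ALERT no rule explains at all) deserves its own look, since it means either the rule set being checked is not the one the sensor loaded or the sensor is emitting alerts from somewhere other than the rule engine.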