From: Morgan R. Elmore (Morgan_at_SEEMAC.COM)
Date: Thu Jan 30 2003 - 17:20:29 CST

    Lars,
     
    It sounds to me like some bogus sensor information was placed into the db
    while your sensor was messed up. I'm assuming that you are using MySQL?
    I'm going off of the top of my head, so these commands might not be entirely
    accurate...
    Log into MySQL from a command prompt (DOS box):
        mysql -u (username) -p
        type in the password
        connect db (db=database name, should be snort or something like it)
        select * from sensor; (don't forget the semicolon at the end of the
    line)
        you should see 4 separate sensors....
        delete from sensor where sid=(the sid of the bogus sensor)
     
    After that, ACID should only show one sensor.

    -----Original Message-----
    From: Lars Borland [mailto:lborlandTriadAssoc.com]
    Sent: Thursday, January 30, 2003 5:22 PM
    To: snort-userslists.sourceforge.net
    Subject: [Snort-users] A Couple of Questions

    Hello everyone,
     
    I've been using Snort v1.9.0 on a Win2K (SP3) box for about a month and a
    half now and have recently moved Snort onto a slightly faster machine with
    more RAM. When I did this Win2K re-detected a bunch of things including a
    new/different NIC. Initially Snort wouldn't work but I reinstalled WinPCap
    and I'm back in business again. Since then, however, ACID shows 4 Sensors.
    I only have one NIC and have deleted whatever "hidden" adapters were listed
    in device manager. All my Alerts appear to be coming from Sensor #1. How
    do I get rid of the 3 other bogus sensors? I've looked pretty extensively
    online and through what documentation I could find but in most cases
    "sensors" is used interchangeably with an entire Snort machine, not just the
    NICs or instances of Snort you might have running. Anyway, if anyone knew
    how to straighten this out I'd appreciate the info. The 3 additional
    sensors don't appear to be hurting anything but I'd rather not have Snort
    listening attentively to 3 un-needed/unwanted dead-end connections.
     
    2nd question: does anyone know of any rules that listen for the death-throes
    of dying NICs? The initial reason I began looking into Snort was to see if
    I could cost-effectively shed light on some of the hidden stuff that occurs
    within the pipes of networks. In the past I've witnessed some nasty things
    happen due to a failing NIC spewing nonsense onto the network and I was
    wondering if it was possible to be alerted to such an event. I realize this
    isn't as much of an issue in a switched environment but I'd still like to
    know when something like this occurs. Is this something that's already
    covered in the current rulesets? If so I probably just need to set up
    "sensors" on a couple of other switches.
     
    Any help with this would be greatly appreciated. Thanks.
     
    Talk to you later, Lars.
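As an added worked example (not part of Morgan's reply or the Snort project's own code), the same clean-up written against the stock Snort 1.9 MySQL schema, with a check before the delete: the database output plugin inserts a new `sensor` row whenever the hostname/interface/filter combination changes, so a NIC swap leaves rows that no `event` row references. It assumes the database is named `snort` and that the surviving sensor is sid 1, as the original post describes; the sids 2, 3, 4 in the DELETE are constructed placeholders to be replaced with the ones step 1 shows with zero events.

```sql
-- Added example, not from the original post. Assumes the standard Snort 1.9
-- tables `sensor` and `event`, both keyed on `sid`, in a database called `snort`.
USE snort;

-- 1. List every sensor together with the number of events that reference it.
--    The live sensor (sid 1 in the original post) shows a growing count and a
--    non-zero last_cid; the rows left over from the NIC re-detection show 0.
SELECT s.sid, s.hostname, s.interface, s.filter, s.last_cid,
       COUNT(e.cid) AS events
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.interface, s.filter, s.last_cid
ORDER BY s.sid;

-- 2. Delete only the sensors that step 1 showed with no events, so that no
--    event row is left pointing at a sensor that no longer exists.
--    (2, 3, 4 are placeholder sids; use the ones from your own step 1 output.)
DELETE FROM sensor WHERE sid IN (2, 3, 4);

-- 3. Verify: exactly one row should remain, and ACID should show one sensor.
SELECT sid, hostname, interface, last_cid FROM sensor;
```

If step 1 shows events arriving under one of the newer sids instead, that is the sensor Snort now writes to (the interface name changed with the NIC), and the old sid is the one to retire once its events are no longer needed.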
