From: Lars Borland (lborland_at_TriadAssoc.com)
Date: Fri Jan 31 2003 - 12:37:47 CST


    Morgan,

    Thanks for the info, that did the trick! It also appears that ACID
    lists the sensors in reverse order from MySQL, i.e. Sensor 1 = Sensor 4,
    Sensor 2 = Sensor 3, and vice versa. What was showing up as coming from
    Sensor 1 (ACID) was actually coming from Sensor 4 (MySQL). Anyway, just
    thought I'd add that for anyone working with this in the future. I
    actually ended up deleting the wrong sensor/s initially but the right
    one got added back in automatically. So... I suppose I could've
    deleted them all and been fine anyways. I tested things afterwards and
    my remaining sensor works fine. :)

    Does anyone have an answer to my 2nd question?

    Has anyone written a rule for, or been able to use Snort to detect signs
    of a failing NIC? I don't know the terminology off-hand but a dying NIC
    may start to "yell" at the network, causing the surrounding NICs to
    spend a lot of time dropping packets not specifically destined for them
    (they still have to look at the packets to know to drop them). The NIC
    on the offending machine still appears to work somewhat but performance
    on the machine is very poor. Also, the surrounding network (whatever is
    in the same collision domain) will suffer. Incoming tech calls will be
    something like "Are things running kind of slow today?". I've dealt
    with this sort of thing in the past and have luckily come across the
    failing NIC by chance. I'd like to be able to pinpoint this sort of
    thing more easily using Snort if at all possible. Please let me know if
    you're aware of any such rule.

    Thanks again, Lars.

    -----Original Message-----
    From: Morgan R. Elmore
    Sent: Thursday, January 30, 2003 3:20 PM
    To: Lars Borland; snort-userslists.sourceforge.net
    Subject: RE: [Snort-users] A Couple of Questions

    Lars,

    It sounds to me like some bogus sensor information was placed into the
    db while your sensor was messed up. I'm assuming that you are using
    MySQL? I'm going off of the top of my head, so these commands might not
    be entirely accurate...
    Log into MySQL from a command prompt (DOS box):
        mysql -u (username) -p
        type in the password
        connect (db)    (db = database name, should be snort or something like it)
        select * from sensor;    (don't forget the semicolon at the end of the line)
        you should see 4 separate sensors....
        delete from sensor where sid=(the sid of the bogus sensor);

    After that, ACID should only show one sensor.

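As an added example, not part of the thread above, the following SQL shows a safer version of the clean-up Morgan describes: list each sensor row alongside the number of events that reference it, so the live sensor can be told apart from the bogus rows before anything is deleted (Lars notes he initially deleted the wrong sensor). It assumes the standard Snort database schema with a `sensor` table (sid, hostname, interface, filter, detail, encoding, last_cid) and an `event` table (sid, cid, signature, timestamp), a database named `snort`, and a MySQL version that supports subqueries; all of these are assumptions, not facts from the thread.

```sql
-- Added example, not from the mailing-list thread. Assumes the standard
-- Snort DB schema (`sensor` and `event` tables) and a database named `snort`.
USE snort;

-- 1. Show every sensor row together with how many events point at it and
--    when the last one arrived. A row created while the sensor was
--    misconfigured typically has zero (or very few) events; the live sensor
--    is the one still accumulating events with a recent timestamp.
SELECT s.sid, s.hostname, s.interface, s.last_cid,
       COUNT(e.cid)     AS event_count,
       MAX(e.timestamp) AS last_event
FROM sensor AS s
LEFT JOIN event AS e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.interface, s.last_cid
ORDER BY s.sid;

-- 2. Delete only sensor rows that no event references. A sensor that still
--    has events cannot be removed by this statement, which guards against
--    deleting the working sensor by mistake. Requires subquery support.
DELETE FROM sensor
WHERE sid NOT IN (SELECT DISTINCT sid FROM event);

-- 3. If a bogus row identified in step 1 does carry stray events, remove
--    those first and then the sensor row. The SID 3 below is a placeholder;
--    substitute the SID you confirmed in step 1.
-- DELETE FROM event  WHERE sid = 3;
-- DELETE FROM sensor WHERE sid = 3;
```

Run step 1 first and compare the SIDs it reports with what ACID displays, since the thread notes that ACID's sensor numbering did not match the `sid` values in MySQL; only then run step 2 or 3 against the `sid` values from the database, never against the numbers shown in the ACID interface.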