mbrichetto

Upgraded IDS System Weird Alerts

6 posts in this topic

Last week I updated my version of WinSnort to Snort 2.9.7.6. I followed the tutorial and everything seems to be going just fine except for the type of traffic I am seeing. My WinSnort setup is running on a Windows 8.1 machine, using the Apache and MySQL tutorial from when it was originally created. I am not seeing the alerts in the WINIDS browser I usually would see. I attached a screenshot of some of the traffic that keeps displaying. This screenshot is just an example of the type of traffic I am seeing. I don't know if this has anything to do with the latest rule set? I am also using PulledPork for updates. I noticed you posted in the forums that a lot of the companion programs were updated, which I didn't re-download when I updated my WinSnort install because it was before your post. With all of these moving components I'm not really sure what I messed up.

Alerts for Snort.JPG


It appears you may only be seeing events from the preprocessors and not the rules. Make SURE you tested the rules after updating, making SURE they were all read in. The number of rules will be in the output from the test.


I went ahead and started over by reusing my old winsnort folder.

I went through the steps again and I came across this error when testing the snort config file.


ids_whitelist_error.JPG

I went ahead and checked line 507 in my snort config file and below is the screenshot. Not sure how to proceed on this one.


line 507.JPG


You need to create the files in the folder. The tutorial had you create them on the initial install. If you deleted the rules folder then you removed the files.

Edited by Morpheus
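The two checks Morpheus describes above (confirm the rule count in the `snort -T` test output, and make sure the whitelist/blacklist files the reputation preprocessor points at actually exist in the rules folder) can be scripted. The following is an added example written for this thread, not code from WinSnort, Snort or PulledPork. It assumes a stock Snort 2.9 snort.conf layout where the reputation preprocessor references `$WHITE_LIST_PATH/white_list.rules` and `$BLACK_LIST_PATH/black_list.rules`, that the install directory used here (`/opt/snort/etc`) is a hypothetical stand-in for wherever snort.conf lives on the Windows box, and that the `snort -T -c snort.conf` summary lines look like the constructed sample below (the real output carries far more text around them):

```python
"""Sanity checks for a Snort 2.9.x rule load (added example, not from the thread)."""
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed excerpt of a Snort 2.9 snort.conf; the values are hypothetical.
SAMPLE_SNORT_CONF = """\
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/local.rules
"""

# Constructed excerpts of `snort -T -c snort.conf` output (approximate format).
SAMPLE_TEST_OUTPUT_OK = """\
Initializing rule chain...
3417 Snort rules read
    3417 detection rules
    0 decoder rules
    0 preprocessor rules
3417 Option Chains linked into 987 Chain Headers
Snort successfully validated the configuration!
"""
SAMPLE_TEST_OUTPUT_EMPTY = """\
Initializing rule chain...
0 Snort rules read
    0 detection rules
    0 decoder rules
    0 preprocessor rules
0 Option Chains linked into 0 Chain Headers
Snort successfully validated the configuration!
"""


def _join_continuations(text: str) -> List[str]:
    """Fold lines ending in a backslash into one logical line, as Snort's parser does."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())
    return logical


def _variables(lines: List[str]) -> Dict[str, str]:
    """Collect var/ipvar/portvar definitions so $NAME references can be expanded."""
    found = {}
    for line in lines:
        m = re.match(r"(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def _expand(value: str, variables: Dict[str, str]) -> str:
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def reputation_list_paths(conf_text: str, conf_dir: str) -> Dict[str, str]:
    """Return the resolved whitelist/blacklist paths named by the reputation preprocessor."""
    lines = _join_continuations(conf_text)
    variables = _variables(lines)
    paths = {}
    for line in lines:
        if not line.startswith("preprocessor reputation"):
            continue
        for key in ("whitelist", "blacklist"):
            # `priority whitelist,` is skipped because a comma, not a path, follows it.
            m = re.search(r"\b%s\s+([^,\s]+)" % key, line)
            if m:
                paths[key] = os.path.normpath(os.path.join(conf_dir, _expand(m.group(1), variables)))
    return paths


def missing_reputation_files(conf_text: str, conf_dir: str,
                             exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str]]:
    """List (kind, path) pairs whose file is absent; each one makes `snort -T` fail."""
    return [(k, p) for k, p in reputation_list_paths(conf_text, conf_dir).items() if not exists(p)]


def parse_rule_counts(output: str) -> Dict[str, int]:
    """Pull the rule-count summary out of the test-mode output."""
    counts = {}
    m = re.search(r"^\s*(\d+) Snort rules read", output, re.M)
    if m:
        counts["total"] = int(m.group(1))
    for kind in ("detection", "decoder", "preprocessor"):
        m = re.search(r"^\s*(\d+) %s rules" % kind, output, re.M)
        if m:
            counts[kind] = int(m.group(1))
    return counts


def diagnose(output: str) -> str:
    """Explain what the rule counts mean for the alerts you will see in the console."""
    counts = parse_rule_counts(output)
    if "total" not in counts:
        return "no rule summary found: snort -T did not get as far as loading rules"
    if counts.get("detection", 0) == 0:
        return "no detection rules loaded: only preprocessor events will appear in the console"
    return "ok: %d detection rules loaded" % counts["detection"]


if __name__ == "__main__":
    print(diagnose(SAMPLE_TEST_OUTPUT_OK))
    print(diagnose(SAMPLE_TEST_OUTPUT_EMPTY))
    print(missing_reputation_files(SAMPLE_SNORT_CONF, "/opt/snort/etc", exists=lambda p: False))
```

In practice you would feed `diagnose()` the captured text of `snort -T -c <path to snort.conf>` and `missing_reputation_files()` the real snort.conf and its directory; a zero in the detection line, with the preprocessor count unchanged, is exactly the "preprocessor events only" symptom from the first reply, and an empty `white_list.rules` or `black_list.rules` is enough to satisfy the reputation preprocessor until PulledPork populates them.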


I couldn't find in the original tutorial where you stated that, but I did just manually create two files named white_list.rules and black_list.rules. Then running the snort check seemed to do it. Is that good enough or do I need to run some type of command line? I also noticed I had a winids.rules in my old snort rules folder, but not in the new one.


I couldn't find in the original tutorial where you stated that, but I did just manually create two files named white_list.rules and black_list.rules. Then running the snort check seemed to do it. Is that good enough or do I need to run some type of command line? I also noticed I had a winids.rules in my old snort rules folder, but not in the new one.

The winids.rules file is associated with Pulledpork.
