mbrichetto, Posted November 2, 2015: Last week I updated my version of WinSnort to Snort 2.9.7.6. I followed the tutorial and everything seems to be going just fine except for the type of traffic I am seeing. My WinSnort setup is running on a Windows 8.1 machine, built from the Apache and MySQL tutorial when it was originally created. I am not seeing the alerts in the WINIDS browser I usually would see. I attached a screenshot of some of the traffic that keeps displaying. This screenshot is just an example of the type of traffic I am seeing. I don't know if this has anything to do with the latest rule set? I am also using PulledPork for updates. I noticed you posted in the forums that a lot of the companion programs were updated, which I didn't re-download when I updated my WinSnort install because it was before your post. With all of these moving components I'm not really sure what I messed up.
Morpheus, Posted November 2, 2015: It appears you may only be seeing events from the preprocessors and not the rules. Make SURE you tested the rules after updating, making SURE they were all read in. The number of rules will be in the output from the test.
mbrichetto, Posted November 16, 2015: I went ahead and started over by reusing my old winsnort folder. I went through the steps again and I came across this error when testing the snort config file. I went ahead and checked line 507 in my snort config file and below is the screenshot. Not sure how to proceed on this one.
Morpheus, Posted November 16, 2015 (edited): You need to create the files in the folder. The tutorial had you create them on the initial install. If you deleted the rules folder then you removed the files.
mbrichetto, Posted November 16, 2015: I couldn't find in the original tutorial where you stated that, but I did just manually create two files named white_list.rules and black_list.rules. Then running the snort check seemed to do it. Is that good enough or do I need to run some type of command line? I also noticed I had a winids.rules in my old snort rules folder, but not in the new one.
Morpheus, Posted November 16, 2015:
> I couldn't find in the original tutorial where you stated that, but I did just manually create two files named white_list.rules and black_list.rules. Then running the snort check seemed to do it. Is that good enough or do I need to run some type of command line? I also noticed I had a winids.rules in my old snort rules folder, but not in the new one.
The winids.rules file is associated with PulledPork.
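Two checks come up in this thread: confirming after an update that the rules were actually read in (the count printed by the `snort -T` config test), and spotting list files the reputation preprocessor references but that no longer exist in the rules folder (the white_list.rules / black_list.rules error). The script below is an added example, not code from the thread or from WinSnort; it walks a snort.conf for `var`, `include`, `whitelist` and `blacklist` references, reports which referenced files are missing, creates empty list files only for the reputation lists (an empty winids.rules would silently drop real rules, so includes are left alone), and parses the rule counts and validation verdict out of captured `snort -T` output. The snort.conf fragment, the paths and the test output are constructed for the example and assume the stock Snort 2.9.x layout.

```python
import re
import tempfile
from pathlib import Path

# Constructed snort.conf fragment (assumes the stock Snort 2.9.x layout;
# paths are made up and relative to the directory holding snort.conf).
SAMPLE_CONF = """\
var RULE_PATH rules
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/local.rules
include $RULE_PATH/winids.rules
"""

# Constructed excerpt of what 'snort -T -c snort.conf' prints on success.
SAMPLE_TEST_OUTPUT = """\
Initializing rule chains...
3154 Snort rules read
    3154 detection rules
    0 decoder rules
    0 preprocessor rules
3154 Option Chains linked into 1203 Chain Headers

Snort successfully validated the configuration!
Snort exiting
"""


def logical_lines(conf_text):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def parse_vars(conf_text):
    """Collect plain 'var NAME VALUE' definitions (ipvar/portvar are not paths)."""
    found = {}
    for _, line in logical_lines(conf_text):
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def expand(value, variables):
    """Substitute $NAME references; unknown names are left as written."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def referenced_files(conf_text):
    """Return [(line_no, kind, path)] for include/whitelist/blacklist references."""
    variables = parse_vars(conf_text)
    refs = []
    for no, line in logical_lines(conf_text):
        # 'priority whitelist,' has no path after it, so \s+ keeps it from matching
        for m in re.finditer(r"\b(include|whitelist|blacklist)\s+([^\s,]+)", line):
            refs.append((no, m.group(1), expand(m.group(2), variables)))
    return refs


def missing_files(conf_text, base_dir):
    """Referenced files that do not exist relative to base_dir (the etc folder)."""
    base = Path(base_dir)
    return [r for r in referenced_files(conf_text) if not (base / r[2]).exists()]


def create_empty_lists(missing, base_dir):
    """Create empty reputation list files only; rule includes are never faked."""
    created = []
    for _, kind, path in missing:
        if kind in ("whitelist", "blacklist"):
            target = Path(base_dir) / path
            target.parent.mkdir(parents=True, exist_ok=True)
            target.touch()
            created.append(path)
    return created


def parse_test_output(text):
    """Pull rule counts and the validation verdict out of 'snort -T' output."""
    result = {"rules_read": 0, "detection": 0, "validated": False}
    m = re.search(r"^(\d+) Snort rules read", text, re.M)
    if m:
        result["rules_read"] = int(m.group(1))
    m = re.search(r"^\s*(\d+) detection rules", text, re.M)
    if m:
        result["detection"] = int(m.group(1))
    result["validated"] = "successfully validated the configuration" in text
    return result


def demo():
    """Run both checks against the constructed samples in a scratch directory."""
    with tempfile.TemporaryDirectory() as etc_dir:
        before = missing_files(SAMPLE_CONF, etc_dir)
        created = create_empty_lists(before, etc_dir)
        after = missing_files(SAMPLE_CONF, etc_dir)
    return {"missing_before": [p for _, _, p in before],
            "created": created,
            "missing_after": [p for _, _, p in after],
            "test": parse_test_output(SAMPLE_TEST_OUTPUT)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Against a real install, point `missing_files` at the folder containing snort.conf and feed `parse_test_output` the captured output of `snort -T -c snort.conf`; a `rules_read` of 0 alongside a clean validation is exactly the "preprocessor events only" symptom described at the top of the thread.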