
List:       snort-users
Subject:    Re: [Snort-users] solving some warning
From:       "Joel Esler (jesler)" <jesler () cisco ! com>
Date:       2016-12-12 15:37:31
Message-ID: BDD86D9D-6357-4780-93C3-179F170316C5 () cisco ! com

Are you downloading and using the community ruleset + the registered/subscriber ruleset? This is what typically causes this. You have two copies of the same rule. This is totally fine. Snort will use the newest version of the rule by default.

So, for instance, if the community version (updated daily) is at rev:2;, and the registered version is at rev:1;, Snort will use the rev:2; of the version, and you will receive this version.

Check out this blog post:

http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html


--
Joel Esler | Talos: Manager | jesler@cisco.com<mailto:jesler@cisco.com>






On Dec 10, 2016, at 2:31 AM, Ikenna Chiadikaobi <reniykec@yahoo.com<mailto:reniykec@yahoo.com>> wrote:

Attached is a result of dataset analysis. There is a list of warnings; what's the way out of them:

Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.



WARNING: rules/malware-cnc.rules(3256) GID 1 SID 39574 in rule duplicates previous rule. Ignoring old rule.

WARNING: rules/malware-cnc.rules(3257) GID 1 SID 39573 in rule duplicates previous rule. Ignoring old rule.



Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
WARNING: flowbits key 'file.png' is checked but not ever set.
WARNING: flowbits key 'file.jar' is checked but not ever set.
WARNING: flowbits key 'file.realplayer.playlist' is set but not ever
<exam2.txt>

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net<mailto:Snort-users@lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
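The two behaviours discussed in this thread, duplicate GID:SID resolution by rev and the flowbits consistency warnings, can be reproduced offline before a restart. The script below is an added example written for this archive page; it is not Snort's code and not part of the original messages. It assumes one rule per line, `#` comments, flowbits written as `op,name[,group]` (with `&`/`|` for compound names), a default `gid` of 1 and a default `rev` of 1 when those options are absent, and that a later copy with an equal rev does not displace the earlier one. The two rule files are constructed samples that reuse the SIDs from the warnings in the thread, loaded registered-first so that the community rev:2 copy arrives second, as in the quoted output.

```python
"""Added example (not part of the thread): a rule-file linter that mimics
two of Snort's startup checks:
  1. duplicate GID:SID pairs across rule files, where the copy with the
     higher rev wins (community rev:2 beats registered rev:1), and
  2. flowbits keys that are checked but never set, or set but never
     checked, evaluated over the surviving rules only.
Assumptions: one rule per line, '#' comments, flowbits as 'op,name[,group]'
with '&'/'|' compound names, gid and rev default to 1, equal rev keeps the
earlier copy.
"""
import re

RE_SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
RE_GID = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
RE_REV = re.compile(r'\brev\s*:\s*(\d+)\s*;')
RE_FLOWBITS = re.compile(r'\bflowbits\s*:\s*([^;]+);')
SET_OPS = {'set', 'setx', 'toggle'}
CHECK_OPS = {'isset', 'isnotset'}


def _int_option(regex, text, default):
    m = regex.search(text)
    return int(m.group(1)) if m else default


def parse_rules(text, filename):
    """Return (filename, lineno, gid, sid, rev, flowbits) per active rule line;
    flowbits is a list of (op, key) pairs."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue                      # blank or commented-out rule
        m_sid = RE_SID.search(stripped)
        if not m_sid:
            continue                      # not a rule line (e.g. a var)
        flowbits = []
        for spec in RE_FLOWBITS.findall(stripped):
            parts = [p.strip() for p in spec.split(',')]
            if len(parts) == 1:           # noalert / reset carry no key
                continue
            for key in re.split(r'[&|]', parts[1]):
                flowbits.append((parts[0].lower(), key.strip()))
        rules.append((filename, lineno, _int_option(RE_GID, stripped, 1),
                      int(m_sid.group(1)), _int_option(RE_REV, stripped, 1),
                      flowbits))
    return rules


def resolve_duplicates(rules):
    """Keep one rule per (gid, sid); a later copy replaces an earlier one
    only when its rev is higher. Returns (winners, warnings)."""
    winners, warnings = {}, []
    for rule in rules:
        filename, lineno, gid, sid, rev, _ = rule
        key = (gid, sid)
        if key not in winners:
            winners[key] = rule
            continue
        if rev > winners[key][4]:
            verdict = 'Ignoring old rule.'
            winners[key] = rule
        else:
            verdict = 'Ignoring new rule.'
        warnings.append(f'WARNING: {filename}({lineno}) GID {gid} SID {sid} '
                        f'in rule duplicates previous rule. {verdict}')
    return winners, warnings


def check_flowbits(rules):
    """Report keys checked but never set, and set but never checked."""
    set_keys, checked_keys = set(), set()
    for *_, flowbits in rules:
        for op, key in flowbits:
            if op in SET_OPS:
                set_keys.add(key)
            elif op in CHECK_OPS:
                checked_keys.add(key)
    warnings = [f"WARNING: flowbits key '{k}' is checked but not ever set."
                for k in sorted(checked_keys - set_keys)]
    warnings += [f"WARNING: flowbits key '{k}' is set but not ever checked."
                 for k in sorted(set_keys - checked_keys)]
    return warnings


def lint(files):
    """files: list of (filename, text) in load order. Returns (winners, warnings)."""
    rules = []
    for filename, text in files:
        rules.extend(parse_rules(text, filename))
    winners, warnings = resolve_duplicates(rules)
    return winners, warnings + check_flowbits(winners.values())


# Constructed sample rule files (not real Talos rules); the SIDs are the two
# from the thread's warnings, loaded registered-first as in the quoted output.
REGISTERED = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC sample beacon"; '
    'flow:to_server,established; content:"/beacon"; http_uri; sid:39574; rev:1;)\n'
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC sample checkin"; '
    'flow:to_server,established; content:"/checkin"; http_uri; sid:39573; rev:1;)\n'
)
COMMUNITY = (
    '# community copy: same SIDs, one rev newer\n'
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC sample beacon"; '
    'flow:to_server,established; content:"/beacon"; http_uri; flowbits:set,file.png; sid:39574; rev:2;)\n'
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC sample checkin"; '
    'flow:to_server,established; content:"/checkin"; http_uri; flowbits:isset,file.jar; sid:39573; rev:2;)\n'
)

if __name__ == '__main__':
    winners, warnings = lint([('rules/registered.rules', REGISTERED),
                              ('rules/community.rules', COMMUNITY)])
    for w in warnings:
        print(w)
    for (gid, sid), (fn, ln, _, _, rev, _) in sorted(winners.items()):
        print(f'active: GID {gid} SID {sid} rev {rev} from {fn}:{ln}')
```

Run against the real `rules/` directory by replacing the constructed strings with file contents in the same order `snort.conf` includes them; the "Ignoring old rule" lines then confirm which copy is active, and the flowbits report shows which keys only become consistent once both rulesets are loaded together.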



