Lars,

It sounds to me like some bogus sensor information was placed into the db while your sensor was messed up. I'm assuming that you are using MySQL? I'm going off of the top of my head, so these commands might not be entirely accurate...

Log into MySQL from a command prompt (DOS box):

    mysql -u (username) -p

type in the password

    connect db

(db = database name, should be snort or something like it)

    select * from sensor;

(don't forget the semicolon at the end of the line) you should see 4 separate sensors....

    delete from sensor where sid=(the sid of the bogus sensor);

After that, ACID should only show one sensor.
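The same cleanup as a script, added here as an example and not part of either post: it first lists every sensor with the number of events that reference it, then deletes only sensors that own no events, so no alert rows are orphaned. It assumes the standard Snort/ACID MySQL schema (tables sensor and event joined on sid), a database named snort, and MySQL 4.0 or later for the multi-table DELETE.

```sql
-- Added example (not from the original posts). Assumes the standard
-- Snort/ACID schema: sensor(sid, hostname, interface, filter, detail,
-- encoding, last_cid) and event(sid, cid, signature, timestamp),
-- a database named "snort", and MySQL 4.0+ for multi-table DELETE.
USE snort;

-- 1. Inspect: every sensor row and how many events point at it.
--    Sensors created only by the NIC re-detection should show 0.
SELECT s.sid,
       s.hostname,
       s.interface,
       s.last_cid,
       COUNT(e.cid) AS event_count
FROM sensor AS s
LEFT JOIN event AS e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.interface, s.last_cid
ORDER BY s.sid;

-- 2. Remove only sensors with no events, never the one that has alerts.
--    The transaction only takes effect on InnoDB tables; on MyISAM the
--    DELETE is applied immediately, so check step 1 carefully first.
START TRANSACTION;

DELETE s
FROM sensor AS s
LEFT JOIN event AS e ON e.sid = s.sid
WHERE e.sid IS NULL      -- no event references this sensor
  AND s.sid <> 1;        -- keep the live sensor even if idle right now

-- Re-run the SELECT above; if exactly one sensor remains:
COMMIT;
-- otherwise undo the delete with: ROLLBACK;
```

Running the SELECT before and after the DELETE is the check that matters: a sensor row with a non-zero event_count is a real sensor (or a former one whose alerts you still want), not a bogus duplicate.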
Hello everyone,

I've been using Snort v1.9.0 on a Win2K (SP3) box for about a month and a half now and have recently moved Snort onto a slightly faster machine with more RAM. When I did this Win2K re-detected a bunch of things including a new/different NIC. Initially Snort wouldn't work but I reinstalled WinPCap and I'm back in business again. Since then, however, ACID shows 4 Sensors. I only have one NIC and have deleted whatever "hidden" adapters were listed in device manager. All my Alerts appear to be coming from Sensor #1. How do I get rid of the 3 other bogus sensors? I've looked pretty extensively online and through what documentation I could find, but in most cases "sensors" is used interchangeably with an entire Snort machine, not just the NICs or instances of Snort you might have running. Anyway, if anyone knew how to straighten this out I'd appreciate the info. The 3 additional sensors don't appear to be hurting anything, but I'd rather not have Snort listening attentively to 3 un-needed/unwanted dead-end connections.

2nd Question: does anyone know of any rules that listen for the death-throes of dying NICs? The initial reason I began looking into Snort was to see if I could cost-effectively shed light on some of the hidden stuff that occurs within the pipes of networks. In the past I've witnessed some nasty things happen due to a failing NIC spewing nonsense onto the network and I was wondering if it was possible to be alerted to such an event. I realize this isn't as much of an issue in a switched environment, but I'd still like to know when something like this occurs. Is this something that's already covered in the current rulesets? If so, I probably just need to set up "sensors" on a couple of other switches.

Any help with this would be greatly appreciated. Thanks.

Talk to you later,
Lars.