Snort mailing list archives
Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss)
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 09 Aug 2001 16:54:45 -0400
Could you try using the http_decode preprocessor instead of unidecode, that may be causing your problem (and they have approximately the same functionality at this point). Try it with that and let me know how it goes.

Oh, and put frag2 before everything else, your preprocessors are going to be run "out of order" otherwise (IOW, you probably want to do IP defragmentation before the others...)

-Marty

Jason Haar wrote:
Can someone check this out? I've had snort running fine under Linux-2.4.x for some time now, but now I'm running 1.8.1-beta5 I'm seeing the same thing.

Knowing CodeRed was out there, I checked my snort logs this morning to find that our Apache (:-) server had received ONE CodeRed hit. That didn't seem right so I checked its logs. SIX hits. As with Matthew, snort detected the first one, and missed the next five... Sounds too much of a coincidence, anyone else see this?

More info. Snort detected and reported other scans between the first and second CodeRed hits, so it was picking other things up...

Snort-1.8.1-beta5, with http://snort.sourceforge.net/snortrules.tar.gz rules downloaded yesterday (yup, 20+ hours before CodeRed hit). Could the rules themselves be at fault?

preprocessor stream4: detect_scans, keepstats, timeout 30, memcap 8388608
preprocessor stream4_reassemble: both, ports 21 23 25 53 80 3128 143 110 111 513
preprocessor unidecode: 80 3128 -unicode -cginull
preprocessor frag2

On Wed, Aug 01, 2001 at 12:05:20PM -0500, Chris Green wrote:

"Matthew Collins" <Matthew.Collins () northernregistrars co uk> writes:

I've got snort 1.7 running on a Linux 2.2.19 (Debian) system. The code red worm is starting to get going now, and I've noticed an oddity. I've got one alert for .ida attempt in my snort log

--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
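A small config checker for the two points Marty raises, added here as an example (it is not Snort code and not from either poster): it reads the preprocessor lines Jason quoted, flags frag2 not being first and the unidecode line, and rewrites the fragment with frag2 first and http_decode in place of unidecode. It assumes Snort 1.8 runs preprocessors in config-file order and that http_decode accepts the same port list and flags that unidecode did.

```python
"""Check Snort 1.8-era preprocessor ordering in a snort.conf fragment."""
import re

# Constructed sample: the preprocessor lines from Jason Haar's mail, in the
# order he had them (frag2 last, unidecode rather than http_decode).
SAMPLE_CONF = """\
preprocessor stream4: detect_scans, keepstats, timeout 30, memcap 8388608
preprocessor stream4_reassemble: both, ports 21 23 25 53 80 3128 143 110 111 513
preprocessor unidecode: 80 3128 -unicode -cginull
preprocessor frag2
"""

# "preprocessor <name>" optionally followed by ": <arguments>"
PREPROC_RE = re.compile(r"^\s*preprocessor\s+(\w+)\s*(?::\s*(.*))?$")


def preprocessor_order(conf_text):
    """Return preprocessor names in file order; non-preprocessor lines are skipped."""
    names = []
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def check_order(conf_text):
    """Return human-readable findings for the ordering issues discussed in the thread."""
    order = preprocessor_order(conf_text)
    findings = []
    if "frag2" in order and order.index("frag2") != 0:
        before = ", ".join(order[: order.index("frag2")])
        findings.append(f"frag2 runs after {before}; move it first so IP "
                        "defragmentation happens before the other preprocessors")
    if "unidecode" in order:
        findings.append("unidecode is configured; http_decode provides the "
                        "same functionality and is the recommended preprocessor")
    return findings


def reorder(conf_text):
    """Rewrite the fragment: frag2 first, unidecode renamed to http_decode (same args)."""
    lines = [l for l in conf_text.splitlines() if PREPROC_RE.match(l)]
    frag = [l for l in lines if PREPROC_RE.match(l).group(1) == "frag2"]
    rest = [l for l in lines if PREPROC_RE.match(l).group(1) != "frag2"]
    fixed = [re.sub(r"^(\s*preprocessor\s+)unidecode\b", r"\1http_decode", l)
             for l in frag + rest]
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for finding in check_order(SAMPLE_CONF):
        print("finding:", finding)
    print(reorder(SAMPLE_CONF))
```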
Current thread:
- Linux and packet loss Matthew Collins (Aug 01)
- Re: Linux and packet loss Chris Green (Aug 01)
- Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Dragos Ruiu (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Steve Williams (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss Jason Haar (Aug 02)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss Andreas Östling (Aug 02)
- Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Daniel Harrison (Aug 02)
- Re: Linux and packet loss Chris Green (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Martin Roesch (Aug 09)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 09)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Martin Roesch (Aug 09)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Martin Roesch (Aug 09)
- <Possible follow-ups>
- Re: Linux and packet loss Matthew Collins (Aug 02)
- Re: Linux and packet loss Jason Haar (Aug 02)
- Re: Linux and packet loss Martin Roesch (Aug 02)
- Re: Linux and packet loss Jason Haar (Aug 02)
- Re: Linux and packet loss Phil Wood (Aug 02)
- ACID and MySQL questions Jason Lewis (Aug 02)
- Re: ACID and MySQL questions meling (Aug 03)
- Re: Linux and packet loss Jason Haar (Aug 02)