Snort mailing list archives
Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss)
From: Daniel Harrison <danielh () loudcloud com>
Date: Thu, 02 Aug 2001 08:48:14 -0700
I am running version 1.8-RELEASE (Build 43) on linux kernel 2.2.19 and am not noticing this behavior. My snort logs and my apache logs agree on the same number.

-dan

Dragos Ruiu wrote:

Quick Isolation Q? Is everyone who is seeing this running under Linux?

--dr

On Wed, 01 Aug 2001, Jason Haar wrote:

Can someone check this out? I've had snort running fine under Linux-2.4.x for some time now, but now I'm running 1.8.1-beta5 I'm seeing the same thing.

Knowing CodeRed was out there, I checked my snort logs this morning to find that our Apache (:-) server had received ONE CodeRed hit. That didn't seem right so I checked its logs. SIX hits. As with Matthew, snort detected the first one, and missed the next five...

Sounds too much of a coincidence, anyone else see this?

More info. Snort detected and reported other scans between the first and second CodeRed hits, so it was picking other things up...

Snort-1.8.1-beta5, with http://snort.sourceforge.net/snortrules.tar.gz rules downloaded yesterday (yup, 20+ hours before CodeRed hit). Could the rules themselves be at fault?

preprocessor stream4: detect_scans, keepstats, timeout 30, memcap 8388608
preprocessor stream4_reassemble: both, ports 21 23 25 53 80 3128 143 110 111 513
preprocessor unidecode: 80 3128 -unicode -cginull
preprocessor frag2

On Wed, Aug 01, 2001 at 12:05:20PM -0500, Chris Green wrote:

"Matthew Collins" <Matthew.Collins () northernregistrars co uk> writes:

I've got snort 1.7 running on a Linux 2.2.19 (Debian) system. The code red worm is starting to get going now, and I've noticed an oddity. I've got one alert for .ida attempt in my snort log

--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
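The cross-check the posters describe (web server log hits versus Snort ".ida attempt" alerts) can be scripted per source address. This is an added example, not code from the thread or from the Snort project; the log lines are constructed samples in a simplified alert layout, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample data (not from the thread); documentation address ranges.
APACHE_LOG = """\
192.0.2.10 - - [01/Aug/2001:09:14:02 +1200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [01/Aug/2001:09:20:41 +1200] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Aug/2001:10:02:13 +1200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [01/Aug/2001:10:02:59 +1200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [01/Aug/2001:11:45:30 +1200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
"""
SNORT_ALERTS = """\
08/01-09:14:02.118332 [**] WEB-IIS ISAPI .ida attempt [**] {TCP} 192.0.2.10:3411 -> 192.0.2.80:80
08/01-09:30:00.000001 [**] SCAN Proxy attempt [**] {TCP} 192.0.2.99:4000 -> 192.0.2.80:3128
"""

# Common Log Format: client address first, request line in double quotes.
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')
# Alert message between the [**] markers, then the source address after {PROTO}.
SNORT_RE = re.compile(r'\[\*\*\] (.*?) \[\*\*\].*?\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? ->')

def apache_ida_hits(text):
    """Count requests whose path (query string stripped) ends in .ida, per client."""
    hits = Counter()
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m and m.group(2).split("?", 1)[0].lower().endswith(".ida"):
            hits[m.group(1)] += 1
    return hits

def snort_ida_alerts(text):
    """Count alerts whose message contains '.ida attempt', per source address."""
    alerts = Counter()
    for line in text.splitlines():
        m = SNORT_RE.search(line)
        if m and ".ida attempt" in m.group(1):
            alerts[m.group(2)] += 1
    return alerts

def missed_by_source(apache_text, snort_text):
    """Sources with more .ida requests in the web log than alerts in the IDS log."""
    web, ids = apache_ida_hits(apache_text), snort_ida_alerts(snort_text)
    return {src: n - ids[src] for src, n in web.items() if n > ids[src]}

if __name__ == "__main__":
    for src, gap in sorted(missed_by_source(APACHE_LOG, SNORT_ALERTS).items()):
        print(f"{src}: {gap} request(s) with no matching alert")
```

A non-empty result only shows that the two logs disagree; it does not say whether the cause is packet loss, the preprocessors, or the rules.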