Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet

[Dr SuSE <drsuse () drsuse org>]

I compared my snort logs to dragon reports in regard to code red worm alerts 
and the numbers matched.   This was on 1.8.1beta3 build 50

> I am running version 1.8-RELEASE (Build 43) running on linux kernel 2.2.19 
and am
> not noticing this behavior. My snort logs and my apache logs agree on the same
> number.
>
> -dan
>
> Dragos Ruiu wrote:
>
> > Quick Isolation Q?
> >
> > Is everyone who is seeing this running under Linux?
> >
> > --dr
> >
> > On Wed, 01 Aug 2001, Jason Haar wrote:
> > > Can someone check this out? I've had snort running fine under Linux-2.4.x
> > > for some time now, but now I'm running 1.8.1-beta5 I'm seeing the same 
thing.
> > > Knowing CodeRed was out there, I checked my snort logs this morning to 
find
> > > that our Apache (:-) server had received ONE CodeRed hit. That didn't seem
> > > right so I checked it's logs. SIX hits.
> > >
> > > As with Matthew, snort detected the first one, and missed the next five...
> > >
> > > Sounds too much of a coincidence, anyone else see this?
> > >
> > > More info. Snort detected and reported other scans between the first and
> > > second CodeRed hits, so it was picking other things up...
> > >
> > >
> > > Snort-1.8.1-beta5, with http://snort.sourceforge.net/snortrules.tar.gz 
rules
> > > downloaded yesterday (yup, 20+ hours before CodeRed hit). Could the rules
> > > themselves be at fault?
> > >
> > > preprocessor stream4: detect_scans, keepstats, timeout 30, memcap 8388608
> > > preprocessor stream4_reassemble: both, ports 21 23 25 53 80 3128 143 110 
111
> > > 513
> > > preprocessor unidecode: 80 3128 -unicode -cginull
> > > preprocessor frag2
> > >
> > >
> > >
> > >
> > > On Wed, Aug 01, 2001 at 12:05:20PM -0500, Chris Green wrote:
> > > > "Matthew Collins" <Matthew.Collins () northernregistrars co uk> writes:
> > > >
> > > > > I've got snort 1.7 running on a Linux 2.2.19 (Debian) system.
> > > > >
> > > > > The code red worm is starting to get going now, and I've noticed an
> > > > > oddity. I've got one alert for .ida attempt in my snort log
> > >
> > > --
> > > Cheers
> > >
> > > Jason Haar
> > >
> > > Unix/Special Projects, Trimble NZ
> > > Phone: +64 3 9635 377 Fax: +64 3 9635 417
>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


Score my PGP key @
http://www.drsuse.org/pks

---------------------------------------------
Microsoft ist nicht installiert.
http://www.drsuse.org/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users