Snort mailing list archives
RE: snort with 2 nics - collecting only UDP data
From: "Tinu Patel" <tinu.patel () insignis com>
Date: Tue, 27 Nov 2001 14:19:12 -0600
Thanks....hopefully this will help me out.....but the thing that is confusing me is that why would it still work fine with the external interface, but not the internal interface connected to the LAN? The configuration is exactly the same, only the IP addresses are different!

Tinu

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Tuesday, November 27, 2001 2:15 PM
To: Tinu Patel
Subject: RE: [Snort-users] snort with 2 nics - collecting only UDP data

Check your snort.conf file: look for these lines in the first half of the file (each has large comment blocks following it describing what they do):

preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull

Disable them by adding a # to the beginning of the line.

At 03:07 PM 11/27/2001, you wrote:

What is spp_stream4 and http_decode? How do I disable them?

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Tuesday, November 27, 2001 1:54 PM
To: Tinu Patel
Subject: RE: [Snort-users] snort with 2 nics - collecting only UDP data

Do you have spp_stream4 on? This does some stateful inspection and filters a lot of harmless garbage out, but it also means that unless the packets you are observing wind up with established connections they may not be processed by your log rule. If your desire is to log everything I'd disable all the spp_stream* preprocessors and the http_decode one. I'd also consider disabling the fragmentation processors.

Those suggestions aside, I'd try getting the system working with Snort's default logging first, then switch to acid/mysql. This will take mysql and acid setup problems out of the possible sources of your problem. Once it works with the default logging, if it stops working when you enable acid, it's likely an acid/mysql setup problem. Unfortunately I can't help you with those problems, I use the default logging and snortsnarf.

At 02:34 PM 11/27/2001, you wrote:

Thanks a lot for the feedback... I removed the extra "any" from the snort.conf file... and I am using log because I am entering data into a mysql database and using ACID as a front end. In my snort.conf file if I do :
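The step Matt describes above, commenting out the stream4, stream4_reassemble and http_decode preprocessor lines so that packets outside established TCP connections still reach the log rule, written out as a small shell helper. This is an added example, not code from the thread or from the Snort project: it works on a copy of snort.conf, leaves unrelated preprocessor lines (here the portscan one) untouched, and also covers frag2, which is an assumption standing in for the "fragmentation processors" mentioned but not named in the message. The snort.conf excerpt below is constructed for the example.

```shell
#!/bin/sh
# Added example: disable the Snort 1.8-era preprocessors that drop or
# reassemble traffic before a plain log rule sees it. Not from the thread.

# disable_preprocessors FILE
#   Writes FILE.nopre with the stream4, stream4_reassemble, http_decode and
#   frag2 (assumed name) preprocessor lines commented out with a leading "# ".
#   Other preprocessor lines are copied unchanged.
disable_preprocessors() {
  in="$1"
  out="$1.nopre"
  sed -E 's/^(preprocessor[[:space:]]+(stream4|stream4_reassemble|http_decode|frag2)([[:space:]:]|$).*)$/# \1/' \
    "$in" > "$out"
}

# count_active FILE
#   Prints how many preprocessor directives are still enabled in FILE.
count_active() {
  grep -c '^preprocessor' "$1" || true
}

# Constructed snort.conf excerpt (sample input, not a real deployment).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed snort.conf excerpt for the example
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor frag2
preprocessor portscan: $HOME_NET 4 3 portscan.log
EOF

disable_preprocessors "$SAMPLE"
echo "enabled before: $(count_active "$SAMPLE"), after: $(count_active "$SAMPLE.nopre")"
cat "$SAMPLE.nopre"
```

Run it against a copy of your own snort.conf, diff the `.nopre` output against the original, and point Snort at the edited file while testing the log rule with default logging, as the message suggests, before reintroducing the database output.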