Snort mailing list archives
Re: Snort is not seeing all traffic...
From: PJ-ML <p.jones.ml () xsb com>
Date: Fri, 09 May 2003 09:38:37 -0400
Thanks! Where would I get the book you referenced? Anyone?

I also wanted to point out that I have only one output, which is to MySQL. I have the preprocessors that are set by default... is one better than the others? As for the rule set, I am assuming that I need to tune that based on what I am concerned about? Binary mode logging? Not sure about that... If I log in binary mode, can snort still be effective? (Sorry if dumb question.)

Thanks for all the help so far in getting my snort to... well... snort.

~PJ

At 10:15 PM 5/8/2003, Joesph Bowling wrote:
Per the Snort book from the IDS SANS course, faster Snort performance (pg 167):

- Binary mode logging
- Reduced rule set
- Conservative settings for preprocessors
- Limited number of output plugins
- NO screen printing, NO ASCII logging

From: PJ-ML <p.jones.ml () xsb com>
To: Matt Kettler <mkettler () evi-inc com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort is not seeing all traffic...
Date: Thu, 08 May 2003 21:42:44 -0400

Thanks, VERY effective. I saw all the packets to the specific host... 10167 packets received by filter, 2037 packets dropped by kernel. So it is seeing traffic to those "servers" that I thought it could not see before.

With that said, I am thinking that either my IDS is too weak of a machine and it is dropping packets (at the wrong time) because it can not handle the load, OR I have my snort configured incorrectly (which would not surprise me). I had someone use "Retina" to scan the host... from port scan to http attacks, and I saw those packets scrolling in my term, as well as when I was just using CIS-5.0.02 on those same hosts. Not sure what I am doing incorrectly.

~PJ

At 11:23 PM 5/7/2003 -0400, PJ-ML wrote:

The ethernet link to hub and to other parts of the network are all 100. Could it be the speed of the server? I am lost in fog. Not sure where to go; I know that I must tune the server... but I do not know what to tune if it is not seeing even purposeful exploits... I will be more than happy to give any more info that anyone requires to help me figure this out, except for the root password to my machine ;-)

I'd first see if your snort box even has the packets sent to it, using the all-seeing tcpdump tool.

Run tcpdump -n -i (whatever interface) host (target of attack) and then re-run the attack... does tcpdump spit out packets?

As an example:

snortbox # tcpdump -n -i eth0 host 10.1.1.1
testbox # attack 10.1.1.1

snortbox should have packets from the attack dump to the screen.

Note that the only reason I added -n to the tcpdump command line is to prevent tcpdump from spending a long time trying to do reverse DNS lookups. If there's no DNS available, tcpdump can hold off printing packets to the screen for a shockingly long time.

-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
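An added helper, not from the thread, that runs the tcpdump check Matt describes and turns tcpdump's closing summary (the "received by filter / dropped by kernel" line PJ pasted) into a kernel drop percentage, so a sensor that cannot keep up shows up as a number rather than as missed alerts. It is POSIX sh; the parser handles both the one-line summary of 2003-era tcpdump and the multi-line form newer versions print, sniff_check assumes timeout(1) is installed, and the summary strings in the comments are constructed samples.

```sh
#!/bin/sh
# Added example (not from the thread): measure how much of the traffic the
# kernel handed to tcpdump was actually kept, i.e. the "dropped by kernel"
# figure PJ saw. A sensor that drops packets cannot alert on what it never saw.

# Read tcpdump's closing summary on stdin and print "<received> <dropped> <pct>".
# Handles both the old single-line form (constructed sample)
#   "10167 packets received by filter, 2037 packets dropped by kernel"
# and the newer multi-line form ("N packets captured" / "N packets received
# by filter" / "N packets dropped by kernel").
parse_tcpdump_stats() {
    awk '
        { for (i = 2; i <= NF; i++) {
              if ($i == "packets" && $(i + 1) == "received") recv = $(i - 1)
              if ($i == "packets" && $(i + 1) == "dropped")  drop = $(i - 1)
          } }
        END {
            if (recv == "") { print "no tcpdump summary found" > "/dev/stderr"; exit 1 }
            pct = (recv > 0) ? 100 * drop / recv : 0
            printf "%d %d %.2f\n", recv, drop, pct
        }'
}

# $1 = summary text, $2 = highest acceptable kernel-drop percentage (default 1).
# Returns 0 when drops are within bounds, 1 when the sensor is losing packets,
# 2 when no summary could be parsed.
check_drops() {
    stats=$(printf '%s\n' "$1" | parse_tcpdump_stats) || return 2
    pct=${stats##* }
    if awk -v p="$pct" -v t="${2:-1}" 'BEGIN { exit !(p > t) }'; then
        echo "WARN: kernel dropped ${pct}% of filtered packets ($stats); tune or resize the sensor"
        return 1
    fi
    echo "OK: kernel dropped ${pct}% of filtered packets ($stats)"
}

# $1 = interface, $2 = host under test, $3 = seconds to watch (default 30).
# -n avoids the slow reverse-DNS lookups mentioned in the thread. Packet lines
# go to /dev/null here (add -w file to keep them); the summary that tcpdump
# prints on stderr when timeout(1) stops it is what gets parsed.
sniff_check() {
    summary=$(timeout "${3:-30}" tcpdump -n -i "$1" host "$2" 2>&1 >/dev/null)
    check_drops "$summary"
}
```

Run it as `sniff_check eth0 10.1.1.1 60` while the traffic you expect the sensor to see is replayed; a non-zero exit means the box is losing packets before Snort ever gets them.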
Current thread:
- Re: Snort is not seeing all traffic... Joesph Bowling (May 08)
- Re: Snort is not seeing all traffic... PJ-ML (May 09)
- Re: Snort is not seeing all traffic... PJ-ML (May 09)
- <Possible follow-ups>
- Re: Snort is not seeing all traffic... Joesph Bowling (May 09)