Snort mailing list archives
RE: Not Picking up Much WHY "I am pulling outmyhair"
From: "Elijah Savage" <esavage () digitalrage org>
Date: Mon, 13 Oct 2003 21:45:44 -0400
It does not seem like snort is logging or generating alerts, please see below. What would cause this?

Snort analyzed 1594 out of 1594 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 1403       (88.018%)         ALERTS: 0
    UDP: 98         (6.148%)          LOGGED: 0
   ICMP: 28         (1.757%)          PASSED: 0
    ARP: 4          (0.251%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 61         (3.827%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
       Control Packets: 0          (0.000%)
          Data Packets: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 1403       (88.018%)
         Stream Trackers: 22
          Stream flushes: 16
           Segments used: 41
   Stream4 Memory Faults: 0
===============================================================================
Snort exiting

-----Original Message-----
From: John Creegan [mailto:jcreegan () questarweb com]
Sent: Monday, October 13, 2003 4:29 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Not Picking up Much WHY "I am pulling outmyhair"

It's probably about time I start contributing, so here goes...

I don't think you need to look at both. As I understand this at the moment, the alert file contains only a subset of the data that snort "logs". (I think the term "log" is a bit overused, too :-), but I don't have a better idea so I'm not complaining.) I just got barnyard up and running late last week. I'm outputting only the snort log file, not the snort alert file.

The number of alerts I've gotten this last weekend is quite comparable to the number of alerts I would expect to get in my previous configuration of reporting snort events directly to a DB. My recommendation? Don't output the alert file.
<esavage () digitalrage org> 10/13/03 03:11PM >>>
I have noticed with my snort setup that in the /var/log/snort directory there is an alert.log and a snort.log. But the way the documentation tells you to start barnyard, it tells you to use the -f option, which I use pointing to the snort.log file. See how I start barnyard below.

/usr/local/bin/barnyard -D -w barn.waldo -c /etc/snort/barnyard.conf -d /var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -f snort.log

So is this my problem, that it is only looking at the log and not at the alert.log? If so, what is the proper way to get it to look at both?
I have just come across some articles stating that if you are running snort on your firewall as I am and monitoring the external interface, it all is set up correctly, but just because of the way PF acts, if you drop it at the external firewall interface snort never sees the packet. Can someone confirm this? I have seen a number of articles and emails stating that snort sees all traffic before it is ever filtered by PF, and now have come across others that say the exact opposite. Can someone clear this up?

RE: [Snort-users] Not Picking up Much WHY "I am pulling out myhair"

Snort is running on the firewall itself monitoring the outside interface directly connected to the net. This is why I am amazed that it is not picking up anything more. I have just checked it again this morning and nothing but ICMP. And from everything I have read, it says snort running on a firewall will see every packet before pf does and before any filtering happens.

-----Original Message-----
From: Patrick Harper [mailto:lists () internetsecurityguru com]
Sent: Sunday, October 12, 2003 9:41 PM
To: Elijah Savage
Cc: Snort-Users
Subject: Re: [Snort-users] Not Picking up Much WHY "I am pulling out myhair"

do you have any filters set up, if Snort is behind your firewall it will only see what makes it through

On Sun, 2003-10-12 at 17:23, Elijah Savage wrote:

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
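As an added illustration, not code from this thread or from the Snort project: a small Python parser for the run summary Snort 2.x prints at exit, fed the numbers Elijah posted as a constructed sample, with a check that flags exactly his symptom (packets analyzed, nothing alerted or logged). The names parse_summary and diagnose are my own.

```python
import re

# Constructed sample: the exit summary quoted in the thread, laid out the way Snort 2.x prints it.
SAMPLE = """\
Snort analyzed 1594 out of 1594 packets, dropping 0(0.000%) packets
Breakdown by protocol:                Action Stats:
    TCP: 1403       (88.018%)         ALERTS: 0
    UDP: 98         (6.148%)          LOGGED: 0
   ICMP: 28         (1.757%)          PASSED: 0
    ARP: 4          (0.251%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 61         (3.827%)
DISCARD: 0          (0.000%)
===============================================================================
"""
ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets, dropping (\d+)")
PAIR_RE = re.compile(r"\b([A-Z][A-Za-z0-9]*):\s+(\d+)\b")   # "NAME: count" pairs, one per column
ACTIONS = ("ALERTS", "LOGGED", "PASSED")

def parse_summary(text):
    """Parse the summary into counters; the protocol block is two columns wide."""
    m = ANALYZED_RE.search(text)
    if m is None:
        raise ValueError("no 'Snort analyzed' line found")
    stats = {"analyzed": int(m.group(1)), "received": int(m.group(2)),
             "dropped": int(m.group(3)), "protocols": {}, "actions": {}}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Breakdown by protocol"):
            in_block = True          # left column: protocols, right column: action stats
        elif line.startswith("===="):
            in_block = False         # the separator line closes the block
        elif in_block:
            for name, count in PAIR_RE.findall(line):
                stats["actions" if name in ACTIONS else "protocols"][name] = int(count)
    return stats

def diagnose(stats):
    """Return the sanity-check findings a defender wants from this summary."""
    findings = []
    if stats["dropped"]:
        findings.append("capture library dropped packets")
    if sum(stats["protocols"].values()) != stats["analyzed"]:
        findings.append("protocol breakdown does not add up to packets analyzed")
    if stats["analyzed"] and not any(stats["actions"].get(a) for a in ACTIONS):
        findings.append("traffic analyzed but nothing alerted, logged or passed: "
                        "check the rules path (-c), the interface (-i) and any BPF filter")
    return findings
```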
Current thread:
- RE: Not Picking up Much WHY "I am pulling outmyhair" Elijah Savage (Oct 13)