Snort mailing list archives

RE: [SPAM] - Snort not logging all packets - Email found in subject


From: sEc nErD <umkcguy1978 () yahoo com>
Date: Mon, 7 Mar 2005 12:26:54 -0800 (PST)

Here's the CPU info:
 
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Pentium(R) 4 CPU 3.00GHz
stepping        : 1
cpu MHz         : 2996.236
cache size      : 1024 KB
physical id     : 0
siblings        : 2
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe pni monitor ds_cpl cid
bogomips        : 5931.00
processor       : 1
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Pentium(R) 4 CPU 3.00GHz
stepping        : 1
cpu MHz         : 2996.236
cache size      : 1024 KB
physical id     : 0
siblings        : 2
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe pni monitor ds_cpl cid
bogomips        : 5980.16


Marc Hering <mhering () reval com> wrote:
Logging in /var/log/messages???? You may not want to do that. I log in /var/log/sensorname/snort/. Also, is your NIC card working OK? And what machine specs?
 


---------------------------------
From: sEc nErD [mailto:umkcguy1978 () yahoo com] 
Sent: Monday, March 07, 2005 3:02 PM
To: Marc Hering; snort-users () lists sourceforge net
Subject: RE: [SPAM] - [Snort-users] Snort not logging all packets - Email found in subject



I am logging snort in /var/log/messages and also on a remote security information management system like netforensics.
I can see some http inspect preprocessor messages but I know it's missing out on a lot of them.
Below is the tcpdump output.

This is what I see when I do tcpdump:
 
#tcpdump -i eth1

tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:08:26.965161 IP 12.40.44.251 > 69.151.58.226: ESP(spi=0x96ebf27b,seq=0x503)
1 packets captured
670 packets received by filter
622 packets dropped by kernel

Marc Hering <mhering () reval com> wrote:
Are you logging into the console? Or via an SSH session?


---------------------------------
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of sEc nErD
Sent: Monday, March 07, 2005 2:41 PM
To: snort-users () lists sourceforge net
Subject: [SPAM] - [Snort-users] Snort not logging all packets - Email found in subject




Hi all,
 
I am running snort on a Fedora box and I started with a doubt that it is not logging all the packets.
I checked it with tcpdump, and when I stop tcpdump I see 90% of the packets being dropped by the kernel.
When I look at /var/log/messages
I see the below error for both sniffing interfaces:
 
OpenPcap() device eth0 network lookup:  ^Ieth0: no IPv4 address assigned
 
I checked the version of libpcap running; it is
"libpcap-0.8.3-3"
Output of # uname -a

Linux localhost.localdomain 2.6.5-1.358smp #1 SMP Sat May 8 09:25:36 EDT 2004 i686 i686 i386 GNU/Linux
 
If anybody could help me on this I would really appreciate it.
Thanks all,
kaps
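As an added example (not from anyone in this thread), a small POSIX shell helper that turns the "packets received by filter" / "packets dropped by kernel" summary lines tcpdump prints on exit into a drop percentage, so a sensor health check can flag the situation described above, where the kernel discards most of the traffic before Snort or tcpdump ever sees it. The sample summary is constructed from the figures quoted in the post; the function names and the 5% threshold are my own choices.

```shell
#!/bin/sh
# Added example: derive a kernel drop ratio from a tcpdump exit summary.
# A high ratio here means the capture path (libpcap, shared by Snort and
# tcpdump) is not keeping up, so alert data from that sensor is incomplete.

# Constructed sample, using the numbers from the post above.
SAMPLE_SUMMARY='1 packets captured
670 packets received by filter
622 packets dropped by kernel'

# drop_percent: read tcpdump summary text on stdin and print the integer
# percentage of filter-matched packets the kernel dropped (0 if none received).
drop_percent() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == 0) { print 0; exit }
            printf "%d\n", (drop * 100) / recv
        }'
}

# check_capture_health SUMMARY [THRESHOLD_PERCENT]
# Prints a one-line verdict; returns 0 when drops are at or below the
# threshold (default 5%), 1 when the sensor is losing too much traffic.
check_capture_health() {
    summary=$1
    threshold=${2:-5}
    pct=$(printf '%s\n' "$summary" | drop_percent)
    if [ "$pct" -gt "$threshold" ]; then
        echo "WARN: kernel dropped ${pct}% of filtered packets (threshold ${threshold}%)"
        return 1
    fi
    echo "OK: kernel dropped ${pct}% of filtered packets"
    return 0
}

# Demo against the constructed sample (92% dropped, so this prints WARN).
# In practice feed it the stderr of a timed run such as
#   timeout 30 tcpdump -i eth1 -w /dev/null 2>&1 >/dev/null
check_capture_health "$SAMPLE_SUMMARY" || :
```

Because tcpdump writes the summary to stderr, capture that stream rather than stdout when wiring this into a cron job or monitoring check.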



 
