Snort mailing list archives
Re: Snort-users Digest, Vol 33, Issue 10
From: Todd Wease <twease () sourcefire com>
Date: Thu, 12 Feb 2009 17:32:05 -0500
I'd run Wireshark and take a look at the traffic to try and find out where all of the traffic with the bad checksums is coming from.

Jimmy Tharel wrote:
The checksums are definitely the problem. Adding the -k none allows me to see what I expect and all my rules seem to be alerting now. However, I'm not sending any traffic from my snort box. How can I troubleshoot this further? Any idea? By the way...very good catch! I'm glad I included the Snort output!

------------------------------------------------------------------------
From: "snort-users-request () lists sourceforge net" <snort-users-request () lists sourceforge net>
To: snort-users () lists sourceforge net
Sent: Thursday, February 12, 2009 10:27:18 AM
Subject: Snort-users Digest, Vol 33, Issue 10

Today's Topics:

   1. Re: Snort not seeing all traffic (Joel Esler)
   2. Re: Snort not seeing all traffic (Todd Wease)
   3. Re: Snort not seeing all traffic (Jack Pepper)

----------------------------------------------------------------------

Message: 1
Date: Thu, 12 Feb 2009 12:21:02 -0500
From: Joel Esler <eslerj () gmail com>
Subject: Re: [Snort-users] Snort not seeing all traffic
To: Jimmy Tharel <jtharel () yahoo com>
Cc: snort-users () lists sourceforge net
Message-ID: <8c643a500902120921v89bfcfeq86547bf24d0f6deb () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Jimmy, it's hard for us to troubleshoot what is going on if Snort did indeed drop packets. We can't rule out with 100% certainty that Snort isn't seeing the traffic if, in fact, it's dropping packets. Can you capture a pcap of the traffic and run Snort against the pcap? That way we can rule out dropped packets.

Joel

It's obviously seeing the traffic, as you are getting alerts.

On Thu, Feb 12, 2009 at 11:54 AM, Jimmy Tharel <jtharel () yahoo com> wrote:

Initially I thought I had a problem with a rule that I wrote but it appears Snort isn't seeing all of the data coming over the wire. I wrote a simple rule:

alert tcp <my ip> any <> any any (msg:"Jimmy - Test rule"; classtype:attempted-dos; sid:2000000; rev:1;)

I sent 50 packets across the wire and Snort only picked up 10 of them and alerted. I had tcpdump running at the same time and it picked up all of them. I'm currently running 2.8.3.2. It doesn't look like I'm dropping packets (especially since tcpdump sees the traffic, and the snort output shows very little packet loss); my CPU and memory are not being taxed at all. Currently I only have the one rule enabled plus the preprocessors. Does anybody have any idea what could be happening? If you need any more info I will be happy to share it.
Below are my snort.conf and the output of Snort running for a brief period of time when the 50 packets were sent.

Here is my snort.conf:

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS [10.196.4.1,10.196.4.2]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS [10.196.2.102,10.196.2.103,10.196.2.105,10.196.2.132,10.196.2.133,10.185.9.42,10.185.9.43,10.185.9.44,10.185.9.56,10.185.9.57,10.196.2.93,10.196.2.94,10.196.2.137,10.185.9.77,10.185.9.78,10.185.9.85,10.185.9.86,10.185.8.18,10.185.8.19]
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 \
    no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
preprocessor smtp: \
    ports { 25 587 691 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include classification.config
include reference.config
include $RULE_PATH/local.rules
include threshold.conf

Here is the output of Snort:

Run time prior to being shutdown was 28.595880 seconds
===============================================================================
Packet Wire Totals:
   Received:    908053
   Analyzed:    907663 (99.957%)
    Dropped:       380 (0.042%)
Outstanding:        10 (0.001%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 909784     (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 907996     (99.803%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 901746     (99.116%)
      UDP: 3110       (0.342%)
     ICMP: 1007       (0.111%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 506        (0.056%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 1294       (0.142%)
  DISCARD: 0          (0.000%)
InvChkSum: 627722     (68.997%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 2121       (0.233%)
    Total: 909784
===============================================================================
Action Stats:
ALERTS: 10
LOGGED: 10
PASSED: 0
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
            Total sessions: 15463
              TCP sessions: 15463
              UDP sessions: 0
             ICMP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
TCP StreamTrackers Created: 15463
TCP StreamTrackers Deleted: 15463
              TCP Timeouts: 0
              TCP Overlaps: 1
       TCP Segments Queued: 8631
     TCP Segments Released: 8631
       TCP Rebuilt Packets: 4075
         TCP Segments Used: 4260
              TCP Discards: 19042
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods: 1042
    GET methods: 1305
    Headers extracted: 2342
    Header Cookies extracted: 821
    Post parameters extracted: 15
    Unicode: 0
    Double unicode: 0
    Non-ASCII representable: 171
    Base 36: 0
    Directory traversals: 0
    Extra slashes ("//"): 26
    Self-referencing paths ("./"): 0
    Total packets processed: 218047
===============================================================================
SSL Preprocessor:
    SSL packets decoded: 1523
    Client Hello: 12
    Server Hello: 24
    Certificate: 1
    Server Done: 85
    Client Key Exchange: 6
    Server Key Exchange: 0
    Change Cipher: 108
    Finished: 0
    Client Application: 30
    Server Application: 273
    Alert: 9
    Unrecognized records: 1169
    Completed handshakes: 2
    Bad handshakes: 0
    Sessions ignored: 5
    Detection disabled: 0
===============================================================================
Snort exiting

-- 
Joel Esler
http://www.joelesler.net

------------------------------

Message: 2
Date: Thu, 12 Feb 2009 12:25:29 -0500
From: Todd Wease <twease () sourcefire com>
Subject: Re: [Snort-users] Snort not seeing all traffic
To: Jimmy Tharel <jtharel () yahoo com>
Cc: snort-users () lists sourceforge net
Message-ID: <49945B89.5040406 () sourcefire com>
Content-Type: text/plain; charset=ISO-8859-1

Hi Jimmy,

Looks like you might be sending traffic from the same box as Snort is running on and TCP checksum offloading is occurring. I noticed this from the stats:

InvChkSum: 627722 (68.997%)

That's a lot of invalid checksums. Try adding "-k none" to your command line while testing. This will disable Snort checking checksums.

Todd
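The mechanism behind Todd's diagnosis, as an added example that is not part of the thread and is not Snort's code: a TCP checksum verifier in the RFC 1071 style, run against a constructed segment as the wire carries it and against the same segment as a capture on the sending host sees it when the NIC is left to fill the checksum in (modelled here with a zero placeholder; real stacks typically leave a partial sum there, which fails verification just the same). The `inspected_by_ids` function is this example's simplified model of the behaviour the thread reports (segments failing the checksum never reach the rules unless verification is off); the `checksum_mode` strings borrow the spelling of Snort's `-k` values as labels only. Addresses and packet bytes are constructed; the stats excerpt copies the counters quoted in the thread so the invalid-checksum share Todd pointed at can be recomputed.

```python
"""Why an IDS that verifies TCP checksums can skip locally generated traffic.

Added example for this thread, not Snort's code. Packet bytes, addresses and
the ``inspected_by_ids`` model are constructed for illustration; ``SAMPLE_STATS``
copies counter lines from the Snort summary quoted in the thread.
"""
import re
import socket
import struct

TCP_PROTO = 6


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                     # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Correct checksum for a segment; the checksum field (bytes 16-17) counts as zero."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return rfc1071_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment verifies when the sum including its stored checksum comes out zero."""
    return rfc1071_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def build_tcp_segment(sport, dport, payload, src_ip, dst_ip, offload=False):
    """Minimal TCP header (no options) plus payload, constructed for this example.

    offload=False fills in the real checksum, which is what the wire carries.
    offload=True leaves a zero placeholder, standing in for the field a capture on
    the sending host sees before the NIC has computed the checksum (constructed
    stand-in; real stacks typically leave a partial sum there, also invalid).
    """
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = 0 if offload else tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def inspected_by_ids(src_ip, dst_ip, segment, checksum_mode="all"):
    """Model of the behaviour the thread reports (not Snort's decoder): with
    verification on ("all") a segment failing the TCP checksum never reaches the
    rules; with "none" every segment does."""
    if checksum_mode == "none":
        return True
    return verify_tcp_checksum(src_ip, dst_ip, segment)


# Counter lines copied from the Snort summary quoted in the thread.
SAMPLE_STATS = """\
Breakdown by protocol (includes rebuilt packets):
      ETH: 909784     (100.000%)
      TCP: 901746     (99.116%)
InvChkSum: 627722     (68.997%)
    Total: 909784
"""


def invalid_checksum_ratio(stats: str) -> float:
    """Share of frames with an invalid checksum. A large share on a sensor that
    also originates traffic points at checksum offload, as Todd read it, rather
    than at dropped packets."""
    inv = int(re.search(r"\bInvChkSum:\s+(\d+)", stats).group(1))
    eth = int(re.search(r"\bETH:\s+(\d+)", stats).group(1))
    return inv / eth


if __name__ == "__main__":
    src, dst = "192.0.2.10", "192.0.2.20"          # constructed TEST-NET addresses
    payload = b"GET / HTTP/1.0\r\n\r\n"
    wire = build_tcp_segment(40000, 80, payload, src, dst)
    local = build_tcp_segment(40000, 80, payload, src, dst, offload=True)
    print("wire copy verifies:      ", verify_tcp_checksum(src, dst, wire))
    print("local (offload) verifies:", verify_tcp_checksum(src, dst, local))
    print("inspected with -k all:   ", inspected_by_ids(src, dst, local, "all"))
    print("inspected with -k none:  ", inspected_by_ids(src, dst, local, "none"))
    print("invalid checksum share:   %.3f%%" % (100 * invalid_checksum_ratio(SAMPLE_STATS)))
```

Running the block shows the wire copy verifying and the local copy failing, which is the same segment seen from two vantage points; that is why tcpdump counted all 50 packets while rules only fired on the 10 that happened to carry a valid checksum, and why `-k none` is a test-time workaround rather than a fix. On a dedicated sensor the share reported by `invalid_checksum_ratio` should be near zero, so a high value is itself a useful health check.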
------------------------------

Message: 3
Date: Thu, 12 Feb 2009 11:27:11 -0600
From: Jack Pepper <pepperjack () afferentsecurity com>
Subject: Re: [Snort-users] Snort not seeing all traffic
To: Jimmy Tharel <jtharel () yahoo com>
Cc: snort-users () lists sourceforge net
Message-ID: <20090212112711.4p7oftafvo4csoo4 () mail afferentsecurity com>
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"

Looks like you're dropping packets. Funny thing about dropping packets: there's no way to know which packets were dropped. Your sample looked at about a million packets in less than 30 seconds.

jp

-- 
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

------------------------------

End of Snort-users Digest, Vol 33, Issue 10
*******************************************