Snort mailing list archives

Re: Very Limited Logging


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 26 Sep 2012 16:05:00 -0400

That signature is looking for UDP traffic, and small packets at that.

I'm betting you are running into a checksum problem.  Stop Snort, add "-k none" to the command line, and see if it picks up more.

Also, Snort needs to be listening to a span port or something on a switch, not just watching the port you are plugged into on the switch.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire



On Sep 26, 2012, at 2:55 PM, Brian Swan <steelysama () gmail com> wrote:

Hi all,
   I am having a strange problem with Snort. I recently installed it along with Barnyard2 on a CentOS 6.3 64-bit machine. They both seemingly run fine, but it looks like Snort is not committing very much at all to the log files. All of the log files (I am using the unified2 type) are very small, some of them empty, and Barnyard is registering only a single signature repeatedly and at sparse intervals:

09/26-07:34:15.475267  [**] [1:23493:1] BOTNET-CNC Trojan.ZeroAccess outbound communication  [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 77.8.197.82:57155 -> ***edited out***

The target IP is not from my machine, it is just on the same subnet.

I have tried adjusting all kinds of settings and nothing seems to make a difference. The logging remains extremely sparse and seems confined to only this one signature.

Snort v. 2.9.3.1
Barnyard2 v. 2.1.9

I will post output that might help.

Thank you,
   Steely
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
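Joel's checksum diagnosis in runnable form, as an added example that is not part of this thread and not Snort's own code. It builds IPv4/UDP packets with correct checksums and with the wrong checksums a libpcap capture shows when the capturing host's NIC fills the field in after the frame has already been copied (checksum offload), verifies them the way a decoder does, and applies a simplified model of Snort 2.x's `-k` option (`all`, the default, keeps any packet with a failing checksum away from detection; `noip`/`noudp` skip one layer; `none` skips verification) to show which packets would ever reach a rule. Addresses (RFC 5737 documentation ranges), ports and payload are constructed; the Snort policy is modelled, not lifted from the decoder.

```python
"""Why a sensor with bad checksums alerts on almost nothing (added example, not Snort code)."""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """One's complement sum of 16-bit big-endian words, folded to 16 bits (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Checksum to store in a header: one's complement of the one's complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload, ip_csum=None, udp_csum=None) -> bytes:
    """Build an IPv4+UDP packet. Overriding ip_csum/udp_csum stands in for what a capture
    shows when the NIC, not the kernel, was going to compute the checksum (offload)."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    udp_len = 8 + len(payload)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    if udp_csum is None:
        zeroed = struct.pack("!HHHH", sport, dport, udp_len, 0)
        udp_csum = checksum(pseudo + zeroed + payload) or 0xFFFF  # 0 is sent as 0xFFFF
    udp = struct.pack("!HHHH", sport, dport, udp_len, udp_csum) + payload
    fields = [0x45, 0, 20 + udp_len, 0x1234, 0, 64, socket.IPPROTO_UDP, 0, src_b, dst_b]
    if ip_csum is None:
        ip_csum = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    fields[7] = ip_csum
    return struct.pack("!BBHHHBBH4s4s", *fields) + udp


def ip_checksum_ok(pkt: bytes) -> bool:
    """A valid IPv4 header sums (checksum field included) to 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF


def udp_checksum_ok(pkt: bytes) -> bool:
    """Verify the UDP checksum over pseudo-header + segment; 0 means 'no checksum' for IPv4."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    udp = pkt[ihl:total_len]
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return True
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(udp))
    return ones_complement_sum(pseudo + udp) == 0xFFFF


def stored_checksums(pkt: bytes) -> tuple:
    """(IP header checksum, UDP checksum) as they appear in the packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[10:12])[0], struct.unpack("!H", pkt[ihl + 6:ihl + 8])[0]


def snort_would_inspect(pkt: bytes, mode: str = "all") -> bool:
    """Simplified model of Snort 2.x -k for an IPv4/UDP packet: a packet failing a checksum
    that is being verified is decoded and counted, but never reaches detection."""
    if mode not in ("all", "noip", "notcp", "noudp", "noicmp", "none"):
        raise ValueError(f"unknown -k mode {mode!r}")
    if mode not in ("noip", "none") and not ip_checksum_ok(pkt):
        return False
    if mode not in ("noudp", "none") and not udp_checksum_ok(pkt):
        return False
    return True


def inspected_count(packets, mode: str = "all") -> int:
    return sum(snort_would_inspect(p, mode) for p in packets)


# Constructed sample traffic: documentation addresses, made-up ports and payload.
ARGS = ("192.0.2.10", "198.51.100.20", 57155, 40001, b"ping")
GOOD = build_ipv4_udp(*ARGS)                      # as it would look on the wire
OFFLOAD_UDP = build_ipv4_udp(*ARGS, udp_csum=0x0BAD)  # captured before the NIC filled UDP csum
OFFLOAD_IP = build_ipv4_udp(*ARGS, ip_csum=0x0BAD)    # captured before the NIC filled IP csum
NO_UDP_CSUM = build_ipv4_udp(*ARGS, udp_csum=0)       # sender chose not to checksum: legal
SAMPLE = [GOOD, OFFLOAD_UDP, OFFLOAD_IP, NO_UDP_CSUM]

if __name__ == "__main__":
    for mode in ("all", "noip", "noudp", "none"):
        print(f"-k {mode:<5} inspects {inspected_count(SAMPLE, mode)} of {len(SAMPLE)} packets")
```

Offload only distorts frames the sensor host itself transmits, because libpcap copies them before the NIC writes the checksum; frames arriving over a SPAN feed carry whatever the sender put on the wire, so on a properly mirrored port bad checksums are real corruption. On the sensor, `tcpdump -vv -i <iface> udp` printing `bad udp cksum` for the traffic Snort never alerts on confirms the diagnosis; `-k none` is the quick test Joel describes, while turning off offload on the capture interface (`ethtool -K <iface> rx off tx off`) keeps verification meaningful.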
