Snort mailing list archives
Re: Very Limited Logging
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 26 Sep 2012 16:05:00 -0400
That signature is looking for UDP traffic, and small packets at that. I'm betting you are running into a checksum problem. Stop Snort, add "-k none" to the command line, and see if it picks up more. Also, Snort needs to be listening to a span port or something on a switch, not just watching the port you are plugged into on the switch.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 26, 2012, at 2:55 PM, Brian Swan <steelysama () gmail com> wrote:
> Hi all,
>
> I am having a strange problem with Snort. I recently installed it along with Barnyard2 on a CentOS 6.3 64-bit machine. They both seemingly run fine, but it looks like Snort is not committing very much at all to the log files. All of the log files (I am using the unified2 type) are very small, some of them empty, and Barnyard is registering only a single signature repeatedly and at sparse intervals:
>
> 09/26-07:34:15.475267 [**] [1:23493:1] BOTNET-CNC Trojan.ZeroAccess outbound communication [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 77.8.197.82:57155 -> ***edited out***
>
> The target IP is not from my machine, it is just on the same subnet. I have tried adjusting all kinds of settings and nothing seems to make a difference. The logging remains extremely sparse and seems confined to only this one signature.
>
> Snort v. 2.9.3.1
> Barnyard2 v. 2.1.9
>
> I will post output that might help.
>
> Thank you,
> Steely
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
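An added example (not from this thread and not Snort's own code) of the check behind the "-k none" suggestion: a minimal verifier for the IPv4 UDP checksum that Snort validates by default, run over a constructed datagram once with a correct checksum and once with the field left unfilled, which is what a capture sees when the sending NIC does checksum offload. The addresses, ports and payload are made up for the example.

```python
import struct

# Constructed sample values for this example (not from the thread).
SRC_IP = bytes([10, 0, 0, 5])
DST_IP = bytes([10, 0, 0, 9])

def ones_complement_sum(data: bytes) -> int:
    """Fold 16-bit big-endian words into a ones'-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                     # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the UDP header and payload."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))  # proto 17 = UDP
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]  # checksum field counts as zero
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF                   # a computed zero is sent as 0xFFFF

def udp_checksum_ok(src: bytes, dst: bytes, udp: bytes) -> bool:
    """True if a checksum-verifying sensor (Snort's default, -k all) accepts it."""
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:
        return True                         # IPv4 UDP: zero means "no checksum"
    return udp_checksum(src, dst, udp) == stored

def build_udp(src, dst, sport, dport, payload, checksum=None) -> bytes:
    """Build a UDP datagram; checksum=None fills in the correct value."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if checksum is None:
        checksum = udp_checksum(src, dst, udp)
    return udp[:6] + struct.pack("!H", checksum) + udp[8:]

# A correctly checksummed datagram, and the same datagram with the field left
# at a placeholder value, as an offloading NIC hands it to a local capture.
GOOD = build_udp(SRC_IP, DST_IP, 57155, 1234, b"hello")
OFFLOADED = build_udp(SRC_IP, DST_IP, 57155, 1234, b"hello", checksum=0x1234)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("offloaded", OFFLOADED)):
        ok = udp_checksum_ok(SRC_IP, DST_IP, pkt)
        print(f"{name}: {'inspected' if ok else 'skipped under -k all'}")
```

Running the same check over packets captured on the sensor tells you whether the sparse alerts come from checksum verification discarding traffic before detection, in which case "-k none" is the right knob.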