Snort mailing list archives
Re: Snort only partially alerting
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 18 Jun 2013 16:13:15 -0600
On 2013-06-18 15:14, Frank Calone wrote:
I still don't have a fix yet to the problem of Snort only alerting occasionally. I have it set up to look for exe downloads using just 2 rules. I have a web site set up to download (not https) an exe file. I decided to run snort in full packet logger mode to see what was coming in (/usr/sbin/snort -dev -i p1p1 -l /var/log/snort -h x.x.x.x/16). I immediately started getting the following warning messages:

(snort_decoder) WARNING: IP dgm len > captured len

I then ran the binary capture through the snort playback (-dvr option). Looking at the packets tied to my PC, I can see that almost all of them have a datagram length of 40. Very few packets showed up with a real payload, certainly not enough to amount to the size of the file I downloaded during the testing. I'm not sure if there is a config setting or something else going wrong here such that very few packets have any real data. Here is a sample of what I am seeing:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.229724 15.0.0.18:62287 [1] -> 212.13.197.229:80 [2]
TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A Ack: 0xEF27E0F7 Win: 0x4029 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Frank
Frank,

Try capturing with tshark or tcpdump (use -s 0 for tcpdump to capture the full packet). Then, after capturing, run it through snort with something like:

sudo snort -c snort.conf -r bleh.pcap -k none

James
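The decoder warning Frank quotes ("IP dgm len > captured len") is the symptom of a capture whose snaplen cut packets short of the length the IP header claims, which is exactly what James's "-s 0" is meant to avoid. The script below is an added example, not code from the thread or from the Snort project: it reads a classic pcap, reports the file's snaplen, and lists every record whose IPv4 total length exceeds the bytes actually captured, so a pcap can be checked for truncation before it is replayed with "snort -r". The sample capture it builds in memory is constructed data (RFC 5737 addresses, made-up MACs, a 68-byte snaplen for the truncated record, the default old tcpdump releases used); reading a real file is a matter of passing its bytes to diagnose().

```python
import struct

ETH_HDR_LEN = 14
LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap (microsecond timestamps); pcapng is not handled here


def build_ipv4_tcp_frame(payload: bytes) -> bytes:
    """Assemble a constructed Ethernet/IPv4/TCP frame (sample data, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_total_len = 20 + 20 + len(payload)
    # version/IHL, TOS, total length, ID, flags+frag (DF), TTL, proto (TCP), checksum (unset), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0x1D2B, 0x4000, 127, 6, 0,
                     bytes([10, 0, 0, 18]), bytes([192, 0, 2, 80]))
    # src port, dst port, seq, ack, data offset (5 words), flags (PSH+ACK), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0x1000, 0x2000, 5 << 4, 0x18, 0x4029, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames_with_caplen, snaplen: int) -> bytes:
    """Write a little-endian classic pcap; each frame is cut to its caplen, as a capture with that snaplen would be."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, (frame, caplen) in enumerate(frames_with_caplen):
        data = frame[:caplen]
        # constructed timestamp (June 2013); record header = ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1371593219, i * 1000, len(data), len(frame))
        out += data
    return bytes(out)


def _endianness(pcap: bytes) -> str:
    """Return the struct byte-order prefix for this file, or raise if it is not a classic pcap."""
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", pcap, 0)[0] == PCAP_MAGIC:
            return endian
    raise ValueError("not a classic pcap file (pcapng or unknown format)")


def pcap_snaplen(pcap: bytes) -> int:
    """Snaplen stored in the global header: the most bytes any record can hold."""
    return struct.unpack_from(_endianness(pcap) + "I", pcap, 16)[0]


def iter_records(pcap: bytes):
    """Yield (index, incl_len, orig_len, captured_bytes) for each record in a classic pcap."""
    endian = _endianness(pcap)
    off, idx = 24, 0
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield idx, incl_len, orig_len, pcap[off:off + incl_len]
        off += incl_len
        idx += 1


def diagnose(pcap: bytes) -> dict:
    """List records whose IPv4 total length exceeds the bytes captured after the Ethernet header,
    the condition behind Snort's 'IP dgm len > captured len' decoder warning."""
    truncated, count = [], 0
    for idx, incl_len, orig_len, data in iter_records(pcap):
        count += 1
        if len(data) < ETH_HDR_LEN + 20 or data[12:14] != b"\x08\x00":
            if incl_len < orig_len:
                truncated.append((idx, incl_len, orig_len, None))  # cut before a full IPv4 header
            continue
        ip_total_len, = struct.unpack_from("!H", data, ETH_HDR_LEN + 2)
        if ip_total_len > len(data) - ETH_HDR_LEN:
            truncated.append((idx, incl_len, orig_len, ip_total_len))
    return {"snaplen": pcap_snaplen(pcap), "records": count, "truncated": truncated}


# Constructed sample: a 154-byte frame carrying a 100-byte HTTP request payload.
FRAME = build_ipv4_tcp_frame(b"GET /file.exe HTTP/1.1\r\nHost: example.test\r\n\r\n".ljust(100, b"x"))
# Record 0 is captured whole; record 1 is cut at a 68-byte snaplen.
SAMPLE_PCAP = build_pcap([(FRAME, len(FRAME)), (FRAME, 68)], snaplen=68)

if __name__ == "__main__":
    report = diagnose(SAMPLE_PCAP)
    print("snaplen=%d records=%d" % (report["snaplen"], report["records"]))
    for idx, incl_len, orig_len, ip_len in report["truncated"]:
        print("record %d: captured %d of %d bytes, IP total length %s" % (idx, incl_len, orig_len, ip_len))
```

A capture taken with "-s 0" (or a snaplen of 65535 or more) produces an empty "truncated" list; any non-empty list means Snort will see the same decoder warning and rules matching on payload cannot fire for those packets, since the bytes were never written to disk.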
Current thread:
- Snort only partially alerting Frank Calone (Jun 18)
- Re: Snort only partially alerting James Lay (Jun 18)
- Re: Snort only partially alerting Frank Calone (Jun 26)
- Re: Snort only partially alerting waldo kitty (Jun 26)
- Re: Snort only partially alerting James Lay (Jun 18)
- <Possible follow-ups>
- Snort only partially alerting Frank Calone (Jun 21)
- Re: Snort only partially alerting Joel Esler (Jun 21)
- Re: Snort only partially alerting Joel Esler (Jun 21)
- Re: Snort only partially alerting Joel Esler (Jun 21)
- Re: Snort only partially alerting Frank Calone (Jun 21)
- Re: Snort only partially alerting Joel Esler (Jun 21)