Snort mailing list archives

Re: Snort only partially alerting


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 21 Jun 2013 16:40:42 -0400

On Jun 21, 2013, at 4:08 PM, Frank Calone <fc10011001 () gmail com> wrote:

   I have already tried running Snort using the "-k none" option as was recommended earlier this week. I still got no alerts. I tried testing an exe download and had Snort in full packet capture mode. I looked at the packets after doing a -dvr just for my PC and there simply is little there that looks at all like what the TCPDUMP process captured (virtually no payloads like you see in the pcap file). Would the checksum problem explain all the discards you noted? The "bad chk sum" from the statistics showed just 326 events for .025%. That number to me looks very small then as it is not even 1%. If you want me to rerun with the -k none option again, I will do that. Should I do any kind of other logging at the same time or use other options to help diagnose?

Turn off all rules except the file-identify category, run with the configuration file that I pointed to in my previous email. Add `-k none`.

Run with -b in the command line (to output to pcap file), see what you get from there.

Sounds like something isn't right somewhere.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
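One way to set up the debugging run described in the reply above (only the file-identify category enabled, `-k none`, `-b` to log packets to a pcap file), as an added shell example that is not from the thread or from the Snort project; the sample snort.conf fragment, the file paths, the log directory and the interface name eth0 are assumptions.

```shell
#!/bin/sh
# Added example: build a copy of snort.conf with every rule category except
# file-identify commented out, then run Snort with -k none (do not discard
# packets with bad checksums) and -b (log packets in tcpdump/pcap format).
# Paths, interface and the constructed sample config are assumptions.

# Comment out each "include $RULE_PATH/<category>.rules" line except
# file-identify.rules.  Usage: restrict_to_file_identify <in.conf> <out.conf>
restrict_to_file_identify() {
    sed -E '/^[[:space:]]*include[[:space:]]+[$]RULE_PATH\/file-identify\.rules/!s/^([[:space:]]*include[[:space:]]+[$]RULE_PATH\/[^[:space:]]*\.rules)/# \1/' "$1" > "$2"
}

# Number of rule includes still active in a config (sanity check of the result).
active_rule_includes() {
    grep -cE '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$1"
}

# Constructed sample snort.conf fragment standing in for the real file.
SAMPLE_CONF="${TMPDIR:-/tmp}/snort-sample.conf"
TEST_CONF="${TMPDIR:-/tmp}/snort-file-identify.conf"
cat > "$SAMPLE_CONF" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/file-identify.rules
include $RULE_PATH/malware-cnc.rules
EOF

restrict_to_file_identify "$SAMPLE_CONF" "$TEST_CONF"

# Debugging run from the reply: trimmed config, -k none, -b for pcap output.
# Replace eth0 and the log directory for your host; only runs if snort exists.
if command -v snort >/dev/null 2>&1; then
    snort -c "$TEST_CONF" -i eth0 -k none -b -l /var/log/snort
fi
```

Compare the alert output of this run against a tcpdump capture of the same traffic; if the `-b` pcap still shows the payloads that the earlier `-dvr` output lacked, the discards are happening before rule evaluation.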
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net