Snort mailing list archives

Re: Testing Rule


From: Justin Pederson via Snort-users <snort-users () lists snort org>
Date: Wed, 12 Jul 2017 08:37:31 -0500

I used the PCAP James mentioned and this is what I got. I cannot scroll
all the way to the top because of all the "Warning: No preprocessors"
messages. Is there a way to prevent these from showing?


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
01/16-20:07:49.738998 64.215.158.34:80 -> 192.168.3.35:1136
TCP TTL:60 TOS:0x0 ID:9017 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x198EEF10  Ack: 0x4179B381  Win: 0x1920  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Run time for packet processing was 0.128121 seconds
Snort processed 1632 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:         1632
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       782336
  Bytes in mapped regions (hblkhd):      21590016
  Total allocated space (uordblks):      672208
  Total free space (fordblks):           110128
  Topmost releasable block (keepcost):   39920
===============================================================================
Packet I/O Totals:
   Received:         1632
   Analyzed:         1632 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         1632 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:         1632 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:         1632 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:         1632
===============================================================================
Snort exiting
[root@localhost ~]#

On Tue, Jul 11, 2017 at 9:18 PM, <wkitty42 () windstream net> wrote:

On 07/11/2017 04:26 PM, Justin Pederson via Snort-users wrote:

James I tried this as well with 2 or 3 pcaps and no alerts happened.



you might want to make sure that you're starting your snort with "-k none"
also...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
