Snort mailing list archives

behavior file vs. device capturing


From: Felix Erlacher <felix.erlacher () uibk ac at>
Date: Mon, 27 Nov 2017 17:58:07 +0100

Dear all,

while I was trying to further investigate an alert, I stumbled upon a
strange behavior that I was able to reproduce the following way:
If I send an HTTP request to a local HTTP server and have snort listen
on the NIC, everything behaves as I would expect it to do.
Now if I make snort read the pcapng file that I captured (with
wireshark) during this attempt the TCP stream preprocessor behaves
differently, triggering 3 timeouts and discarding one packet (which
finally leads to snort not triggering the alert contained in the HTTP
request).

What makes snort behave differently when configured to read from file
compared to the configuration when reading from a NIC interface?

Below you find the stream statistics for both runs.
I use snort 2.9.11 with daq 2.0.6 compiled from source on Debian 8
(kernel 3.16). The snort.conf is the original one from the tarball.

-----------------------------
sudo snort -c /etc/snort.conf -k none -i wlan0:
-----------------------------
Stream statistics:
            Total sessions: 1
              TCP sessions: 1
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
              TCP Timeouts: 0
       TCP Segments Queued: 2
     TCP Segments Released: 2
       TCP Rebuilt Packets: 2
         TCP Segments Used: 2
              TCP Discards: 0
           TCP Port Filter
                   Tracked: 10

-----------------------------
sudo snort -c /etc/snort.conf -k none -r ~/justCaptured.pcapng:
-----------------------------
Stream statistics:
            Total sessions: 1
              TCP sessions: 1

TCP StreamTrackers Created: 2
TCP StreamTrackers Deleted: 2
              TCP Timeouts: 3
       TCP Segments Queued: 0
     TCP Segments Released: 0
       TCP Rebuilt Packets: 0
         TCP Segments Used: 0
              TCP Discards: 1
           TCP Port Filter
                   Tracked: 10

Thanks and regards

Felix
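An added check (not code from the post or from the Snort project) that a defender can run over two "Stream statistics" dumps like the ones above: it parses the counter lines, flags the values that say reassembly failed (timeouts or discards above zero, nothing queued or rebuilt although a TCP session was tracked), and diffs the live run against the pcapng run. The two embedded blocks are excerpts of the statistics quoted in the post.

```python
import re

# Counters copied from the two 'Stream statistics' dumps in the post
# (excerpted to the lines that matter); same layout as Snort prints.
LIVE = """Stream statistics:
              TCP sessions: 1
              TCP Timeouts: 0
       TCP Segments Queued: 2
       TCP Rebuilt Packets: 2
              TCP Discards: 0
                   Tracked: 10
"""
OFFLINE = """Stream statistics:
              TCP sessions: 1
              TCP Timeouts: 3
       TCP Segments Queued: 0
       TCP Rebuilt Packets: 0
              TCP Discards: 1
                   Tracked: 10
"""

LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\d+)\s*$")

def parse_stream_stats(text):
    """Map each 'Name: N' line of a Snort stream statistics dump to an int."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return stats

def reassembly_problems(stats):
    """Reasons why rules matching on reassembled payload may not have fired:
    timeouts/discards must be 0, and segments must have been queued and rebuilt."""
    if stats.get("TCP sessions", 0) == 0:
        return []
    problems = [f"{n} = {stats[n]} (expected 0)"
                for n in ("TCP Timeouts", "TCP Discards") if stats.get(n, 0) > 0]
    problems += [f"{n} = 0 (expected > 0)"
                 for n in ("TCP Segments Queued", "TCP Rebuilt Packets")
                 if stats.get(n, 0) == 0]
    return problems

def diff_stats(live, offline):
    """Counters whose value differs between the runs: {name: (live, offline)}."""
    names = sorted(set(live) | set(offline))
    return {n: (live.get(n, 0), offline.get(n, 0))
            for n in names if live.get(n, 0) != offline.get(n, 0)}
```

For the pcapng run this reports four problems and an empty list for the live run, which is the quickest way to confirm that a missing alert is a reassembly issue rather than a rule issue.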