Snort mailing list archives
I'm sure you've seen this before..
From: Lea H via Snort-users <snort-users () lists snort org>
Date: Tue, 1 Oct 2019 23:43:29 +0000
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.14.1 GRE (Build 15003)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.9.0-PRE-GIT (with TPACKET_V3)
           Using PCRE version: 8.21 2011-12-12
           Using ZLIB version: 1.2.8

Error message I am receiving is below. I am receiving about 100k logs every 5 minutes.

WARNING: IP dgm len > captured len

Steps I have taken to remediate the issue:
- Commented out the decoder rule in the "gen-msg.map" file
- Added "-P 65535", "-k none" and "--daq-var buffer_size_mb=1024" to the Snort command during boot in rc.local.

Here is my command:

snort -A fast -P 65535 -k none -b -d -D -v -i vxlan0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/ --daq-var buffer_size_mb=1024 &

The current architecture is a mirrored session from AWS, which is a new feature. It encapsulates the traffic, hence the vxlan port. I have configured the interface on the Snort server to decapsulate the traffic. Here is that config (I previously ran Suricata and have verified that the port is decapsulating the traffic):

ip link add vxlan0 type vxlan id 1 dev eth1 dstport 4789
ip link set up dev vxlan0

For more context, I am wanting to run Snort in NIDS (passive) mode so it inspects the traffic and alerts on matching signatures. I would also like to add raw packet data to the alert log. So far the only alerts I have seen are: 1:30524:3 - OpenSSL read overrun attempt. When Snort runs, I see that 12033 Snort rules are read and it passes the Snort test. With how many errors I am receiving, I think it is having a huge impact on Snort's ability to perform.

Any help would be appreciated; at this point I am spinning donuts in the mud.

Thanks
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
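Added illustration, not part of Lea H's post and not Snort's own code: a small Python decoder that walks the VXLAN encapsulation described in the post (outer Ethernet, IPv4, UDP to port 4789, VXLAN, inner Ethernet, inner IPv4) and reproduces the comparison behind the "IP dgm len > captured len" decoder warning, which fires when an IPv4 header's total length claims more bytes than the capture actually holds. The frames are constructed inline; the VNI of 1 and UDP port 4789 come from the post's `ip link` command, while the MAC and IP addresses and payload sizes are made up. The 50 bytes of outer header overhead (14 Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN) is protocol arithmetic, not something the post states.

```python
"""Constructed example: decode a VXLAN-encapsulated frame the way a passive
sensor sees it and report whether the inner IPv4 header claims more bytes than
were captured, i.e. the condition behind "IP dgm len > captured len"."""
import struct

VXLAN_PORT = 4789                    # UDP dstport from the post's `ip link` command
VXLAN_OVERHEAD = 14 + 20 + 8 + 8     # outer Ethernet + IPv4 + UDP + VXLAN header
INNER_ETH_LEN = 14                   # inner Ethernet header inside the VXLAN payload
ETHERTYPE_IPV4 = b"\x08\x00"

# Made-up MAC addresses for the constructed frames.
OUTER_MACS = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
INNER_MACS = b"\x02\x00\x00\x00\x01\x01" + b"\x02\x00\x00\x00\x01\x02"


def _ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header: no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst))


def build_vxlan_frame(inner_payload_len, vni=1):
    """Constructed frame: outer Ethernet/IPv4/UDP/VXLAN wrapping an inner
    Ethernet/IPv4/UDP datagram that carries inner_payload_len bytes."""
    inner_ip_len = 20 + 8 + inner_payload_len
    inner = (INNER_MACS + ETHERTYPE_IPV4
             + _ipv4_header((10, 0, 1, 10), (10, 0, 2, 20), 17, inner_ip_len)
             + struct.pack("!HHHH", 40000, 53, 8 + inner_payload_len, 0)
             + b"A" * inner_payload_len)
    # VXLAN header: flags byte with the I bit set, 3 reserved bytes,
    # then the 24-bit VNI in the top bits of the last 32-bit word.
    vxlan = struct.pack("!BBBBI", 0x08, 0, 0, 0, vni << 8)
    udp_len = 8 + 8 + len(inner)     # UDP header + VXLAN header + inner frame
    return (OUTER_MACS + ETHERTYPE_IPV4
            + _ipv4_header((172, 31, 0, 5), (172, 31, 0, 9), 17, 20 + udp_len)
            + struct.pack("!HHHH", 55555, VXLAN_PORT, udp_len, 0)
            + vxlan + inner)


def min_snaplen_for(inner_ip_len):
    """Smallest capture length that holds a whole inner datagram once it has
    been mirrored over VXLAN."""
    return VXLAN_OVERHEAD + INNER_ETH_LEN + inner_ip_len


def check_vxlan_capture(frame, caplen=None):
    """Walk the encapsulation and compare the inner IPv4 total length with the
    bytes actually captured after decapsulation. `caplen` simulates the
    sensor's snaplen: only the first caplen bytes of the frame are seen."""
    pkt = frame if caplen is None else frame[:caplen]
    off = 0
    if len(pkt) < 14 or pkt[12:14] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    off += 14
    ihl = (pkt[off] & 0x0F) * 4
    if pkt[off + 9] != 17:
        raise ValueError("outer IPv4 is not UDP")
    off += ihl
    dport = struct.unpack("!H", pkt[off + 2:off + 4])[0]
    if dport != VXLAN_PORT:
        raise ValueError("outer UDP is not VXLAN")
    off += 8
    vni = struct.unpack("!I", pkt[off + 4:off + 8])[0] >> 8
    off += 8
    if pkt[off + 12:off + 14] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    off += INNER_ETH_LEN
    if len(pkt) < off + 20:
        raise ValueError("capture ends inside the inner IPv4 header")
    inner_ip_len = struct.unpack("!H", pkt[off + 2:off + 4])[0]
    available = len(pkt) - off       # bytes the decoder has from the inner IP header on
    return {
        "vni": vni,
        "inner_ip_len": inner_ip_len,
        "captured_after_decap": available,
        # This is the comparison that produces "IP dgm len > captured len".
        "dgm_len_gt_caplen": inner_ip_len > available,
    }


if __name__ == "__main__":
    # A full-size 1500-byte inner datagram captured with a 1514-byte snaplen
    # loses its tail to the 50 bytes of VXLAN overhead and trips the warning;
    # the same frame with an unlimited snaplen does not.
    full_size = build_vxlan_frame(1472)
    print(check_vxlan_capture(full_size, caplen=1514))
    print(check_vxlan_capture(full_size))
    print("snaplen needed for a 1500-byte inner datagram:", min_snaplen_for(1500))
```

Running the block shows that a 1500-byte inner datagram needs a snaplen of at least 1564 bytes once it is mirrored over VXLAN, so a capture limited to a plain 1514-byte Ethernet frame would raise the warning on every full-size packet. With the post's -P 65535 that limit is gone, which means a persisting warning points at bytes being cut, or a length field overstating the frame, somewhere before the frames reach Snort rather than at the capture length itself.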
Current thread:
- I'm sure you've seen this before.. Lea H via Snort-users (Oct 03)
- Re: I'm sure you've seen this before.. Dorian ROSSE via Snort-users (Oct 04)