Snort mailing list archives

Question concerning packet statistics...


From: Bob Hillegas <bobhillegas () pdq net>
Date: Thu, 23 Aug 2001 23:20:16 -0500 (CDT)

I generated these statistics by issuing two commands.

1) /usr/local/bin/snort -b -A fast -i ppp0 -u snort -g snort -z est -c
/etc/snort/snort.conf

2) After terminating snort, I issued:
/usr/local/bin/snort -dev -r /var/log/snort/snort-0823@2236.log

During the twelve minutes of operation I retrieved mail from the ISP using
fetchmail (pop3, port 110), ipchains DENY'd 3 accesses to port 80 and
logged it to syslog. The file had zero bytes in it until the interface
went down and the script terminated snort. Then these statistics appeared.

Q1) Why is nothing logged?

Q2) What does "There's no second layer header available for this datalink"
mean?

Q3) I understand that issuing -b and/or -A in the command line overrides
entries in the config file. Exactly which config command is overridden by
each?

At end is extract of snort.conf.

Thanks, BobH


---- snort -r -----
Log directory =

        --== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "snort-0823@2236.log" file.
snaplen = 1514
There's no second layer header available for this datalink

        --== Initialization Complete ==--


===============================================================================

Snort processed 0 packets.
Breakdown by protocol:                Action Stats:

    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
===============================================================================

TCP Stream Reassembly Stats:
   TCP Packets Used:      0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0
===============================================================================

--- grep -v ^# /etc/snort/snort.conf | grep -v '^$' ----
var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET

var DNS_SERVERS $HOME_NET
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, dbname=snort user=snort password=mysql host=localhost
include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include shellcode.rules
include misc.rules
include policy.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules
---- snip ----


-- 
-------------------------------------------------
Bob Hillegas
<bobhillegas () pdq net>
281.546.9311




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
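The binary log that -b writes is a tcpdump-format (pcap) file, so its datalink and its record count can be checked without Snort. The script below is an added example, not code from the original post or from the Snort project. The three files it builds in memory (EMPTY_PPP, TWO_PKT_PPP, CUT_PPP) are constructed test data shaped like a ppp0 capture with snaplen 1514, the IP bytes inside them are only illustrative, and the DLT table is a small subset of libpcap's values. It distinguishes a file that is 0 bytes, a file that is only the 24-byte global header (what a 0-packet run looks like), a healthy file, and one whose last record was cut off, and it reports the datalink the file was captured on, which is what decides whether a second-layer header exists for -e to print.

```python
"""Offline check of a Snort -b binary log (tcpdump/pcap format).

Added example; not code from the original post or from the Snort project.
It reads the pcap global header to report the datalink and snaplen, then
walks the packet records that follow and counts them.
"""
import struct

# A few libpcap DLT_* values.  DLT_PPP (9) is what a ppp0 capture carries;
# the members of NO_L2_HEADER have no Ethernet-style second-layer header.
LINK_TYPES = {0: "NULL", 1: "EN10MB", 8: "SLIP", 9: "PPP", 12: "RAW"}
NO_L2_HEADER = {"NULL", "SLIP", "PPP", "RAW"}

GLOBAL_HDR = 24  # magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) network(4)
RECORD_HDR = 16  # ts_sec(4) ts_usec(4) incl_len(4) orig_len(4)


def inspect_pcap(data: bytes) -> dict:
    """Return datalink, snaplen, packet count and truncation state of a pcap blob."""
    if len(data) == 0:
        return {"empty_file": True, "packets": 0, "linktype": None, "linktype_name": None,
                "snaplen": None, "has_l2_header": None, "truncated": False}
    if len(data) < GLOBAL_HDR:
        raise ValueError("shorter than the 24-byte pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:      # written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:    # written big-endian
        endian = ">"
    else:
        raise ValueError(f"not a pcap file: magic {magic:#010x}")
    _major, _minor, _zone, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR])
    name = LINK_TYPES.get(linktype, f"DLT_{linktype}")

    packets, truncated, pos = 0, False, GLOBAL_HDR
    while pos < len(data):
        if pos + RECORD_HDR > len(data):
            truncated = True     # record header itself is cut off
            break
        _sec, _usec, incl_len, _orig = struct.unpack(
            endian + "IIII", data[pos:pos + RECORD_HDR])
        pos += RECORD_HDR
        if incl_len > snaplen or pos + incl_len > len(data):
            truncated = True     # bogus length, or payload cut off mid-write
            break
        pos += incl_len
        packets += 1
    return {"empty_file": False, "linktype": linktype, "linktype_name": name,
            "snaplen": snaplen, "has_l2_header": name not in NO_L2_HEADER,
            "packets": packets, "truncated": truncated}


def build_pcap(linktype: int, payloads, snaplen: int = 1514) -> bytes:
    """Construct a little-endian pcap file in memory (test data, not a real capture)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 998600000 + i, 0, len(p), len(p)) + p
    return out


# Constructed samples.  EMPTY_PPP is the shape of a 0-packet ppp0 log:
# DLT_PPP, snaplen 1514, global header and nothing else.
EMPTY_PPP = build_pcap(9, [])
# A PPP-framed IP packet: ff 03 HDLC address/control, 0021 = IP protocol,
# then a minimal 20-byte IPv4 header (checksum/addresses left as zeros).
PPP_IP = bytes.fromhex("ff030021") + bytes.fromhex("45000014000040004006") + b"\x00" * 10
TWO_PKT_PPP = build_pcap(9, [PPP_IP, PPP_IP])
# Same file with the second record cut off part-way through its payload.
CUT_PPP = TWO_PKT_PPP[:-5]


def describe(data: bytes) -> str:
    """One-line human summary of inspect_pcap()."""
    r = inspect_pcap(data)
    if r["empty_file"]:
        return "0 bytes: not even a pcap global header was written"
    l2 = "" if r["has_l2_header"] else " (no second-layer header for -e to print)"
    t = ", last record truncated" if r["truncated"] else ""
    return (f"datalink {r['linktype_name']}{l2}, snaplen {r['snaplen']}, "
            f"{r['packets']} packet(s){t}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(describe(fh.read()))
    else:
        for label, blob in (("empty", EMPTY_PPP), ("two", TWO_PKT_PPP), ("cut", CUT_PPP)):
            print(f"{label:>5}: {describe(blob)}")
```

Run it with the log's path as its argument (for instance the snort-0823@2236.log file from the post) or with no argument to see the three constructed samples; a real log that reports DLT_PPP with 0 packets has a complete header and no records, which is a different failure from a 0-byte file or a file that was cut off while being written.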

