Snort mailing list archives
Question concerning packet statistics...
From: Bob Hillegas <bobhillegas () pdq net>
Date: Thu, 23 Aug 2001 23:20:16 -0500 (CDT)
I generated these statistics by issuing two commands.

1) /usr/local/bin/snort -b -A fast -i ppp0 -u snort -g snort -z est -c /etc/snort/snort.conf

2) After terminating snort, I issued:
   /usr/local/bin/snort -dev -r /var/log/snort/snort-0823@2236.log

During the twelve minutes of operation I retrieved mail from ISP using fetchmail (pop3, port 110); ipchains DENY'd 3 accesses to port 80 and logged it to syslog. The file had zero bytes in it until the interface went down and the script terminated snort. Then these statistics appeared.

Q1) Why is nothing logged?

Q2) What does "There's no second layer header available for this datalink" mean?

Q3) I understand that issuing -b and/or -A in the command line overrides entries in the config file. Exactly which config command is overridden by each?

At end is extract of snort.conf.

Thanks, BobH

---- snort -r -----

Log directory =

--== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "snort-0823@2236.log" file.
snaplen = 1514
There's no second layer header available for this datalink

--== Initialization Complete ==--

===============================================================================
Snort processed 0 packets.
Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
===============================================================================
TCP Stream Reassembly Stats:
   TCP Packets Used:      0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0
===============================================================================

--- cat /etc/snort/snort.conf | grep -v ^# | grep -v ^$ ----

var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, dbname=snort user=snort password=mysql host=localhost
include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include shellcode.rules
include misc.rules
include policy.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules

---- snip ----

--
-------------------------------------------------
Bob Hillegas <bobhillegas () pdq net>
281.546.9311

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
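Added example (not part of Bob's post and not Snort's own code): a small offline inspector for the tcpdump-format file that Snort's -b option writes. It distinguishes the three states a "0 packets" report can hide: an empty file with no global header at all, a valid header with no packet records behind it, and a file whose records were cut off when the process was stopped. It also reports the libpcap datalink code, so the interface type the file was captured on (Ethernet, PPP, ...) can be read straight from the header. Everything is assumed from the public libpcap file format; the DLT code table is a partial copy of the libpcap constants, and the sample files at the bottom are constructed in memory rather than taken from the poster's system.

```python
"""Inspect a Snort -b (tcpdump/libpcap format) binary log offline.

Added example, not from the original post or from Snort. Assumes only the
public libpcap file layout: a 24-byte global header followed by 16-byte
per-packet headers, each followed by its captured bytes.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HEADER_LEN = 24
PACKET_HEADER_LEN = 16

# Partial copy of the libpcap DLT_* codes (assumed from the libpcap headers).
DLT_NAMES = {
    0: "DLT_NULL",
    1: "DLT_EN10MB (Ethernet)",
    9: "DLT_PPP",
    12: "DLT_RAW",
}


def parse_pcap(data):
    """Summarise a libpcap byte string; raise ValueError if it is unreadable."""
    if len(data) == 0:
        raise ValueError("file is empty: no global header was ever written")
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file is shorter than the 24-byte libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("unknown magic 0x%08x: not a libpcap file" % magic)
    _, major, minor, _tz, _sig, snaplen, network = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HEADER_LEN])
    # Walk the packet records; a record that runs past EOF means the writer
    # was stopped mid-write (or the file was copied before it was flushed).
    off, packets, truncated = GLOBAL_HEADER_LEN, 0, False
    while off < len(data):
        if off + PACKET_HEADER_LEN > len(data):
            truncated = True
            break
        _sec, _usec, incl_len, _orig = struct.unpack(
            endian + "IIII", data[off:off + PACKET_HEADER_LEN])
        off += PACKET_HEADER_LEN
        if off + incl_len > len(data):
            truncated = True
            break
        off += incl_len
        packets += 1
    return {
        "version": (major, minor),
        "snaplen": snaplen,
        "datalink": network,
        "datalink_name": DLT_NAMES.get(network, "DLT %d" % network),
        "packets": packets,
        "truncated": truncated,
    }


def diagnose(data):
    """One-line explanation of what a log file actually contains."""
    try:
        info = parse_pcap(data)
    except ValueError as exc:
        return "not readable: %s" % exc
    if info["packets"] == 0:
        return ("valid header (%s, snaplen %d) but zero packet records: "
                "nothing was ever handed to the logger"
                % (info["datalink_name"], info["snaplen"]))
    tail = ", last record truncated" if info["truncated"] else ""
    return "%d packet(s), datalink %s%s" % (
        info["packets"], info["datalink_name"], tail)


def make_pcap(datalink, payloads, snaplen=1514):
    """Build a little-endian libpcap file in memory (constructed test data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, datalink)
    for i, payload in enumerate(payloads):
        out += struct.pack("<IIII", 998600000 + i, 0, len(payload), len(payload))
        out += payload
    return out


# Constructed samples: an empty file, a PPP-datalink file with a header but no
# records, and a PPP file holding two dummy 24-byte frames (PPP/IP protocol
# bytes followed by filler, not real traffic).
EMPTY_LOG = b""
PPP_NO_PACKETS = make_pcap(9, [])
PPP_TWO_PACKETS = make_pcap(9, [b"\xff\x03\x00\x21\x45" + b"\x00" * 19] * 2)

if __name__ == "__main__":
    for name, blob in (("empty", EMPTY_LOG), ("ppp-0", PPP_NO_PACKETS),
                       ("ppp-2", PPP_TWO_PACKETS), ("ppp-cut", PPP_TWO_PACKETS[:-5])):
        print("%-8s -> %s" % (name, diagnose(blob)))
```

Run it against a real log with `diagnose(open(path, "rb").read())`. A zero-byte file and a header-only file both show up as "0 packets" in Snort's own summary, but they point at different causes: the first means the log writer never opened its output, the second means it opened it and no packet was passed to it.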