Snort mailing list archives

Re: What are the "other" protocols?


From: Phil Wood <cpw () lanl gov>
Date: Tue, 31 Jul 2001 09:01:26 -0600


On Tue, Jul 31, 2001 at 08:34:27AM -0400, Jones, Benny wrote:
> Sending a SIGUSR1 to the snort process causes it to
> write some interesting statistics to the system log
> file.  Under the "Breakdown by protocol:" column,
> I find that about 4% of my traffic falls under "other".
> 
> What is this?  Is there a way (using snort) to log or
> view it?

One way would be to include a restrictive bpf filter '(tcp or udp or icmp)'
that would cause libpcap to pass tcp or udp or icmp to the alert detector
in snort.  In a separate process you could run tcpdump using a filter
'not (tcp or udp or icmp)'.

Then you would at least know what other protocols were being used on your
network.

There is the "ip" alert/log syntax which I have not used.  Maybe that is
a way to get what you want. Sorry, that's all I got.  Off to a meeting.

Bye


> (As an aside, on my Solaris 8 sensor, sending 2 successive
> SIGUSR1s to snort will cause the process to abort.)
> 
> Thanks in advance.
> 
> Benny

-- 
Phil Wood, cpw () lanl gov
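The two-process split Phil suggests leaves you with a capture of exactly what Snort's filter excluded, but you still have to look inside it to learn which protocols make up the "other" bucket. The following Python is an added example, not code from the post or from Snort or tcpdump: it reads a libpcap file such as tcpdump would write with `'not (tcp or udp or icmp)'` and tallies frames by IP protocol number (and by EtherType for non-IP frames). The pcap parser is a minimal one that assumes an Ethernet link type, the protocol-name table covers only a few well-known IANA numbers, and the sample capture is constructed inline rather than taken from a real sensor.

```python
"""Itemise what would land in Snort's "other" bucket.

Reads a libpcap file (e.g. one written with
    tcpdump -w other.pcap 'not (tcp or udp or icmp)'
as Phil describes) and counts frames per protocol. Minimal parser:
Ethernet link type only; sample capture is constructed below."""
import struct
from collections import Counter

# Small table of IANA protocol numbers; anything else is reported by number.
IP_PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 47: "gre",
                  50: "esp", 51: "ah", 89: "ospf"}
ETHERTYPE_NAMES = {0x0800: "ip", 0x0806: "arp", 0x86DD: "ipv6"}


def classify(frame: bytes) -> str:
    """Return the bucket one Ethernet frame belongs to (tcp/udp/icmp or other:<what>)."""
    if len(frame) < 14:
        return "other:truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:  # not IPv4: ARP, IPv6, anything else
        return "other:" + ETHERTYPE_NAMES.get(ethertype, "ethertype-0x%04x" % ethertype)
    if len(frame) < 14 + 20:
        return "other:truncated"
    proto = frame[14 + 9]  # IPv4 header byte 9 is the protocol field
    if proto in (1, 6, 17):
        return IP_PROTO_NAMES[proto]
    return "other:" + IP_PROTO_NAMES.get(proto, "ip-proto-%d" % proto)


def read_pcap(data: bytes):
    """Yield captured frames from libpcap file bytes (either byte order)."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("this example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def breakdown(pcap_bytes: bytes) -> Counter:
    """Per-bucket frame counts, like Snort's 'Breakdown by protocol' with 'other' itemised."""
    return Counter(classify(f) for f in read_pcap(pcap_bytes))


def other_share(counts: Counter) -> float:
    """Fraction of frames that fall outside tcp/udp/icmp."""
    total = sum(counts.values())
    other = sum(n for k, n in counts.items() if k.startswith("other:"))
    return other / total if total else 0.0


# --- constructed sample capture (not real traffic) ---
def _frame(ethertype: int, ip_proto=None) -> bytes:
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    if ip_proto is None:
        return eth + b"\x00" * 28  # ARP-sized dummy payload
    ip = (bytes([0x45, 0]) + struct.pack("!H", 20) + b"\x00" * 4
          + bytes([64, ip_proto]) + b"\x00" * 2
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    return eth + ip


def build_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + body


SAMPLE_PCAP = build_pcap(
    [_frame(0x0800, 6)] * 3 + [_frame(0x0800, 17)] * 2 + [_frame(0x0800, 1)]
    + [_frame(0x0800, 47), _frame(0x0806), _frame(0x0800, 89), _frame(0x0800, 253)]
)

if __name__ == "__main__":
    counts = breakdown(SAMPLE_PCAP)
    for bucket, n in counts.most_common():
        print("%-22s %d" % (bucket, n))
    print("other share: %.1f%%" % (100 * other_share(counts)))
```

Point it at a real file by replacing `SAMPLE_PCAP` with the bytes of the tcpdump output; the `other:` entries are the protocols Snort's summary lumps together.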


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

