Snort mailing list archives
Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss)
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 2 Aug 2001 15:03:44 +1200
On Wed, Aug 01, 2001 at 07:18:43PM -0700, Dragos Ruiu wrote:
> Quick Isolation Q? Is everyone who is seeing this running under Linux?
Yeah. In case it will help, I just SIGUSR1'ed my running snort. Here's the
results (it's only been running since yesterday morning - I upgraded it before
the supposed Code Red onslaught)

===============================================================================
Snort analyzed 14083760 out of 14083760 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 5455743    (38.738%)         ALERTS: 61
    UDP: 142600     (1.013%)          LOGGED: 61
   ICMP: 182873     (1.298%)          PASSED: 419651
    ARP: 4252       (0.030%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 8293208    (58.885%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 20200    (0.143%)
   Rebuilt IP Packets: 5016
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 68
===============================================================================
> --dr
>
> On Wed, 01 Aug 2001, Jason Haar wrote:
> > Can someone check this out?
> >
> > I've had snort running fine under Linux-2.4.x for some time now, but now
> > I'm running 1.8.1-beta5 I'm seeing the same thing.
> >
> > Knowing CodeRed was out there, I checked my snort logs this morning to find
> > that our Apache (:-) server had received ONE CodeRed hit. That didn't seem
> > right so I checked its logs. SIX hits. As with Matthew, snort detected the
> > first one, and missed the next five...
> >
> > Sounds too much of a coincidence, anyone else see this?
> >
> > More info. Snort detected and reported other scans between the first and
> > second CodeRed hits, so it was picking other things up...
> >
> > Snort-1.8.1-beta5, with http://snort.sourceforge.net/snortrules.tar.gz rules
> > downloaded yesterday (yup, 20+ hours before CodeRed hit). Could the rules
> > themselves be at fault?
> >
> > preprocessor stream4: detect_scans, keepstats, timeout 30, memcap 8388608
> > preprocessor stream4_reassemble: both, ports 21 23 25 53 80 3128 143 110 111 513
> > preprocessor unidecode: 80 3128 -unicode -cginull
> > preprocessor frag2
> >
> > On Wed, Aug 01, 2001 at 12:05:20PM -0500, Chris Green wrote:
> > > "Matthew Collins" <Matthew.Collins () northernregistrars co uk> writes:
> > > > I've got snort 1.7 running on a Linux 2.2.19 (Debian) system. The code
> > > > red worm is starting to get going now, and I've noticed an oddity. I've
> > > > got one alert for .ida attempt in my snort log
> >
> > --
> > Cheers
> > Jason Haar
> > Unix/Special Projects, Trimble NZ
> > Phone: +64 3 9635 377 Fax: +64 3 9635 417
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
> gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
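The check Jason did by hand (compare the web server's own log against what the IDS alerted on, then look at Snort's drop counter to decide whether the capture layer or the detection pipeline lost the events) can be scripted. The block below is an added example, not code from the thread or from the Snort project. It parses a statistics block shaped like the one quoted above, counts requests for a `.ida` resource in constructed Apache combined-log lines, counts `.ida attempt` alerts in constructed, simplified alert-fast-style lines, and reports the discrepancy. All log lines, client addresses and timestamps are constructed for the example; the `default.ida` path is the well-known Code Red request target.

```python
import re

# Constructed statistics block, same layout as Snort 1.8's SIGUSR1 output,
# trimmed to the lines the reconciliation actually reads.
SNORT_STATS = """\
===============================================================================
Snort analyzed 14083760 out of 14083760 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 5455743    (38.738%)         ALERTS: 61
    UDP: 142600     (1.013%)          LOGGED: 61
   ICMP: 182873     (1.298%)          PASSED: 419651
===============================================================================
"""

# Constructed Apache combined-log excerpt: six .ida requests and two ordinary hits.
APACHE_LOG = """\
10.0.0.1 - - [01/Aug/2001:09:12:33 +1200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
10.0.0.2 - - [01/Aug/2001:09:40:10 +1200] "GET /index.html HTTP/1.0" 200 1043
10.0.0.3 - - [01/Aug/2001:10:05:51 +1200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
10.0.0.4 - - [01/Aug/2001:11:22:07 +1200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
10.0.0.5 - - [01/Aug/2001:12:48:19 +1200] "GET /cgi-bin/status HTTP/1.0" 200 512
10.0.0.6 - - [01/Aug/2001:13:01:44 +1200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
10.0.0.7 - - [01/Aug/2001:14:37:02 +1200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
10.0.0.8 - - [01/Aug/2001:15:59:28 +1200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
"""

# Constructed, simplified alert-fast-style lines: only the first .ida hit alerted.
SNORT_ALERTS = """\
08/01-09:12:33.512345 [**] WEB-IIS ISAPI .ida attempt [**] {TCP} 10.0.0.1:2034 -> 192.0.2.10:80
08/01-10:30:12.004421 [**] SCAN nmap TCP [**] {TCP} 10.0.0.9:44123 -> 192.0.2.10:22
"""

STATS_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets, dropping (\d+)\(")
ACTION_RE = re.compile(r"(ALERTS|LOGGED|PASSED): (\d+)")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def parse_snort_stats(text):
    """Pull the packet counters and action counts out of a Snort stats dump."""
    m = STATS_RE.search(text)
    if m is None:
        raise ValueError("no 'Snort analyzed' line found")
    stats = {"analyzed": int(m.group(1)),
             "received": int(m.group(2)),
             "dropped": int(m.group(3))}
    for name, value in ACTION_RE.findall(text):
        stats[name.lower()] = int(value)
    return stats


def web_ida_hits(log_lines):
    """Client addresses of requests whose path (query string stripped) ends in .ida."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and m.group(1).split("?", 1)[0].lower().endswith(".ida"):
            hits.append(line.split()[0])
    return hits


def ids_ida_alerts(alert_lines):
    """Alert lines whose message names the .ida attempt signature."""
    return [line for line in alert_lines if ".ida attempt" in line]


def reconcile(stats, web_hits, ids_alerts):
    """Compare independent evidence of the same events and classify the gap.

    A zero drop counter with missed events points away from the capture layer
    (libpcap / kernel) and toward preprocessing or rule matching.
    """
    missed = max(len(web_hits) - len(ids_alerts), 0)
    drop_pct = round(100.0 * stats["dropped"] / max(stats["received"], 1), 3)
    return {
        "capture_drop_pct": drop_pct,
        "web_hits": len(web_hits),
        "ids_alerts": len(ids_alerts),
        "missed": missed,
        "suspect_detection_pipeline": missed > 0 and stats["dropped"] == 0,
    }


def run_reconciliation():
    """Convenience wrapper that runs the check over the constructed samples."""
    stats = parse_snort_stats(SNORT_STATS)
    hits = web_ida_hits(APACHE_LOG.splitlines())
    alerts = ids_ida_alerts(SNORT_ALERTS.splitlines())
    return reconcile(stats, hits, alerts)


if __name__ == "__main__":
    for key, value in run_reconciliation().items():
        print(f"{key}: {value}")
```

The useful output is the combination: `capture_drop_pct` of 0.0 alongside a non-zero `missed` count says the packets reached Snort and were lost somewhere after capture, which is exactly the situation the thread is trying to isolate. Running the same reconciliation against a second, independent sensor or a tcpdump capture of port 80 narrows it further.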
Current thread:
- Linux and packet loss Matthew Collins (Aug 01)
- Re: Linux and packet loss Chris Green (Aug 01)
- Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Dragos Ruiu (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Steve Williams (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss Jason Haar (Aug 02)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss Andreas Östling (Aug 02)
- Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Daniel Harrison (Aug 02)
- Re: Linux and packet loss Chris Green (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Martin Roesch (Aug 09)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 09)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Martin Roesch (Aug 09)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Martin Roesch (Aug 09)
- <Possible follow-ups>
- Re: Linux and packet loss Matthew Collins (Aug 02)
- Re: Linux and packet loss Jason Haar (Aug 02)