Snort mailing list archives

RE: snort with 2 nics - collecting only UDP data


From: "Tinu Patel" <tinu.patel () insignis com>
Date: Tue, 27 Nov 2001 14:19:12 -0600

Thanks....hopefully this will help me out.....but the thing that is
confusing me is that why would it still work fine with the external
interface, but not the internal interface connected to the LAN?  The
configuration is exactly the same, only the ip addresses are different!

Tinu

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Tuesday, November 27, 2001 2:15 PM
To: Tinu Patel
Subject: RE: [Snort-users] snort with 2 nics - collecting only UDP data
Check your snort.conf file:

look for these lines in the first half of the file (each has large
comment blocks following it describing what they do)

preprocessor stream4: detect_scans

preprocessor stream4_reassemble

preprocessor http_decode: 80 -unicode -cginull


Disable them by adding a # to the beginning of the line

At 03:07 PM 11/27/2001, you wrote:

What is spp_stream4 and http_decode?  How do I disable them?

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Tuesday, November 27, 2001 1:54 PM
To: Tinu Patel
Subject: RE: [Snort-users] snort with 2 nics - collecting only UDP data

Do you have spp_stream4 on? This does some stateful inspection and
filters a lot of harmless garbage out, but it also means that unless the
packets you are observing wind up with established connections they may
not be processed by your log rule.

If your desire is to log everything I'd disable all the spp_stream*
preprocessors and the http_decode one. I'd also consider disabling the
fragmentation processors.

Those suggestions aside, I'd try getting the system working with
snort's default logging first, then switch to acid/mysql. This will take
mysql and acid setup problems out of the possible sources of your
problem.

Once it works with the default logging, if it stops working when
you enable acid, it's likely an acid/mysql setup problem. Unfortunately
I can't help you with those problems, I use the default logging and
snortsnarf.

At 02:34 PM 11/27/2001, you wrote:

Thanks a lot for the feedback... I removed the extra any from the
snort.conf file... and I am using log because I am entering data into a
mysql database and using ACID as a front end.  In my snort.conf file if
I do :

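Added example, not from this thread or the Snort project: a small Python script that scans a snort.conf for active `preprocessor` lines, reports them, and returns a copy with the stream4* and http_decode lines commented out as the reply suggests, so the setup can be tested with default logging before ACID/mysql is brought back in. The snort.conf fragment inside it is constructed for illustration; only the three preprocessor lines are the ones named in the thread.

```python
import re

# Constructed sample snort.conf fragment (not from the thread); the three
# preprocessor lines are the ones the reply tells the poster to look for.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
# preprocessor portscan: $HOME_NET 4 3 portscan.log
output database: log, mysql, user=snort dbname=snort host=localhost
"""

# Preprocessor name prefixes to disable while troubleshooting.
# "stream4" covers both stream4 and stream4_reassemble (the spp_stream* family).
DEFAULT_TARGETS = ("stream4", "http_decode")

PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")

def active_preprocessors(conf_text):
    """Return the names of preprocessor lines that are not commented out."""
    found = []
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        if m:
            found.append(m.group(1))
    return found

def disable_preprocessors(conf_text, targets=DEFAULT_TARGETS):
    """Comment out every active preprocessor whose name starts with one of
    targets. Returns (new_text, disabled_names). Lines already commented
    out, and preprocessors not in targets, are left untouched."""
    out, disabled = [], []
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        if m and m.group(1).startswith(tuple(targets)):
            out.append("# " + line)
            disabled.append(m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled

if __name__ == "__main__":
    print("active:", active_preprocessors(SAMPLE_CONF))
    new_conf, gone = disable_preprocessors(SAMPLE_CONF)
    print("disabled:", gone)
    print(new_conf)
```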