Snort mailing list archives
RE: trace files filling with ICMP
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Fri, 28 Dec 2001 12:12:25 -0500
Thanks Phil.....info you requested is below.

I am using Snort Version 1.8.1-RELEASE (Build 78)
Running Red Hat Linux 7.0 on a Compaq DL360 (x86 architecture)

Script I use to start Snort (I use this on all my Snort boxes and it has always worked fine):

/usr/local/bin/snort -A fast -c /etc/snort/snort.conf -i eth0 -l /var/log/snort -o -N -b -L traces

Problem: Even though I have ICMP.RULES and ICMP-INFO.RULES commented out in snort.conf, my "traces" file fills up with ICMP related info, so much that the traces file is about 700 meg each day. I am using the latest Snort-current rules from Snort.org and have all of the .RULES files enabled except for icmp.rules and icmp-info.rules (I just tried this as a test). Note that even though the traces file fills with ICMP info, the actual alerts file does not have any ICMP related alerts.

Example from traces file below. Note this is just part of the packet. For example, this trace for this particular machine to machine communication actually lasts about 10 full screens in the traces file, which is kind of odd because normally traces are 15 lines or so.

I have seen no Snort error messages.

Anyone have any ideas on this? In the meantime I will upgrade to the latest Snort and Snort rules just to rule out anything there......Thanks.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/27-00:16:16.967053 10.10.10.10 -> 204.71.200.75 ICMP TTL:254 TOS:0x0 ID:30677 IpLen:20 DgmLen:28
-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Thursday, December 27, 2001 4:15 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] trace files filling with ICMP

Normally, when indicating a version one shows the output of the version switch (there are numerous 1.8's out there, some of which can create malformed packets). Your best bet, in getting help from the list, is to have first read the BUGS file, and included the appropriate information from there along with the version:

# snort -V

to assist others in helping you get a grip.

Just because it's Christmas week, I'll ask you to fill in the blanks. An asterisk would be relevant in your case, two asterisks, even more so:

** Snort version:
* System Architecture (Sparc, x86, etc):
** Operating System and version (Linux 2.0.22, IRIX 5.3, etc):
** What rules (if any) you were using:
** What command line switches you were using:
* Any Snort error messages:

On Wed, Dec 26, 2001 at 06:13:11PM -0500, Sheahan, Paul (PCLN-NW) wrote:
Hello, I have Snort 1.8 running on Red Hat Linux 7.0. I just downloaded the latest Snort rules and also installed the latest snort.conf from the archive. My trace files are huge (700 meg) and looking in them I see a lot of traces like below, though my reports aren't showing any ICMP stuff. For some reason the trace feature is gathering all ICMP traffic and it's making the logs unmanageable. Anyone know how to get rid of this? Thanks!

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/23-00:16:14.370558 10.10.10.10 -> 200.200.200.200 ICMP TTL:254 TOS:0x0 ID:12291 IpLen:20 DgmLen:28
-- 
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
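As an added example, not from anyone in this thread, the following Python script triages a Snort 1.x text "traces" file of the kind quoted above: it parses the packet header lines, counts the hex-dump bytes that follow each one, tallies them per protocol and source, and flags packets whose dump is longer than the datagram length in their own header (the 28-byte ICMP packet that runs for ten screens). The ICMP header in the sample is the one Paul quoted; the TCP packet and its payload are constructed.

```python
"""Triage a Snort 1.x text packet log ("traces" file): parse header lines such as
'12/27-00:16:16.967053 10.10.10.10 -> 204.71.200.75 ICMP TTL:254 ... DgmLen:28',
count the hex-dump bytes that follow each, and report what is filling the file."""
import re
from collections import Counter

HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<proto>[A-Z]+) TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9a-fA-F]+) ID:(?P<id>\d+) "
    r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)"
)
# Up to 16 "xx " pairs at the start of a dump line; the ASCII column is ignored.
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2} ){1,16}")

# Constructed sample input. The ICMP header is the one quoted in the thread; the
# TCP packet is made up (RFC 5737 documentation addresses).
SAMPLE_TRACE = """\
12/27-00:16:16.967053 10.10.10.10 -> 204.71.200.75 ICMP TTL:254 TOS:0x0 ID:30677 IpLen:20 DgmLen:28
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

12/27-00:16:17.001200 192.0.2.7:40000 -> 198.51.100.9:80 TCP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:60
47 45 54 20 2F 20 48 54  GET / HT
"""

def parse_trace(text):
    """Return one dict per packet: the header fields plus 'dumped_bytes'."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["dumped_bytes"] = 0
            packets.append(pkt)
        elif packets and (h := HEX_RE.match(line.strip())):
            packets[-1]["dumped_bytes"] += len(h.group(0).split())
    return packets

def summarize(packets):
    """Dumped bytes per protocol and per (src, proto), plus dumps longer than DgmLen."""
    by_proto, by_src, oversized = Counter(), Counter(), []
    for p in packets:
        by_proto[p["proto"]] += p["dumped_bytes"]
        by_src[(p["src"], p["proto"])] += p["dumped_bytes"]
        # DgmLen is the whole IP datagram, so a dump longer than that cannot be the
        # packet's own bytes; this is the "10 screens for a 28-byte packet" oddity.
        if p["dumped_bytes"] > int(p["dgmlen"]):
            oversized.append((p["ts"], p["src"], p["dst"], p["dumped_bytes"]))
    return by_proto, by_src, oversized
```

Run it over a real traces file with `summarize(parse_trace(open(path).read()))`; the `by_src` counter shows which talker and protocol account for the volume, and `oversized` isolates entries whose dump length cannot be explained by the packet itself.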