Snort mailing list archives
Re: snort at a bakeoff.
From: Chris Green <cmg () uab edu>
Date: Tue, 08 Jan 2002 08:34:41 -0600
n3m3s1s () hushmail com writes:
Hi all, I'm running snort in a bakeoff against some other IDSs, and I'm getting some funny results. To begin with, I'm running in the foreground just to make sure it's seeing the correct traffic (snort -i eth2 -L test.log). I've included only the web rules, and I have about 500 sigs loaded, so it's definitely using the snort.conf that I've created. System and traffic specifics are given below.

1st Problem: While snort is running, I'd been opening another window and doing "snort -r test.log" just to keep an eye on what's going on. When I do this, one of two things happens:
1. Snort segfaults.
2. I get real funky results, like only ICMP Port Unreachable alerts (if any) and a total packet count of 0-5.
For segfaults, we need a backtrace, as explained in BUGS. Not sure why you are getting odd errors. Try using a snort command line like

sbin/snort -A fast -b -l ./log -d -i eth1

and see what happens. Try snort -dev -i eth2 to see full dumps of the traffic on your eth2 interface, to make sure it can see everything. The -d is very important: it dumps the application layer of packets to match against. For very historical reasons, it isn't the default.
It doesn't appear that I should be trying to run 2 instances of snort concurrently?
You don't say what OS you are on (I don't know what Dragon uses for their appliances). Most OSes can do this but some can't.
2nd Problem: If I don't try to run snort a second time and just wait for the test to finish, then Ctrl-C, I get a real high drop rate (around 50-60%), but the packet counts seem reasonable. Alerts, Logged, and Passed all say 0.
Are there any events that should be logged?
If I run tcpdump on the same interface, I see tons of web traffic, and the other IDSs in the bakeoff see it too. I don't have my snort.conf file to show, but for the most part it's pretty vanilla. I changed my home net, and commented out some of the rules (everything except web), but other than that it's stock. I'm a bit at a loss, and any help would be GREATLY appreciated.
We now have your snort.conf; try using one of our command lines and tell us what OS you are on.

--
Chris Green <cmg () uab edu>
"Yeah, but you're taking the universe out of context."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
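The first problem in the thread (reading test.log with snort -r while another snort is still writing it, and getting a packet count of 0-5 or a crash) is consistent with reading a libpcap-format log whose last record has only been partially flushed to disk. The thread does not confirm that this is the cause, so treat it as an assumption. The following added example, which is not code from the thread or from the Snort project, shows how a reader that checks record boundaries handles such a file: it counts only complete records and reports how many trailing bytes belong to an unfinished one, instead of trusting a half-written header. The sample capture is constructed inline (three dummy Ethernet-sized payloads); the function names build_pcap and read_pcap are this example's own.

```python
import struct
from typing import List, Tuple

# libpcap file layout: 24-byte global header, then per-packet 16-byte
# record headers (ts_sec, ts_usec, incl_len, orig_len) followed by incl_len bytes.
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16
MAGIC_NATIVE = 0xA1B2C3D4  # read as little-endian from a little-endian file
MAGIC_SWAPPED = 0xD4C3B2A1  # read as little-endian from a big-endian file


def build_pcap(payloads: List[bytes], snaplen: int = 1514, linktype: int = 1) -> bytes:
    """Constructed sample input: a minimal little-endian libpcap file
    (version 2.4, link type 1 = Ethernet) holding the given payloads."""
    out = struct.pack("<IHHiIII", MAGIC_NATIVE, 2, 4, 0, 0, snaplen, linktype)
    for i, payload in enumerate(payloads):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(payload), len(payload))
        out += payload
    return out


def read_pcap(data: bytes) -> Tuple[List[bytes], int]:
    """Parse a libpcap byte string defensively.

    Returns (complete_packets, trailing_bytes). trailing_bytes is the size
    of an unfinished final record (header and/or data not yet flushed by
    the writer); it is 0 for a file that was closed cleanly.
    Raises ValueError on a malformed header rather than reading past it."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than the pcap global header")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MAGIC_NATIVE:
        endian = "<"
    elif magic == MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic 0x%08x)" % magic)
    snaplen, _linktype = struct.unpack_from(endian + "II", data, 16)

    packets: List[bytes] = []
    off = GLOBAL_HDR_LEN
    while off + REC_HDR_LEN <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", data, off
        )
        # A record claiming more bytes than the snaplen (or than the
        # original packet) is corrupt; never use it as a read length.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record header at offset %d" % off)
        end = off + REC_HDR_LEN + incl_len
        if end > len(data):
            break  # record header present but data not fully written yet
        packets.append(data[off + REC_HDR_LEN : end])
        off = end
    return packets, len(data) - off


def packet_count(data: bytes) -> int:
    """Convenience wrapper: number of complete records in the file so far."""
    return len(read_pcap(data)[0])


if __name__ == "__main__":
    sample = build_pcap([b"A" * 60, b"B" * 100, b"C" * 40])
    full, tail = read_pcap(sample)
    print("closed file: %d packets, %d trailing bytes" % (len(full), tail))
    # Simulate reading while the writer has flushed only part of record 3.
    partial, tail = read_pcap(sample[:-20])
    print("mid-write file: %d packets, %d trailing bytes" % (len(partial), tail))
```

The point for the bakeoff setup is that a count of a handful of packets from a log that is still being written is an artifact of where the writer's buffer happened to stop, not a measure of what the sensor saw; comparing counts against tcpdump only makes sense once the writer has closed the file.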
Current thread:
- snort at a bakeoff. n3m3s1s (Jan 06)
- Re: snort at a bakeoff. Kris Kennaway (Jan 06)
- Re: snort at a bakeoff. Martin Roesch (Jan 06)
- Re: snort at a bakeoff. Chris Green (Jan 08)
- Re: snort at a bakeoff. Chris Green (Jan 08)
- <Possible follow-ups>
- Re: Re: snort at a bakeoff. n3m3s1s (Jan 06)
- Re: Re: snort at a bakeoff. n3m3s1s (Jan 08)
- Re: Re: snort at a bakeoff. n3m3s1s (Jan 11)
- Re: snort at a bakeoff. Kris Kennaway (Jan 06)