Snort mailing list archives

RE: Drop statistics and Cisco Catalyst 6500

From: Rich Adamson <radamson () routers com>
Date: Wed, 27 Mar 2002 17:56:50 -0600

Right, Snort only analyzes IP packets, but it does analyze broadcasts and
multicasts (especially on a LAN), too.  There are at least a few
experimental rules that use a destination of 255.255.255.255 (SNMP).

I included the Cisco drop stat just because it was one of the few populated
stats in the output.

We're still left with the question of why Snort is seeing more packets than
the Cisco.


In most corporate environments, the Cisco packet counts should be greater than
or equal to Snort (due to the "other" protocols that are almost always present). 
Dropped packets can't be compared between the two devices.

If Snorts packet counts are greater than the Cisco, then obviously one of the
two can't count.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Drop statistics and Cisco Catalyst 6500 Crow, Owen (Mar 27)
- Re: Drop statistics and Cisco Catalyst 6500 Rich Adamson (Mar 27)
- <Possible follow-ups>
- RE: Drop statistics and Cisco Catalyst 6500 Crow, Owen (Mar 27)
  - RE: Drop statistics and Cisco Catalyst 6500 Rich Adamson (Mar 27)
  - Re: Drop statistics and Cisco Catalyst 6500 Dr. Richard W. Tibbs (Mar 27)
- RE: Drop statistics and Cisco Catalyst 6500 Madziarczyk, Jonathan (Mar 27)
- RE: Drop statistics and Cisco Catalyst 6500 Crow, Owen (Mar 27)