Snort mailing list archives

Re: Snort is not seeing all traffic...


From: PJ-ML <p.jones.ml () xsb com>
Date: Thu, 08 May 2003 21:42:44 -0400

Thanks, VERY effective. I saw all the packets to the specific host...10167 packets received by filter, 2037 packets dropped by kernel. So it is seeing traffic to those "servers" that I thought it could not see before.

With that said, I am thinking that either my IDS is too weak a machine and it is dropping packets (at the wrong time) because it cannot handle the load, OR I have my snort configured incorrectly (which would not surprise me). I had someone use "Retina" to scan the host...from port scan to http attacks, and I saw those packets scrolling in my term, as well as when I was just using CIS-5.0.02 on those same hosts. Not sure what I am doing incorrectly.

~PJ



At 11:23 PM 5/7/2003 -0400, PJ-ML wrote:
The ethernet link to hub and to other parts of the network are all 100. Could it be the speed of the server? I am lost in fog. Not sure where to go, I know that I must tune the server...but I do not know what to tune if it is not seeing even purposeful exploits...I will be more than happy to give any more info that anyone requires to help me figure this out except for the root password to my machine ;-)

I'd first see if your snort box even has the packets sent to it, using the all-seeing tcpdump tool.

Run tcpdump -n -i (whatever interface) host (target of attack) and then re-run the attack. Does tcpdump spit out packets?

As an example:

snortbox # tcpdump -n -i eth0 host 10.1.1.1

testbox # attack 10.1.1.1

snortbox should have packets from the attack dumped to the screen. Note that the only reason I added -n to the tcpdump command line is to prevent tcpdump from spending a long time trying to do reverse DNS lookups. If there's no DNS available, tcpdump can hold off printing packets to the screen for a shockingly long time.
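The tcpdump check above answers "do the packets reach the sensor at all?", and the "received by filter / dropped by kernel" summary PJ quoted answers the next question: how many of them the capture host itself is losing before Snort can inspect them. The script below is an added example, not code from the thread or from the Snort project; it wraps the suggested tcpdump invocation (-n, a host filter, and -c to stop after a fixed packet count instead of Ctrl-C) and parses tcpdump's standard exit statistics into a drop percentage. The interface name, host address and the sample statistics text are constructed for illustration; the 10167/2037 figures are the ones from the message above.

```shell
#!/bin/sh
# Added example: turn tcpdump's exit statistics into a kernel-drop percentage
# so a "Snort misses attacks" report can be separated into "packets never
# arrive" versus "packets arrive but the capture host drops them".
#
# When tcpdump stops it prints, on stderr, lines such as (sample text
# constructed from the numbers quoted in the thread):
#   10167 packets received by filter
#   2037 packets dropped by kernel
# Roughly one packet in five lost at the capture layer is consistent with
# an underpowered sensor; Snort can only alert on what libpcap hands it.

# drop_pct STATS_TEXT
#   Prints the integer percentage of captured packets the kernel dropped.
#   Prints 0 and returns non-zero if the statistics cannot be parsed.
drop_pct() {
    received=$(printf '%s\n' "$1" | awk '/received by filter/ {print $1}')
    dropped=$(printf '%s\n' "$1" | awk '/dropped by kernel/ {print $1}')
    if [ -z "$received" ] || [ "$received" -le 0 ] 2>/dev/null; then
        echo 0
        return 1
    fi
    echo $(( ${dropped:-0} * 100 / received ))
}

# capture_check IFACE HOST [COUNT]
#   Runs the tcpdump command suggested in the thread (-n avoids reverse-DNS
#   stalls) until COUNT packets to/from HOST have been seen, discards the
#   per-packet output, and reports the drop ratio from the summary lines.
#   Needs capture privileges on the sensor; the interface and host arguments
#   are whatever your own setup uses (e.g. eth0 and the attacked server).
capture_check() {
    iface=$1
    host=$2
    count=${3:-1000}
    # stderr (statistics) -> captured; stdout (packet lines) -> discarded
    stats=$(tcpdump -n -c "$count" -i "$iface" host "$host" 2>&1 >/dev/null)
    pct=$(drop_pct "$stats")
    printf 'kernel drop rate on %s for host %s: %s%%\n' "$iface" "$host" "$pct"
    if [ "$pct" -ge 5 ]; then
        echo "capture host is losing packets; Snort cannot inspect what it never receives"
    else
        echo "capture drops are low; look at Snort's configuration and rules instead"
    fi
}

# Stand-alone demonstration on the constructed sample text (no capture needed).
SAMPLE_STATS='10167 packets received by filter
2037 packets dropped by kernel'
echo "sample drop rate: $(drop_pct "$SAMPLE_STATS")%"
```

On a real sensor run it as `capture_check eth0 10.1.1.1` while the test traffic is replayed; a high percentage points at the sensor's own capacity (NIC, bus, CPU, buffer sizes) rather than at Snort's rule set.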




