Snort mailing list archives
Re: Snort is not seeing all traffic...
From: PJ-ML <p.jones.ml () xsb com>
Date: Thu, 08 May 2003 21:42:44 -0400
Thanks, VERY effective. I saw all the packets to the specific host...10167 packets received by filter, 2037 packets dropped by kernel. So it is seeing traffic to those "servers" that I thought it could not see before.
With that said, I am thinking that either my IDS is too weak of a machine and it is dropping packets (at the wrong time) because it can not handle the load OR I have my snort configured incorrectly (which would not surprise me). I had someone use "Retina" to scan the host...from port scan to http attacks and I saw those packets scrolling in my term as well as when I was just using CIS-5.0.02 on those same hosts. Not sure what I am doing incorrectly.
~PJ
At 11:23 PM 5/7/2003 -0400, PJ-ML wrote:

> The ethernet link to hub and to other parts of the network are all 100. Could it be the speed of the server? I am lost in fog. Not sure where to go, I know that I must tune the server...but I do not know what to tune if it is not seeing even purposeful exploits...I will be more than happy to give any more info that anyone requires to help me figure this out except for the root password to my machine ;-)

I'd first see if your snort box even has the packets sent to it, using the all-seeing tcpdump tool.

Run tcpdump -n -i (whatever interface) host (target of attack) and then re-run the attack.. does tcpdump spit out packets?

As an example:

    snortbox # tcpdump -n -i eth0 host 10.1.1.1
    testbox # attack 10.1.1.1

snortbox should have packets from the attack dump to the screen. Note that the only reason I added -n to the tcpdump commandline is to prevent tcpdump from spending a long time trying to do reverse DNS lookups. If there's no DNS available tcpdump can hold off printing packets to the screen for a shockingly long time.
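The counters PJ quotes above ("10167 packets received by filter, 2037 packets dropped by kernel") are the summary tcpdump prints when it exits, and they are the quickest way to tell a sensor that cannot see the traffic from one that sees it but cannot keep up. The script below is an added example, not part of this thread and not Snort or tcpdump code: it builds the capture command from Matt's recipe, parses that summary, and turns it into a verdict. The sample summary is constructed from the numbers in the message (the "packets captured" line is an assumption about newer tcpdump versions), and the 1% warning threshold and all function names are assumptions of this example.

```python
import re

# Constructed sample of the summary tcpdump prints to stderr when it exits.
# The "received by filter" / "dropped by kernel" counts are the ones quoted
# in the message above; the "captured" line (printed by newer tcpdump
# releases) is an assumption of this example.
SAMPLE_TCPDUMP_SUMMARY = """\
10167 packets captured
10167 packets received by filter
2037 packets dropped by kernel
"""

# Assumed threshold: kernel drops above 1% of received packets are treated as
# a capture problem worth tuning (bigger socket buffer, faster box, less load).
DROP_WARN_RATIO = 0.01

_SUMMARY_RE = re.compile(
    r"^\s*(\d+)\s+packets?\s+(captured|received by filter|dropped by kernel)\s*$",
    re.MULTILINE,
)
_FIELD = {
    "captured": "captured",
    "received by filter": "received",
    "dropped by kernel": "dropped",
}


def capture_command(interface, target_host):
    """Build the tcpdump argv from the recipe in the thread: -n (no reverse
    DNS lookups), -i <interface>, BPF filter 'host <target>'.  Returned as a
    list so it can be handed to subprocess without shell quoting."""
    return ["tcpdump", "-n", "-i", interface, "host", target_host]


def parse_tcpdump_summary(text):
    """Pull the summary counters out of tcpdump's stderr output."""
    counts = {"captured": None, "received": None, "dropped": None}
    for match in _SUMMARY_RE.finditer(text):
        counts[_FIELD[match.group(2)]] = int(match.group(1))
    if counts["received"] is None or counts["dropped"] is None:
        raise ValueError("tcpdump summary lines not found in output")
    return counts


def assess_capture(text, warn_ratio=DROP_WARN_RATIO):
    """Turn the counters into a sensor-health verdict.

    drop_rate is dropped / received.  Whether 'received by filter' already
    includes the dropped packets is platform dependent (see pcap_stats(3)),
    so treat the ratio as an indicator, not an exact loss figure.
    """
    counts = parse_tcpdump_summary(text)
    received, dropped = counts["received"], counts["dropped"]
    if received == 0:
        # Nothing reached the filter at all: the problem is not load but
        # whether the sniffing interface sees the traffic (hub/span/tap).
        verdict, rate = "NO_TRAFFIC", 0.0
    else:
        rate = dropped / received
        verdict = "DROPPING" if rate > warn_ratio else "OK"
    return {"received": received, "dropped": dropped,
            "drop_rate": rate, "verdict": verdict}


if __name__ == "__main__":
    print("run on the sensor:", " ".join(capture_command("eth0", "10.1.1.1")))
    result = assess_capture(SAMPLE_TCPDUMP_SUMMARY)
    print(f"received={result['received']} dropped={result['dropped']} "
          f"drop_rate={result['drop_rate']:.1%} verdict={result['verdict']}")
```

On the numbers in the thread the verdict is DROPPING at roughly 20%, which separates the two hypotheses PJ raises: the packets do reach the sensor's interface, so the next thing to look at is capture buffer size and machine load rather than cabling or hub placement. A NO_TRAFFIC verdict would point the other way.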