Snort mailing list archives

Re: Alerts not Detected during Import?


From: Erek Adams <erek () snort org>
Date: Thu, 26 Jun 2003 12:30:58 -0400 (EDT)

On Thu, 26 Jun 2003, Dusty Hall wrote:

We are experiencing a problem with Snort not reporting Alerts that we
have in our rules files.  Here's some background:

We copy our Snort tcpdump logs from our sniffer to our MySQL/ACID
system and then import the tcpdump logs into ACID/MySQL.  From the looks
of our alert files the Specific alerts were detected by our sniffer but
not by Snort on our DB box.  So what I'm trying to ask is, do the
tcpdump log files from our sniffer box have all detected alerts in
tcpdump format that were sniffed on the wire?  Is there enough
information from the tcpdump files from our sniffer to process again and
pull out the same alerts?  Here's the steps we use: (Yes we have
identical rules on both systems and both have the same version of
Snort.)

[...good info snipped...]

Yes, there is a reason.

It has to do with stream4.  stream4 looks at all the packets on the net
and tracks state and streams.  snort1 has the view of the network, while
snort2 only has the tcpdump file generated by snort1.  The tcpdump file
_only_ has the packets that triggered the alert--Not the previous ones,
which is what stream4 uses to track things.  So snort2 won't alert on any
rule that has to do with 'flow'.

A quick bit of grepping shows:

        [erek@foofus]/usr/local/build/cvs/snort/rules>wc -l *|tail -1
        3171 total
        [erek@foofus]/usr/local/build/cvs/snort/rules>grep -i flow *.rules | wc -l
        1511

So there's roughly half the rules that won't fire on snort2.  It's not
really a 'bug', it's just more a 'consequence'.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
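The failure mode above, as an added example that is not part of the thread: a small pure-Python pcap reader that reports which TCP streams in a capture appear without their SYN. Such streams start mid-stream, so a stateful preprocessor like stream4 can never establish the flow state that 'flow'-based rules need, and replaying that capture into a second Snort cannot reproduce those alerts. It assumes an Ethernet-framed libpcap file (as Snort's binary logs are), and the two streams it checks are constructed inline.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    # Constructed Ethernet/IPv4/TCP frame for the demo; checksums are left zero.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap_file(frames):
    # Minimal libpcap container: global header (linktype 1 = Ethernet) + one record per frame.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def addr(ip_bytes, port):
    return "%s:%d" % (".".join(str(b) for b in ip_bytes), port)

def streams_missing_syn(pcap):
    """Return the TCP streams in a pcap that never show a SYN, i.e. start mid-stream.
    These are exactly the streams a stream4-style preprocessor cannot build state for."""
    magic = struct.unpack("<I", pcap[:4])[0]
    e = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    seen_syn, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4 / not TCP
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        a, b = addr(ip[12:16], sport), addr(ip[16:20], dport)
        key = tuple(sorted((a, b)))      # one key covers both directions of the stream
        seen_syn[key] = seen_syn.get(key, False) or bool(tcp[13] & SYN)
    return sorted(k for k, ok in seen_syn.items() if not ok)

C, S = b"\x0a\x00\x00\x05", b"\xc0\xa8\x01\x02"   # constructed client / server addresses
FULL = [tcp_frame(C, S, 40000, 80, SYN), tcp_frame(S, C, 80, 40000, SYN | ACK),
        tcp_frame(C, S, 40000, 80, ACK), tcp_frame(C, S, 40000, 80, PSH | ACK, b"GET / HTTP/1.0\r\n")]
ALERT_ONLY = [tcp_frame(C, S, 40001, 80, PSH | ACK, b"GET /cgi-bin/x HTTP/1.0\r\n")]

if __name__ == "__main__":
    for k in streams_missing_syn(pcap_file(FULL + ALERT_ONLY)):
        print("no handshake captured for", k, "- flow-based rules cannot fire on replay")
```

Run against a real alert log, only the streams listed are the ones whose flow-dependent alerts the second sensor will miss; a capture taken with full-session logging on the sniffer avoids the problem.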

