Snort mailing list archives
Re: Span Port to Fiber Tap Problems
From: "Shawn Truax" <Shawn.Truax () mbs gov on ca>
Date: Thu, 23 Oct 2003 02:43:40 -0400
Try getting a vulnerability assessment tool and to a test against a machine behind the Snort Sensor. (Nessus or ISS Realsecure would work) Essentially this will simulate a number of attacks to your network and usually trigger a wide variety of alerts based on the type of vulnerabilities you choose. If your sensor doesn't trigger at all after you run the scan then you might want to verify your IDS placement. Also verify what rules you have on and make sure you don't have a pass rule set somewhere that you don't know about (pass shows 54000 in your log below). If its still not working after all that I am not sure what to suggest trying. Someone else here might have some experience with fibre and snort. I would check your CPU and memory utilization as well and see if its maxing out. Shawn
"Dusty Hall" <halljer () auburn edu> 10/20/03 10:28am >>>
We recently purchased a Fiber tap so we could move away from a Span port. After putting the tap into place and setting up a new system to monitor traffic off this tap I can't quite seem to get Snort working correctly. Using: Snort 2.0.1 Intel Corp. 82544EI Gigabit Ethernet Controller Red Hat 9.0 (Dual Xeon CPU 2.80GHz with 2GB of Memory) Startup Config Below We see tons of traffic using tcpdump but Snort doesn't alert on much more than the CHAT Rules & Portscans. Is it dropping too many packets, it reports dropping 18% (below). Is there any configuration settings that I might need to change? Thanks, -Dusty *-------------------------------- [root@localhost snort_logs]# /usr/local/bin/snort -c /usr/local/snort/etc/snort.conf -o -i eth0 Running in IDS mode Log directory = /var/log/snort Initializing Network Interface eth0 OpenPcap() device eth0 network lookup: eth0: no IPv4 address assigned --== Initializing Snort ==-- Rule application order changed to Pass->Alert->Log Initializing Output Plugins! Decoding Ethernet on interface eth0 Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /usr/local/snort/etc/snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Self preservation threshold: 500 Self preservation period: 90 Suspend threshold: 1000 Suspend period: 30 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: ACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 1 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Stream4_reassemble config: Server reassembly: INACTIVE Client reassembly: ACTIVE Reassembler alerts: ACTIVE Ports: 21 23 25 53 80 110 111 143 513 1433 Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 http_decode arguments: Unicode decoding IIS alternate Unicode decoding IIS double encoding vuln Flip backslash to slash Include additional whitespace separators Ports to decode http on: 80 rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE telnet_decode arguments: Ports to decode telnet on: 21 23 25 119 Using LOCAL time Conversation Config: KeepStats: 0 Conv Count: 32000 Timeout : 60 Alert Odd?: 0 Allowed IP Protocols: All 1669 Snort rules read... 1669 Option Chains linked into 241 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ Rule application order: ->pass->activation->dynamic->alert->log->p2p --== Initialization Complete ==-- -*> Snort! <*- Version 2.0.1 (Build 88) By Martin Roesch (roesch () sourcefire com, www.snort.org) =============================================================================== Snort analyzed 619449 out of 763120 packets, dropping 143671(18.827%) packets Breakdown by protocol: Action Stats: TCP: 362228 (47.467%) ALERTS: 132 UDP: 24004 (3.146%) LOGGED: 126 ICMP: 85282 (11.175%) PASSED: 54744 ARP: 0 (0.000%) EAPOL: 0 (0.000%) IPv6: 0 (0.000%) IPX: 0 (0.000%) OTHER: 4112 (0.539%) DISCARD: 0 (0.000%) =============================================================================== Wireless Stats: Breakdown by type: Management Packets: 0 (0.000%) Control Packets: 0 (0.000%) Data Packets: 0 (0.000%) =============================================================================== Fragmentation Stats: Fragmented IP Packets: 280 (0.037%) Fragment Trackers: 142 Rebuilt IP Packets: 138 Frag elements used: 276 Discarded(incomplete): 0 Discarded(timeout): 134 Frag2 memory faults: 0 =============================================================================== TCP Stream Reassembly Stats: TCP Packets Used: 362228 (47.467%) Stream Trackers: 65924 Stream flushes: 3223 Segments used: 6647 Stream4 Memory Faults: 8531 =============================================================================== Snort exiting ------------------------------------------------------- This SF.net email sponsored by: Enterprise Linux Forum Conference & Expo The Event For Linux Datacenter Solutions & Strategies in The Enterprise Linux in the Boardroom; in the Front Office; & in the Server Room http://www.enterpriselinuxforum.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Span Port to Fiber Tap Problems Dusty Hall (Oct 20)
- <Possible follow-ups>
- RE: Span Port to Fiber Tap Problems larosa, vjay (Oct 20)
- Re: Span Port to Fiber Tap Problems Shawn Truax (Oct 23)
- RE: Span Port to Fiber Tap Problems larosa, vjay (Oct 23)
- RE: Span Port to Fiber Tap Problems Dusty Hall (Oct 23)
- Re: Span Port to Fiber Tap Problems Jeff Nathan (Oct 25)