Snort mailing list archives

Re: Span Port to Fiber Tap Problems


From: "Shawn Truax" <Shawn.Truax () mbs gov on ca>
Date: Thu, 23 Oct 2003 02:43:40 -0400

Try getting a vulnerability assessment tool and do a test against a machine behind the Snort sensor (Nessus or ISS
RealSecure would work). Essentially this will simulate a number of attacks on your network and usually trigger a wide
variety of alerts based on the type of vulnerabilities you choose. If your sensor doesn't trigger at all after you run
the scan then you might want to verify your IDS placement. Also verify what rules you have on and make sure you don't
have a pass rule set somewhere that you don't know about (pass shows 54000 in your log below). If it's still not
working after all that I am not sure what to suggest trying. Someone else here might have some experience with fibre
and snort. I would check your CPU and memory utilization as well and see if it's maxing out.

Shawn

"Dusty Hall" <halljer () auburn edu> 10/20/03 10:28am >>>

  We recently purchased a fiber tap so we could move away from a SPAN port. After putting the tap into place and
setting up a new system to monitor traffic off this tap, I can't quite seem to get Snort working correctly.

Using:
Snort 2.0.1
Intel Corp. 82544EI Gigabit Ethernet Controller
Red Hat 9.0 (Dual Xeon CPU 2.80GHz with 2GB of Memory)
Startup Config Below

  We see tons of traffic using tcpdump, but Snort doesn't alert on much more than the CHAT rules and portscans. Is it
dropping too many packets? It reports dropping 18% (below). Are there any configuration settings that I might need to
change?

Thanks,

-Dusty



*--------------------------------

[root@localhost snort_logs]# /usr/local/bin/snort -c /usr/local/snort/etc/snort.conf -o -i eth0
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0
OpenPcap() device eth0 network lookup: 
        eth0: no IPv4 address assigned

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /usr/local/snort/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30

Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 1
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433 
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

1669 Snort rules read...
1669 Option Chains linked into 241 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->pass->activation->dynamic->alert->log->p2p

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)


===============================================================================
Snort analyzed 619449 out of 763120 packets, dropping 143671(18.827%) packets

Breakdown by protocol:                Action Stats:
    TCP: 362228     (47.467%)         ALERTS: 132       
    UDP: 24004      (3.146%)          LOGGED: 126       
   ICMP: 85282      (11.175%)         PASSED: 54744     
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 4112       (0.539%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 280        (0.037%)
    Fragment Trackers: 142       
   Rebuilt IP Packets: 138       
   Frag elements used: 276       
Discarded(incomplete): 0         
   Discarded(timeout): 134       
  Frag2 memory faults: 0         
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 362228     (47.467%)
         Stream Trackers: 65924     
          Stream flushes: 3223      
           Segments used: 6647      
   Stream4 Memory Faults: 8531      
===============================================================================
Snort exiting
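The exit summary above carries the three signals Shawn points at (drop rate, the PASSED counter, and memory faults in the reassemblers). As an added example, not code from the thread or from the Snort project, here is a small triage script that parses a Snort 2.x exit summary and flags those conditions; the 2% drop threshold is an assumed tuning value, and the sample text is the summary from the post above, trimmed to the relevant lines.

```python
import re

# Lines taken from the Snort 2.0.1 exit summary posted in the thread (trimmed).
SAMPLE_SUMMARY = """\
Snort analyzed 619449 out of 763120 packets, dropping 143671(18.827%) packets

Breakdown by protocol:                Action Stats:
    TCP: 362228     (47.467%)         ALERTS: 132
    UDP: 24004      (3.146%)          LOGGED: 126
   ICMP: 85282      (11.175%)         PASSED: 54744
Fragmentation Stats:
  Frag2 memory faults: 0
TCP Stream Reassembly Stats:
   Stream4 Memory Faults: 8531
"""


def parse_snort_summary(text):
    """Extract the counters a sensor health check needs from a Snort 2.x exit summary."""
    stats = {}
    m = re.search(r"analyzed (\d+) out of (\d+) packets, dropping (\d+)\(([\d.]+)%\)", text)
    if m:
        stats["analyzed"], stats["total"], stats["dropped"] = map(int, m.group(1, 2, 3))
        stats["drop_pct"] = float(m.group(4))
    for key in ("ALERTS", "LOGGED", "PASSED"):          # Action Stats column
        m = re.search(rf"{key}:\s+(\d+)", text)
        if m:
            stats[key.lower()] = int(m.group(1))
    for label, key in (("Stream4 Memory Faults", "stream4_faults"),
                       ("Frag2 memory faults", "frag2_faults")):
        m = re.search(rf"{label}:\s+(\d+)", text)
        if m:
            stats[key] = int(m.group(1))
    return stats


def assess(stats, max_drop_pct=2.0):
    """Return human-readable findings; max_drop_pct is an assumed local threshold."""
    findings = []
    if stats.get("drop_pct", 0.0) > max_drop_pct:
        findings.append(f"drop rate {stats['drop_pct']}% exceeds {max_drop_pct}%: sensor is not keeping up")
    passed = stats.get("passed", 0)
    if passed > stats.get("alerts", 0) + stats.get("logged", 0):
        findings.append(f"{passed} packets matched pass rules: audit the rule set for unintended pass rules")
    if stats.get("stream4_faults", 0) > 0:
        findings.append(f"{stats['stream4_faults']} Stream4 memory faults: session memcap hit, sessions pruned")
    if stats.get("frag2_faults", 0) > 0:
        findings.append(f"{stats['frag2_faults']} frag2 memory faults: fragment memcap hit")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_snort_summary(SAMPLE_SUMMARY)):
        print("WARN:", finding)
```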


