Snort mailing list archives

Re: Help!! Problem testing Snort


From: <ravivsn () roc co in>
Date: Mon, 9 Feb 2004 19:53:05 +0530 (IST)

What are you expecting from snort ;) to generate false positives :)
Snort current version is now improved to the version which generated false
positives.
Snort would have generated BAD-traffic because maybe Stick is generating
malformed packets.
Hmm, I understood your English :) It's not bad.
Cheers,
-Ravi
Rendezvous On Chip (I) Pvt Ltd
http://www.rocsys.com



Hi! Please I need help!!

I'm testing Snort with Stick. I run Stick with Snort signatures, but
Snort doesn't detect them as I expected. I only get a lot of identical
alerts like this:

snort_decoder: Invalid UDP header, length field <8
snort_decoder:Unknown Datagram Decoding Problem

I get a significant number of discarded packets too, but I don't understand
what exactly this means or whether there is any relation. I'm really worried
because I'm not sure whether the detection engine is working well for
signature detection. Most of the time, Snort sends preprocessor messages
(alerts), except for some ICMP or BAD-TRAFFIC rule alerts. It seems strange,
doesn't it?

Snort analyzed 3010 out of 3010 packets, dropping 0(0.000%) packets

Breakdown by protocol:      Action Stats:
TCP: 2122 (70.498%)         ALERTS: 368
UDP: 238 (7.907%)           LOGGED: 736
ICMP: 622 (20.664%)         PASSED: 0
ARP: 16 (0.532%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 250 (8.306%)

I'm sorry if my English is difficult to understand!!

Cheers!!
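
As an added illustration (not part of the original thread and not Snort's own decoder code), the following C example shows the kind of header sanity check behind the "Invalid UDP header, length field <8" alert: the UDP length field counts the 8-byte header plus the data, so a value under 8 can never be valid. All function names and the sample packet are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical names, not Snort's decoder source. */
enum udp_verdict { UDP_OK, UDP_NOT_UDP, UDP_TRUNCATED, UDP_LEN_UNDER_8, UDP_LEN_OVERRUN };

/* Validate the UDP header inside a raw IPv4 packet of pkt_len bytes. */
enum udp_verdict check_ipv4_udp(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 20 || (pkt[0] >> 4) != 4)
        return UDP_NOT_UDP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* IP header length in bytes */
    if (ihl < 20 || ihl > pkt_len || pkt[9] != 17)   /* protocol 17 = UDP */
        return UDP_NOT_UDP;
    size_t avail = pkt_len - ihl;                    /* bytes left for UDP */
    if (avail < 8)
        return UDP_TRUNCATED;                        /* header itself is cut short */
    const uint8_t *udp = pkt + ihl;
    uint16_t ulen = (uint16_t)((udp[4] << 8) | udp[5]); /* length field, network order */
    if (ulen < 8)
        return UDP_LEN_UNDER_8;   /* field includes the 8-byte header, so < 8 is invalid */
    if (ulen > avail)
        return UDP_LEN_OVERRUN;   /* claims more bytes than the packet carries */
    return UDP_OK;
}

/* Constructed sample: 20-byte IPv4 header, 8-byte UDP header, 4 data bytes. */
static const uint8_t sample_ok[32] = {
    0x45,0,0,32, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,
    0x04,0xd2, 0x00,0x35, 0x00,0x0c, 0,0, 'd','a','t','a' };

/* Copy the sample, overwrite its UDP length field, and classify the result. */
enum udp_verdict classify_with_len(uint16_t len_field)
{
    uint8_t pkt[sizeof sample_ok];
    memcpy(pkt, sample_ok, sizeof pkt);
    pkt[24] = (uint8_t)(len_field >> 8);
    pkt[25] = (uint8_t)(len_field & 0xff);
    return check_ipv4_udp(pkt, sizeof pkt);
}

int main(void)
{
    printf("len=12 -> %d, len=3 -> %d, len=13 -> %d\n", (int)classify_with_len(12),
           (int)classify_with_len(3), (int)classify_with_len(13));
    return 0;
}
```

A packet that fails this kind of check is reported at the decoding stage, which is a different alert from one raised by a signature match on the payload.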


