Snort mailing list archives

some packets not seen?


From: Siim Põder <siim () p6drad-teel net>
Date: Mon, 15 Sep 2008 18:47:09 +0300

Hi.

I have a problem that some/all/most packets are not seen by my rules. In
order to show the problem, I made the conf as simple as possible (2.8.3)

# dirs
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so

# output
output alert_syslog: LOG_AUTH LOG_ALERT
include ruleset.conf

and only this rule:
alert tcp SRCIP any -> DSTIP DSTPORT (msg:"packet detected"; sid:33001;
gid:1; rev:1; )

When I initiate a connection from SRCIP to DSTIP:DSTPORT, only one alert
is generated. From this simplistic configuration I would expect one
alert per packet (syn, ack, push, fin, ack), but only the first syn
seems to be seen (or maybe the first ack):

Sep 15 11:45:54 box snort[20223]: [1:33001:1] packet detected {TCP}
SRCIP:52626 -> DSTIP:DSTPORT

I'm not sure if it should make any difference, but the connections are
initiated from the machine running snort in this case (it's a 64-bit
machine, if it makes a difference).

My question is, shouldn't I see all the packets (in 1 direction)
generating alerts in this case? If not, why? How can I make sure that a
rule gets all the data sent?

I stumbled on this problem (or misunderstanding from my part) while
debugging a dynamic rule that wasn't alerting on data sent from local
machine, only for the payload coming from remote machines.

Siim
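The quickest way to answer "how many alerts did this rule produce per connection?" is to count alert lines per 5-tuple in the syslog output, which is what the question above is really asking. The following is an added helper, not part of the original post or of Snort itself: it parses the `alert_syslog` line format shown above (`[gid:sid:rev] msg {PROTO} src:sport -> dst:dport`), groups alerts by flow, and reports flows that produced fewer alerts than the packet count you expect. The sample log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the alert_syslog format from the post.
# Two flows, each producing two alerts; one unrelated non-Snort line.
SAMPLE_LOG = """\
Sep 15 11:45:54 box snort[20223]: [1:33001:1] packet detected {TCP} 10.0.0.1:52626 -> 10.0.0.2:80
Sep 15 11:45:54 box snort[20223]: [1:33001:1] packet detected {TCP} 10.0.0.1:52626 -> 10.0.0.2:80
Sep 15 11:45:55 box snort[20223]: [1:33001:1] packet detected {TCP} 10.0.0.1:52627 -> 10.0.0.2:80
Sep 15 11:45:56 box snort[20223]: [1:33001:1] packet detected {TCP} 10.0.0.1:52627 -> 10.0.0.2:80
Sep 15 11:45:56 box kernel: unrelated line
"""

# Matches "snort[pid]: [gid:sid:rev] msg {PROTO} src:sport -> dst:dport".
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Yield one dict per Snort alert line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()


def alerts_per_flow(text, sid=None):
    """Count alerts per (proto, src, sport, dst, dport), optionally for one sid."""
    counts = Counter()
    for a in parse_alerts(text):
        if sid is not None and int(a["sid"]) != sid:
            continue
        key = (a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
        counts[key] += 1
    return counts


def flows_below_expected(text, expected, sid=None):
    """Return flows whose alert count is lower than the packet count expected.

    For a per-packet rule on a short TCP session (syn, ack, push, fin, ack)
    'expected' would be 5 in one direction; a flow with a count of 1 means
    the sensor only alerted on (or only saw) a single packet.
    """
    return {k: v for k, v in alerts_per_flow(text, sid).items() if v < expected}


if __name__ == "__main__":
    for flow, n in sorted(alerts_per_flow(SAMPLE_LOG, sid=33001).items()):
        print("%s %s:%s -> %s:%s  alerts=%d" % (flow + (n,)))
    print("flows under 5 alerts:", flows_below_expected(SAMPLE_LOG, expected=5, sid=33001))
```

Run it against the real syslog file instead of `SAMPLE_LOG` (for example `flows_below_expected(open("/var/log/auth.log").read(), expected=5, sid=33001)`) to see, per connection, whether the rule fired once or once per packet; if a client-side packet capture on the same host shows more packets for that flow than alerts, the gap is in what Snort is seeing or verifying rather than in the rule.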
