Re: Snort processes more packets than in pcap?

[Joel Esler <jesler () sourcefire com>]

I can't pull the pcap down right now, but I am thinking that, since it's
SMB, you have two packets in the pcap, which accounts for 2 of the 3, the
3rd is most likely the reassembled pseudo packet from the SMB stream.

J

On Mon, Dec 14, 2009 at 9:03 AM, danjobkeule <danjobkeule () web de> wrote:

> Hi, i'm using snort-2.8.3.1. Here is the link to the pcap:
>
> http://uploaded.to/file/la8d4t
>
> Danjobkeule
>
>
> > Hi,
> > what's snort version you use please?
> > maybe send pcap to list ?
> > Regards
> > Rmkml
> > Crusoe-Researches.com
> >
> >
> > On Wed, 9 Dec 2009, danjobkeule wrote:
> >
> > > dear community,
> > >
> > > i am wondering about snort processing 3 packets, although in the pcap i
> > > feed snort with are just 2 packets (both are SMB packets).
> > > How can that be? I assume that some preprocessors "generate" a new
> > > packet, but could anybody give an explanation for that?
> ===============================================================================
> > > Snort processed 3
> > > packets.
> ===============================================================================
> > > Breakdown by protocol (includes rebuilt
> > > packets):
> > > ETH: 3
> > > (100.000%)
> > > ETHdisc: 0
> > > (0.000%)
> > > VLAN: 0
> > > (0.000%)
> > > IPV6: 0
> > > (0.000%)
> > > IP6 EXT: 0
> > > (0.000%)
> > > IP6opts: 0
> > > (0.000%)
> > > IP6disc: 0
> > > (0.000%)
> > > IP4: 3
> > > (100.000%)
> > > IP4disc: 0
> > > (0.000%)
> > > TCP 6: 0
> > > (0.000%)
> > > UDP 6: 0
> > > (0.000%)
> > > ICMP6: 0
> > > (0.000%)
> > > ICMP-IP: 0
> > > (0.000%)
> > > TCP: 2
> > > (66.667%)
> > > UDP: 0
> > > (0.000%)
> > > ICMP: 0
> > > (0.000%)
> > > TCPdisc: 0
> > > (0.000%)
> > > UDPdisc: 0
> > > (0.000%)
> > > ICMPdis: 0
> > > (0.000%)
> > > FRAG: 0
> > > (0.000%)
> > > FRAG 6: 0
> > > (0.000%)
> > > ARP: 0
> > > (0.000%)
> > > EAPOL: 0
> > > (0.000%)
> > > ETHLOOP: 0
> > > (0.000%)
> > > IPX: 0
> > > (0.000%)
> > > OTHER: 0
> > > (0.000%)
> > > DISCARD: 0
> > > (0.000%)
> > > InvChkSum: 0
> > > (0.000%)
> > > S5 G 1: 0
> > > (0.000%)
> > > S5 G 2: 1
> > > (33.333%)
> > > Total:
> > > 3
> ===============================================================================
> > > Action
> > > Stats:
> > >
> > > ALERTS:
> > > 1
> > >
> > > LOGGED:
> > > 1
> > >
> > > PASSED:
> > > 0
> ===============================================================================
> > > Stream5 statistics:
> > > Total sessions: 1
> > > TCP sessions: 1
> > > UDP sessions: 0
> > > ICMP sessions: 0
> > > TCP Prunes: 0
> > > UDP Prunes: 0
> > > ICMP Prunes: 0
> > > TCP StreamTrackers Created: 1
> > > TCP StreamTrackers Deleted: 1
> > > TCP Timeouts: 0
> > > TCP Overlaps: 0
> > > TCP Segments Queued: 1
> > > TCP Segments Released: 1
> > > TCP Rebuilt Packets: 1
> > > TCP Segments Used: 1
> > > TCP Discards: 0
> > > UDP Sessions Created: 0
> > > UDP Sessions Deleted: 0
> > > UDP Timeouts: 0
> > > UDP Discards: 0
> > > Events: 0
> ===============================================================================
> > > HTTP Inspect - encodings (Note: stream-reassembled packets included):
> > > POST methods: 0
> > > GET methods: 0
> > > Headers extracted: 0
> > > Header Cookies extracted: 0
> > > Post parameters extracted: 0
> > > Unicode: 0
> > > Double unicode: 0
> > > Non-ASCII representable: 0
> > > Base 36: 0
> > > Directory traversals: 0
> > > Extra slashes ("//"): 0
> > > Self-referencing paths ("./"): 0
> > > Total packets processed: 3
> ===============================================================================
> > >
> ===============================================================================
> > > Snort exiting
> ------------------------------------------------------------------------------
> > > Return on Information:
> > > Google Enterprise Search pays you back
> > > Get the facts.
> > > http://p.sf.net/sfu/google-dev2dev
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>
>
> ------------------------------------------------------------------------------
> Return on Information:
> Google Enterprise Search pays you back
> Get the facts.
> http://p.sf.net/sfu/google-dev2dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel



-- 
Joel Esler | 302-223-5974 | gtalk: jesler () sourcefire com

------------------------------------------------------------------------------
Return on Information:
Google Enterprise Search pays you back
Get the facts.
http://p.sf.net/sfu/google-dev2dev

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel