Snort mailing list archives
Re: can't log send out packets
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 30 Jan 2012 11:38:40 -0500
Try adding "-k none" to your command line as well.

On Jan 30, 2012, at 11:18 AM, 快乐的狗(!) wrote:
Yes, I can see 8 go past on the screen. I use this command:

d:\Snort\bin>snort.exe -vde -i 1 -c d:\Snort\etc\snort.conf -l d:\Snort\log\

in snort.conf:

alert icmp any any <> any any (content:"abcd";sid:10007777)

Action Stats:
     Alerts: 4 ( 16.000%)
     Logged: 4 ( 16.000%)
     Passed: 0 (  0.000%)

But when I disable the ethernet card and enable the wifi card, I get Alerts: 8 when I ping another IP. Why do I only get 4 alerts when I use the ethernet card but get 8 alerts when I use the wifi card?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/31-00:08:03.048366 00:26:55:BC:0C:1E -> 94:0C:6D:4B:50:2C type:0x800 len:0x4A
192.168.5.104 -> 192.168.5.20 ICMP TTL:64 TOS:0x0 ID:166 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:125  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/31-00:08:03.049248 94:0C:6D:4B:50:2C -> 00:26:55:BC:0C:1E type:0x800 len:0x4A
192.168.5.20 -> 192.168.5.104 ICMP TTL:64 TOS:0x0 ID:36126 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1   Seq:125  ECHO REPLY
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/31-00:08:04.061159 00:26:55:BC:0C:1E -> 94:0C:6D:4B:50:2C type:0x800 len:0x4A
192.168.5.104 -> 192.168.5.20 ICMP TTL:64 TOS:0x0 ID:167 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:126  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/31-00:08:04.062072 94:0C:6D:4B:50:2C -> 00:26:55:BC:0C:1E type:0x800 len:0x4A
192.168.5.20 -> 192.168.5.104 ICMP TTL:64 TOS:0x0 ID:36127 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1   Seq:126  ECHO REPLY
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/31-00:08:05.075069 00:26:55:BC:0C:1E -> 94:0C:6D:4B:50:2C type:0x800 len:0x4A
192.168.5.104 -> 192.168.5.20 ICMP TTL:64 TOS:0x0 ID:168 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:127  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/31-00:08:05.075958 94:0C:6D:4B:50:2C -> 00:26:55:BC:0C:1E type:0x800 len:0x4A
192.168.5.20 -> 192.168.5.104 ICMP TTL:64 TOS:0x0 ID:36128 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1   Seq:127  ECHO REPLY
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/31-00:08:06.089050 00:26:55:BC:0C:1E -> 94:0C:6D:4B:50:2C type:0x800 len:0x4A
192.168.5.104 -> 192.168.5.20 ICMP TTL:64 TOS:0x0 ID:169 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:128  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/31-00:08:06.089964 94:0C:6D:4B:50:2C -> 00:26:55:BC:0C:1E type:0x800 len:0x4A
192.168.5.20 -> 192.168.5.104 ICMP TTL:64 TOS:0x0 ID:36129 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1   Seq:128  ECHO REPLY
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

------------------ Original ------------------
From: "Joel Esler"<jesler () sourcefire com>;
Date: Sun, Dec 25, 2011 00:28 AM
To: "hzmiaowang"<hzmiaowang () qq com>;
Cc: "snort-users"<snort-users () lists sourceforge net>;
Subject: Re: [Snort-users] can't log send out packets

If you run snort -vde on the proper interface, do you see all 8 go past on the screen without analysis? (-c).

--
Joel Esler

On Dec 22, 2011, at 6:51 AM, "hzmiaowang" <hzmiaowang () qq com> wrote:

hi:
I install snort 2.9.1 on a win7 notebook. There are two network cards in my computer. One is wireless, the other is an ethernet card. When I enable the wireless netcard, I can get incoming packets and sent packets in the mysql database. But when I switch to the ethernet netcard, I can only get incoming packets, I can't get sent packets. So I can only get 4 rows when I use alert icmp any any -> any any (content:"abcd";sid:10007777) in snort.conf with the ethernet netcard from WIN7 pinging another IP, while I get 8 rows with the wireless netcard. I installed snort 2.9.1 on another computer with only one netcard. It works right (8 rows with ping). I want to use Snort to log all sql commands when I use WIN7 to manage a remote ORACLE database. When I use snort -vde -c d:\snort\etc\snort.conf (with the ethernet card) I can see 8 ping packets, but why are only 4 incoming packets logged? Thanks a lot, sorry for my poor english.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
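Why "-k none" is the relevant switch here, as an added illustration that is not code from this thread or from Snort: an Ethernet adapter with transmit checksum offload leaves the IPv4 header checksum for the hardware to fill in, so a capture taken on the sending host sees its own outbound packets with an unfilled checksum, while a wireless adapter and the inbound replies carry correct ones. Snort verifies checksums in the decoder before rule evaluation (the "-k" / checksum_mode setting), and a packet that fails is never matched against content:"abcd", which is consistent with 4 alerts instead of 8. The script below builds an echo request with the constructed values from the dump (192.168.5.104 -> 192.168.5.20, ID 166, Seq 125, the 32-byte Windows ping payload), shows the offloaded form failing verification, and models the bypass; all function names are mine.

```python
import socket
import struct

# Constructed values matching the dump in the thread: Windows ping payload,
# 192.168.5.104 -> 192.168.5.20, IP ID 166, ICMP id 1, seq 125.
PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header that already holds
    a correct checksum field the result is 0, which is the verification test."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src, dst, ip_id, icmp_id, seq, payload=PAYLOAD, offload=False):
    """IPv4 ICMP echo request (IpLen 20, DgmLen 60 with the 32-byte payload).
    offload=True mimics a NIC doing IP transmit checksum offload: the capture is
    taken before the hardware fills the field, so the checksum stays zero."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, icmp_id, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0,
                      64, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    if not offload:
        hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def checksums_ok(pkt: bytes):
    """(ip_ok, icmp_ok) as a checksum-verifying decoder would judge them."""
    ihl = (pkt[0] & 0x0F) * 4
    return inet_checksum(pkt[:ihl]) == 0, inet_checksum(pkt[ihl:]) == 0


def reaches_rules(pkt: bytes, checksum_mode="all") -> bool:
    """Model of the decoder policy: with verification on (the default), a packet
    failing its IP or ICMP checksum is never handed to the rule engine, so
    'content:"abcd"' cannot alert on it; '-k none' skips the verification."""
    if checksum_mode == "none":
        return True
    return all(checksums_ok(pkt))


if __name__ == "__main__":
    for offload in (False, True):
        pkt = build_icmp_echo("192.168.5.104", "192.168.5.20", 166, 1, 125,
                              offload=offload)
        print("offload=%s checksums=%s default=%s -k none=%s" % (
            offload, checksums_ok(pkt), reaches_rules(pkt), reaches_rules(pkt, "none")))
```

Disabling verification is a capture-side workaround; the alternative that keeps Snort's checksum check meaningful is to turn off the adapter's transmit checksum offload or to sniff from a separate sensor rather than the sending host.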