Snort mailing list archives
Re: No TCP alerts, only UDP and ICMP
From: Y M <snort () outlook com>
Date: Mon, 10 Dec 2012 21:19:49 +0300
Hi Shane,

No filters are being used at all. Alerts on the reporting GUI were far less than expected and this raised some questions. My initial doubt was that the TCP traffic was filtered right before getting into the sensor. This was not the case as I was able to see all TCP traffic passing through by hooking another machine with wireshark to the link. Then I ran tcpdump from the sensor and sure enough it was reading the expected TCP traffic. Next step was to verify that Snort is actually seeing TCP traffic, which it is in verbose mode only. All works fine with ICMP and UDP including unified2/barnyard2, but not TCP.

Thanks.
YM

________________________________
From: Castle, Shane <scastle () bouldercounty org>
Sent: 12/10/2012 8:58 PM
To: Y M <snort () outlook com>; Lay, James <james.lay () wincofoods com>; snort-users () lists sourceforge net
Subject: RE: [Snort-users] No TCP alerts, only UDP and ICMP

Was wondering - you wouldn't by chance be running with a filter via the "-F" runtime switch (or "config bpf_file" in snort.conf), would you?

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Y M [snort () outlook com]
Sent: Monday, December 10, 2012 10:29
To: Lay, James; snort-users () lists sourceforge net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP

Hi Lay,

Sorry for my late reply. I wouldn't be able to provide a pcap file, at least for now. However, I tried that in Snort, using the -K pcap (I also tried the -b switch) and read that through tcpdump, and I only got UDP packets, with some ICMPs. Running Snort in verbose mode shows that the majority of the traffic is in fact TCP.

Thanks.
YM

________________________________
From: Lay, James <james.lay () wincofoods com>
Sent: 12/10/2012 7:14 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP

Got a small pcap you could share?

James

From: Y M [snort () outlook com]
Sent: Monday, December 10, 2012 9:01 AM
To: Justin Knox
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP

Hi Justin,

Yes I did. I also tried/compared with previously working conf files, the conf file in the tarball, and the conf file from Snort labs, but the behavior remained the same across all configurations.

Thanks.
YM

________________________________
From: Justin Knox <jknox () indexzero org>
Sent: 12/10/2012 6:49 PM
To: Y M <snort () outlook com>
Cc: Marcos Rodriguez <marcos.e.rodriguez () gmail com>; snort-users () lists sourceforge net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP

Hi YM, have you verified that frag3 and stream5 are configured and enabled to support tcp?

-Justin

On Mon, Dec 10, 2012 at 10:23 AM, Y M <snort () outlook com> wrote:

Hi Marcos,

Thanks for your reply. I did try with -k none as suggested and I'm getting the same results, no TCP alerts, just UDP and ICMP.

________________________________
From: Marcos Rodriguez <marcos.e.rodriguez () gmail com>
Sent: 12/10/2012 5:50 PM
To: Y M <snort () outlook com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP

Hi YM,

Could you try again by adding '-k none' please?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
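The '-k none' suggestion in the thread turns off Snort's checksum verification, which is one reason a decoder can see TCP in verbose output yet pass none of it on to detection or unified2 logging. The following Python is an added example, not code from the thread or from Snort: it builds two IPv4/TCP packets (constructed addresses, ports and payload), one with a correct checksum and one whose checksum field was never filled in, and models which of them a decoder with TCP checksum verification enabled would inspect.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo + zeroed)

def build_tcp_packet(src_ip, dst_ip, sport, dport, payload, fill_checksum=True) -> bytes:
    """Constructed IPv4/TCP packet (SYN with data, fixed seq/window). fill_checksum=False
    mimics a capture taken before NIC checksum offload filled the field (left 0: a simplification)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    if fill_checksum:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return ip + tcp

def tcp_checksum_ok(packet: bytes) -> bool:
    """Recompute the TCP checksum of an IPv4 packet and compare it with the stored field."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(packet[12:16], packet[16:20], segment)

def would_be_inspected(packet: bytes, checksum_mode: str = "all") -> bool:
    """Decoder decision modelled here: with TCP checksum verification on (the default), a segment
    with a bad checksum is discarded before detection and unified2 logging ever see it."""
    if packet[9] != 6:                       # not TCP: out of scope for this example
        return True
    if checksum_mode in ("none", "notcp"):   # Snort's -k none / -k notcp skip the TCP check
        return True
    return tcp_checksum_ok(packet)

if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    payload = b"GET / HTTP/1.0\r\n\r\n"                     # constructed payload
    for name, fill in (("good checksum", True), ("unfilled checksum", False)):
        pkt = build_tcp_packet(src, dst, 40000, 80, payload, fill_checksum=fill)
        print(f"{name}: -k all -> {would_be_inspected(pkt)}, -k none -> {would_be_inspected(pkt, 'none')}")
```

Comparing this decision against what tcpdump -vv reports for the same link (it flags "cksum incorrect" on each packet) separates a checksum problem from a stream5/frag3 or BPF filter problem.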
Current thread:
- No TCP alerts, only UDP and ICMP Y M (Dec 10)
- Re: No TCP alerts, only UDP and ICMP Marcos Rodriguez (Dec 10)
- <Possible follow-ups>
- Re: No TCP alerts, only UDP and ICMP Y M (Dec 10)
- Re: No TCP alerts, only UDP and ICMP Justin Knox (Dec 10)
- Re: No TCP alerts, only UDP and ICMP Y M (Dec 10)
- Re: No TCP alerts, only UDP and ICMP Lay, James (Dec 10)
- Re: No TCP alerts, only UDP and ICMP Y M (Dec 10)
- Re: No TCP alerts, only UDP and ICMP Castle, Shane (Dec 10)
- Re: No TCP alerts, only UDP and ICMP JJC (Dec 10)
- Re: No TCP alerts, only UDP and ICMP Castle, Shane (Dec 10)
- Re: No TCP alerts, only UDP and ICMP Y M (Dec 10)
- Re: No TCP alerts, only UDP and ICMP Y M (Dec 10)
- unsubscribe Thomison, Lee (Dec 10)
- Re: unsubscribe Joel Esler (Dec 10)
- Re: No TCP alerts, only UDP and ICMP Peter Bates (Dec 11)
- Re: No TCP alerts, only UDP and ICMP Russ Combs (Dec 11)
- Re: No TCP alerts, only UDP and ICMP Y M (Dec 11)
- unsubscribe Thomison, Lee (Dec 10)