Snort mailing list archives
Re: No TCP alerts, only UDP and ICMP
From: Peter Bates <peter.bates () ucl ac uk>
Date: Tue, 11 Dec 2012 10:15:57 +0000
Hello all

On 10/12/2012 19:15, Y M wrote:
> Snort statistics, some of it at least:
> ICMP: 0.186%
> UDP: 17.929%
> TCP: 48.667%
> Dropped: 0
> Analyzed: 247964 (100%)
It's a long shot, but I have seen this on a sensor that was only receiving one side of conversations due to a misconfiguration on the SPAN side (not all VLANs had been added to the monitoring session for in/out). The ICMP and UDP rules (particularly things like ZeroAccess) will always hit if you're seeing outbound only, but the TCP rules that track state (using flowbits) will obviously never alert. It might be worth looking at a tcpdump from a specific source/destination just to confirm you are seeing outbound and inbound.

--
Peter Bates
Senior Information Security Officer, Information Services Division
University College London, London WC1E 6BT
Phone: +44(0)2076792049 (Internal Ext: 32049)
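One way to carry out the tcpdump check suggested in the reply, as an added example that is not part of the thread: parse `tcpdump -n` text output and report endpoint pairs for which the sensor saw packets in only one direction. The sample capture lines and all addresses below are constructed for illustration; on a SPAN session that forwards both directions, one-sided flows should be limited to genuinely unanswered traffic.

```python
import re
from collections import defaultdict

# Matches the "src.sport > dst.dport:" portion of an IPv4 tcpdump -n line.
_PKT = re.compile(r"\bIP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

# Constructed sample of tcpdump -n output (hypothetical addresses, not from the thread).
SAMPLE_TCPDUMP = """\
10:15:01.100000 IP 10.0.1.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
10:15:01.150000 IP 93.184.216.34.443 > 10.0.1.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
10:15:01.151000 IP 10.0.1.5.51234 > 93.184.216.34.443: Flags [.], ack 3, win 64240, length 0
10:15:02.000000 IP 10.0.1.5.40000 > 198.51.100.7.53: 12345+ A? example.com. (29)
10:15:03.000000 IP 10.0.1.5.51235 > 203.0.113.9.80: Flags [S], seq 1, win 64240, length 0
10:15:04.000000 IP 10.0.1.5.51235 > 203.0.113.9.80: Flags [S], seq 1, win 64240, length 0
"""


def flow_directions(tcpdump_text):
    """Map each unordered (ip, port) endpoint pair to the set of directions seen."""
    flows = defaultdict(set)
    for line in tcpdump_text.splitlines():
        m = _PKT.search(line)
        if not m:
            continue  # ARP, ICMP or truncated lines: not a port-to-port flow
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        key = tuple(sorted((a, b)))  # same key regardless of direction
        flows[key].add((a, b))
    return flows


def one_sided_flows(tcpdump_text):
    """Endpoint pairs for which packets were seen in only one direction."""
    return sorted(k for k, dirs in flow_directions(tcpdump_text).items() if len(dirs) == 1)


def visibility_summary(tcpdump_text):
    """Counts of bidirectional versus one-sided flows in the capture."""
    flows = flow_directions(tcpdump_text)
    one_sided = sum(1 for dirs in flows.values() if len(dirs) == 1)
    return {"bidirectional": len(flows) - one_sided, "one_sided": one_sided}


if __name__ == "__main__":
    print(visibility_summary(SAMPLE_TCPDUMP))
    for a, b in one_sided_flows(SAMPLE_TCPDUMP):
        print(f"one-sided: {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

If nearly every TCP flow from a real capture comes back one-sided, the sensor is not receiving the return direction and stateful rules will stay silent.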