Snort mailing list archives
Re: Snort 3 Config File Question (3)
From: Russ via Snort-users <snort-users () lists snort org>
Date: Tue, 25 Jul 2017 00:28:29 -0400
Need more data to help you. Please try a simple test and send the shutdown stats. Also, until you get things going, you might want to try -A cmg instead of unified2. The text output is a little easier to deal with. Since you have DHCP you may want to disable 116:412 which you show below.
On 7/24/17 11:28 PM, Jim Campbell wrote:
I should have added that the Snort IPS is positioned between the DSL modem and the firewall. I just discovered that this is a normal DHCP request. So even though it looks strange it isn't. I still don't understand why Snort is choking off my connection to the internet.

On 7/24/2017 8:50 PM, Jim Campbell wrote:

Problems. While Snort is happy with the new Rules file it is also keeping me from doing anything useful on the internet. Also, the packets it is logging to the Unified2 log are strange. For example:

(Event)
sensor id: 0 event id: 133 event second: 1500926568 event microsecond: 248613
sig id: 412 gen id: 116 revision: 1 classification: 29
priority: 3 ip source: 0.0.0.0 ip destination: 255.255.255.255
src port: 68 dest port: 67 ip_proto: 17 impact_flag: 0 blocked: 0
mpls label: 0 vlan id: 0 policy id: 0 appid:

Packet
sensor id: 0 event id: 133 event second: 1500926568
packet second: 1500926568 packet microsecond: 248613
linktype: 1 packet_length: 342

I'm not accustomed to this format and my Ethernet tap is broken. Until I get the parts I have on order to build a new tap so I can get Wireshark on the job I'm going to have to work on other things. Once I have the new tap built I will put Snort back online and share what I find.

Jim

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
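Before suppressing 116:412 as Russ suggests, it is worth confirming that the logged frame really is the ordinary client DHCP DISCOVER Jim describes (0.0.0.0:68 to 255.255.255.255:67, BOOTREQUEST, DHCP message type 1). The following is an added Python triage helper, not code from the thread or from Snort; the frame builder, the MAC address and the transaction id are constructed placeholders.

```python
import struct

# Constructed sample: a minimal Ethernet/IPv4/UDP DHCP DISCOVER like the one in the
# unified2 record above (IP and UDP checksums are left zero; we do not verify them).
def build_dhcp_discover(client_mac: bytes = b"\x02\x00\x00\x00\x00\x01",
                        xid: int = 0x12345678) -> bytes:
    # BOOTP fixed fields: op=1 (BOOTREQUEST), htype=1, hlen=6, hops=0, xid, secs,
    # flags (broadcast bit), ciaddr/yiaddr/siaddr/giaddr, chaddr, sname, file
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dhcp += b"\x63\x82\x53\x63"          # DHCP magic cookie
    dhcp += b"\x35\x01\x01" + b"\xff"    # option 53 = DISCOVER, then END
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 20 + len(udp), 0, 0, 128, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + client_mac + b"\x08\x00" + ip

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP/DHCP just far enough to triage the decoder alert."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:
        raise ValueError("not UDP")
    info = {"src": ".".join(map(str, frame[26:30])),
            "dst": ".".join(map(str, frame[30:34])),
            "dhcp_op": None, "msg_type": None}
    udp = frame[14 + ihl:]
    info["sport"], info["dport"], ulen = struct.unpack("!HHH", udp[:6])
    payload = udp[8:ulen]
    if len(payload) >= 240 and payload[236:240] == b"\x63\x82\x53\x63":
        info["dhcp_op"] = payload[0]
        i = 240
        while i < len(payload) and payload[i] != 0xFF:   # walk TLV options to END
            if payload[i] == 0:                          # PAD option has no length
                i += 1
                continue
            code, ln = payload[i], payload[i + 1]
            if code == 53:
                info["msg_type"] = payload[i + 2]
            i += 2 + ln
    return info

def is_expected_dhcp_discover(info: dict) -> bool:
    """True only for the benign shape the thread identifies: unconfigured client broadcast."""
    return (info["src"] == "0.0.0.0" and info["dst"] == "255.255.255.255"
            and info["sport"] == 68 and info["dport"] == 67
            and info["dhcp_op"] == 1 and info["msg_type"] == 1)
```

Running the parser over the frames Snort actually logged (after `-A cmg` or a unified2 reader hands you the bytes) lets you suppress the rule only once every hit matches this shape.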