Snort mailing list archives

Re: Snort 3 Config File Question (3)


From: Jim Campbell <jim () w4bqp net>
Date: Tue, 25 Jul 2017 10:49:42 -0400

I looked at last night's unified2 output and found four sids being output: 116:408, 412, 414, and 444. I entered those into /etc/snort/disablesid.conf. That wasn't effective, even after restarting barnyard2. What program acts on disablesid.conf?

I did the "-A cmg" as you requested. The only packets being output were the DHCP requests and responses. In addition, I was able to make HTTP requests to the internet with no problem while Snort was running, so it was passing packets to the internet. Following are the shutdown statistics:

-- [0] enp1s0:enp4s0
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 106
                 analyzed: 106
                    allow: 89
                    block: 9
                  replace: 8
--------------------------------------------------
codec
                    total: 106          (100.000%)
                      arp: 43           ( 40.566%)
                      eth: 106          (100.000%)
                     ipv4: 62           ( 58.491%)
                     ipv6: 1            (  0.943%)
                      tcp: 19           ( 17.925%)
                      udp: 44           ( 41.509%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 106
               hard_evals: 102
             raw_searches: 94
             pkt_searches: 94
             total_alerts: 27
                   logged: 27
--------------------------------------------------
search_engine
               max_queued: 8
            total_inserts: 19
             total_unique: 18
     non_qualified_events: 120
           searched_bytes: 10422
--------------------------------------------------
appid
                  packets: 63
        processed_packets: 63
               mdns_flows: 2
--------------------------------------------------
arp_spoof
                  packets: 43
--------------------------------------------------
back_orifice
                  packets: 44
--------------------------------------------------
binder
                  packets: 30
                 inspects: 30
--------------------------------------------------
normalizer
               tcp_ts_nop: 8
--------------------------------------------------
port_scan
                  packets: 63
--------------------------------------------------
reputation
                  packets: 48
--------------------------------------------------
stream
                tcp_flows: 11
                udp_flows: 19
--------------------------------------------------
stream_tcp
                 sessions: 11
                      max: 11
                  created: 11
                 released: 11
                 timeouts: 5
            data_trackers: 11
              segs_queued: 11
            segs_released: 11
          client_cleanups: 6
          server_cleanups: 6
--------------------------------------------------
stream_udp
                 sessions: 19
                      max: 19
                  created: 37
                 released: 37
                 timeouts: 18
--------------------------------------------------
wizard
                udp_scans: 44
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
                  signals: 1
--------------------------------------------------
timing
                  runtime: 00:02:52
                  seconds: 172.585220
                  packets: 106
                 pkts/sec: 0
o")~   Snort exiting


On 7/25/2017 12:28 AM, Russ via Snort-users wrote:
Need more data to help you. Please try a simple test and send the shutdown stats. Also, until you get things going, you might want to try -A cmg instead of unified2. The text output is a little easier to deal with. Since you have DHCP you may want to disable 116:412 which you show below.


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
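When comparing shutdown statistics across test runs like the one above, it helps to read them as structured data instead of eyeballing the columns. The following parser is an added example written for this archive page; it is not part of the thread and not Snort's own code. It reads a Snort 3 shutdown block (the `module` / `counter: value (pct%)` layout shown in the post, with the `--` separator lines) into a dictionary and then checks two things that are visible in the numbers above: that every analyzed packet received exactly one DAQ verdict (89 allow + 9 block + 8 replace = 106 analyzed), and that the `replace` verdict count equals the normalizer's `tcp_ts_nop` count. The sample block is constructed from the statistics in the post; the function names are my own.

```python
"""Parse a Snort 3 shutdown-statistics block and sanity-check the DAQ verdict counters.

Added example for this mailing-list page; the sample below is an excerpt
of the statistics quoted in the post (constructed input, not live output).
"""
import re
from typing import Dict, Tuple

# Constructed sample: an excerpt of the shutdown stats from the post above.
SAMPLE_STATS = """\
-- [0] enp1s0:enp4s0
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 106
                 analyzed: 106
                    allow: 89
                    block: 9
                  replace: 8
--------------------------------------------------
codec
                    total: 106          (100.000%)
                      arp: 43           ( 40.566%)
                      eth: 106          (100.000%)
                     ipv4: 62           ( 58.491%)
                     ipv6: 1            (  0.943%)
                      tcp: 19           ( 17.925%)
                      udp: 44           ( 41.509%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 106
               hard_evals: 102
             total_alerts: 27
                   logged: 27
--------------------------------------------------
normalizer
               tcp_ts_nop: 8
--------------------------------------------------
timing
                  runtime: 00:02:52
                  seconds: 172.585220
                  packets: 106
                 pkts/sec: 0
o")~   Snort exiting
"""

# "<name>: <value>" with an optional "( 40.566%)" share column; names may contain '/'.
COUNTER_RE = re.compile(r"^\s+([\w/]+):\s+(\S+)(?:\s+\(\s*([\d.]+)%\))?\s*$")
# A module name sits alone, unindented, on its own line (daq, codec, detection, ...).
MODULE_RE = re.compile(r"^(\w+)\s*$")


def _to_number(raw: str):
    """Counters are ints, timing.seconds is a float, runtime stays a string."""
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw


def parse_stats(text: str) -> Dict[str, Dict[str, object]]:
    """Return {module: {counter: value}}; percentage columns are stored as '<counter>_pct'."""
    stats: Dict[str, Dict[str, object]] = {}
    module = None
    for line in text.splitlines():
        # Skip separators ("--", "---..."), section headings and the exit banner.
        if line.startswith("--") or line.endswith("Statistics") or "Snort exiting" in line:
            continue
        m = MODULE_RE.match(line)
        if m:
            module = m.group(1)
            stats.setdefault(module, {})
            continue
        m = COUNTER_RE.match(line)
        if m and module is not None:
            name, raw, pct = m.groups()
            stats[module][name] = _to_number(raw)
            if pct is not None:
                stats[module][name + "_pct"] = float(pct)
    return stats


def check_daq_verdicts(stats: Dict[str, Dict[str, object]]) -> Tuple[int, int, bool]:
    """Each analyzed packet gets one DAQ verdict; sum the verdict counters present in the post."""
    daq = stats["daq"]
    verdicts = sum(int(daq.get(k, 0)) for k in ("allow", "block", "replace"))
    return int(daq["analyzed"]), verdicts, int(daq["analyzed"]) == verdicts


def replace_matches_normalizer(stats: Dict[str, Dict[str, object]]) -> bool:
    """The 8 'replace' verdicts line up with the 8 TCP timestamp NOP rewrites by the normalizer."""
    return stats["daq"].get("replace") == stats.get("normalizer", {}).get("tcp_ts_nop")


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE_STATS)
    analyzed, verdicts, ok = check_daq_verdicts(parsed)
    print(f"analyzed={analyzed} verdicts={verdicts} consistent={ok}")
    print(f"replace == normalizer.tcp_ts_nop: {replace_matches_normalizer(parsed)}")
    print(f"alerts per analyzed packet: {parsed['detection']['total_alerts'] / analyzed:.3f}")
```

Running it on the sample reports a consistent verdict count (106 of 106), confirms that the `replace` verdicts equal the normalizer's `tcp_ts_nop` rewrites, and shows the alert density (27 alerts over 106 packets) that prompted the question about disabling decoder sids.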
