Snort mailing list archives
Re: Testing Rule
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Wed, 12 Jul 2017 13:42:46 +0000
How are you starting snort? Are you using a config file?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Justin Pederson via Snort-users <snort-users () lists snort org>
Reply-To: Justin Pederson <jpedersm () gmail com>
Date: Wednesday, July 12, 2017 at 9:37 AM
To: waldo kitty <wkitty42 () windstream net>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Testing Rule

> I used the PCAP James mentioned and this is what I got. I cannot scroll all the way to the top because of all the "WARNING: No preprocessors" messages. Is there a way to prevent these from showing?
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> WARNING: No preprocessors configured for policy 0.
> 01/16-20:07:49.738998 64.215.158.34:80 -> 192.168.3.35:1136
> TCP TTL:60 TOS:0x0 ID:9017 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0x198EEF10  Ack: 0x4179B381  Win: 0x1920  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> ===============================================================================
> Run time for packet processing was 0.128121 seconds
> Snort processed 1632 packets.
> Snort ran for 0 days 0 hours 0 minutes 0 seconds
>    Pkts/sec:         1632
> ===============================================================================
> Memory usage summary:
>   Total non-mmapped bytes (arena):       782336
>   Bytes in mapped regions (hblkhd):      21590016
>   Total allocated space (uordblks):      672208
>   Total free space (fordblks):           110128
>   Topmost releasable block (keepcost):   39920
> ===============================================================================
> Packet I/O Totals:
>    Received:         1632
>    Analyzed:         1632 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>         Eth:         1632 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:         1632 (100.000%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:            0 (  0.000%)
>         TCP:         1632 (100.000%)
>         IP6:            0 (  0.000%)
>     IP6 Ext:            0 (  0.000%)
>    IP6 Opts:            0 (  0.000%)
>       Frag6:            0 (  0.000%)
>       ICMP6:            0 (  0.000%)
>        UDP6:            0 (  0.000%)
>        TCP6:            0 (  0.000%)
>      Teredo:            0 (  0.000%)
>     ICMP-IP:            0 (  0.000%)
>     IP4/IP4:            0 (  0.000%)
>     IP4/IP6:            0 (  0.000%)
>     IP6/IP4:            0 (  0.000%)
>     IP6/IP6:            0 (  0.000%)
>         GRE:            0 (  0.000%)
>     GRE Eth:            0 (  0.000%)
>    GRE VLAN:            0 (  0.000%)
>     GRE IP4:            0 (  0.000%)
>     GRE IP6:            0 (  0.000%)
> GRE IP6 Ext:            0 (  0.000%)
>    GRE PPTP:            0 (  0.000%)
>     GRE ARP:            0 (  0.000%)
>     GRE IPX:            0 (  0.000%)
>    GRE Loop:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:            0 (  0.000%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:            0 (  0.000%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>       Other:            0 (  0.000%)
> Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:            0 (  0.000%)
>      S5 G 2:            0 (  0.000%)
>       Total:         1632
> ===============================================================================
> Snort exiting
> [root@localhost ~]#
>
> On Tue, Jul 11, 2017 at 9:18 PM, <wkitty42 () windstream net> wrote:
>
>> On 07/11/2017 04:26 PM, Justin Pederson via Snort-users wrote:
>>> James I tried this as well with 2 or 3 pcaps and no alerts happened.
>>
>> you might want to make sure that you're starting your snort with "-k none" also...
>>
>> --
>> NOTE: No off-list assistance is given without prior approval.
>> *Please keep mailing list traffic on the list unless*
>> *a signed and pre-paid contract is in effect with us.*
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists snort org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
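Added example (not from the thread or the Snort project): a small Python check that reads a Snort 2.x run summary like the one pasted above and reports why a pcap test may have alerted nothing. SAMPLE_OUTPUT is a constructed, abbreviated copy of that summary; the findings wording is my own.

```python
import re

# Constructed sample: an abbreviated Snort 2.x console run summary of the kind
# pasted in the thread (a run with no config file, hence no preprocessors).
SAMPLE_OUTPUT = """\
WARNING: No preprocessors configured for policy 0.
===============================================================================
Run time for packet processing was 0.128121 seconds
Snort processed 1632 packets.
===============================================================================
Packet I/O Totals:
   Received:         1632
   Analyzed:         1632 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         1632 (100.000%)
        TCP:         1632 (100.000%)
Bad Chk Sum:            0 (  0.000%)
===============================================================================
Snort exiting
"""

# Matches "Name:   N" and "Name:   N (x.xxx%)" counter lines of the summary.
COUNTER_RE = re.compile(r"^\s*([^:\n]+?):\s+(\d+)(?:\s+\(\s*[\d.]+%\))?\s*$", re.M)
NO_PREPROC_RE = re.compile(r"^WARNING: No preprocessors configured", re.M)


def parse_counters(output):
    """Return {counter_name: int} for every counter line in the run summary."""
    return {m.group(1).strip(): int(m.group(2)) for m in COUNTER_RE.finditer(output)}


def diagnose_run(output):
    """Return (counters, findings) explaining a silent pcap test from the summary."""
    counters = parse_counters(output)
    findings = []
    warnings = len(NO_PREPROC_RE.findall(output))
    if warnings:
        findings.append(f"no preprocessors loaded ({warnings} warning line(s)): this is "
                        "what a run without -c <snort.conf> looks like, so no rules "
                        "were loaded and nothing can alert")
    if counters.get("Received", 0) == 0:
        findings.append("no packets read: check the -r <pcap> path")
    if counters.get("Dropped", 0):
        findings.append(f"{counters['Dropped']} packet(s) dropped before analysis")
    if counters.get("Bad Chk Sum", 0):
        findings.append("bad-checksum packets present: use -k none so they are still inspected")
    return counters, findings
```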