Snort mailing list archives

Re: Testing Rule


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Wed, 12 Jul 2017 13:42:46 +0000

How are you starting snort?

Are you using a config file?


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Justin Pederson via Snort-users <snort-users () lists snort org>
Reply-To: Justin Pederson <jpedersm () gmail com>
Date: Wednesday, July 12, 2017 at 9:37 AM
To: waldo kitty <wkitty42 () windstream net>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Testing Rule

I used the PCAP James mentioned and this is what I got. I cannot scroll all the way to the top because of all the "WARNING: No preprocessors" messages. Is there a way to prevent these from showing?



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
01/16-20:07:49.738998 64.215.158.34:80 -> 192.168.3.35:1136
TCP TTL:60 TOS:0x0 ID:9017 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x198EEF10  Ack: 0x4179B381  Win: 0x1920  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Run time for packet processing was 0.128121 seconds
Snort processed 1632 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:         1632
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       782336
  Bytes in mapped regions (hblkhd):      21590016
  Total allocated space (uordblks):      672208
  Total free space (fordblks):           110128
  Topmost releasable block (keepcost):   39920
===============================================================================
Packet I/O Totals:
   Received:         1632
   Analyzed:         1632 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         1632 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:         1632 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:         1632 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:         1632
===============================================================================
Snort exiting
[root@localhost ~]#

On Tue, Jul 11, 2017 at 9:18 PM, <wkitty42 () windstream net> wrote:
On 07/11/2017 04:26 PM, Justin Pederson via Snort-users wrote:
James, I tried this as well with 2 or 3 pcaps and no alerts happened.


you might want to make sure that you're starting your snort with "-k none" also...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

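The thread turns on two things that make a rule test against a pcap come up empty: Snort was started without a configuration file (the "No preprocessors configured for policy 0" warning is what Snort 2 prints per packet in that case, so any rule that depends on a preprocessor such as stream5 or http_inspect can never match), and checksum verification (Snort's default -k mode skips packets with bad checksums, which is why "-k none" is suggested). The script below is an added example, not code from the thread or from the Snort project: it parses the end-of-run summary Snort prints (counters and the preprocessor warning) and reports which of those conditions applies. The sample output is constructed, modelled on the summary quoted above with its breakdown abbreviated; the function names and the finding codes are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the run summary quoted in the thread
# (counter values copied from that output; the protocol breakdown is abbreviated).
SAMPLE_OUTPUT = """\
WARNING: No preprocessors configured for policy 0.
01/16-20:07:49.738998 64.215.158.34:80 -> 192.168.3.35:1136
TCP TTL:60 TOS:0x0 ID:9017 IpLen:20 DgmLen:40 DF
===============================================================================
Run time for packet processing was 0.128121 seconds
Snort processed 1632 packets.
   Pkts/sec:         1632
===============================================================================
Packet I/O Totals:
   Received:         1632
   Analyzed:         1632 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         1632 (100.000%)
        TCP:         1632 (100.000%)
Bad Chk Sum:            0 (  0.000%)
      Total:         1632
===============================================================================
Snort exiting
"""

# A counter line is "<name>:<whitespace><integer>"; packet header lines such as
# "TCP TTL:60" have no whitespace after the colon and are therefore not matched.
COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9/ ]+?):\s+(\d+)\b")
NO_PREPROC_RE = re.compile(r"No preprocessors configured")


def parse_snort_summary(text: str) -> Tuple[Dict[str, int], int]:
    """Return (counters, warning_count) for one Snort run.

    Counter names are lower-cased with spaces and slashes turned into
    underscores, e.g. 'Bad Chk Sum' -> 'bad_chk_sum', 'Pkts/sec' -> 'pkts_sec'.
    """
    counters: Dict[str, int] = {}
    warnings = 0
    for line in text.splitlines():
        if NO_PREPROC_RE.search(line):
            warnings += 1
            continue
        m = COUNTER_RE.match(line)
        if m:
            key = re.sub(r"[ /]", "_", m.group(1).strip().lower())
            counters[key] = int(m.group(2))
    return counters, warnings


def assess(counters: Dict[str, int], warning_count: int) -> List[Tuple[str, str]]:
    """Explain why a rule test may have produced no alerts; returns (code, message) pairs."""
    findings: List[Tuple[str, str]] = []
    if warning_count:
        findings.append(("no-config",
                         f"{warning_count} 'No preprocessors configured' warning(s): snort was "
                         "run without a configuration (-c snort.conf), so rules that rely on "
                         "preprocessors such as stream5 or http_inspect cannot match"))
    received = counters.get("received", 0)
    analyzed = counters.get("analyzed", 0)
    dropped = counters.get("dropped", 0)
    if dropped or analyzed != received:
        findings.append(("not-all-analyzed",
                         f"received={received} analyzed={analyzed} dropped={dropped}"))
    bad = counters.get("bad_chk_sum", 0)
    if bad:
        findings.append(("checksums",
                         f"{bad} packet(s) failed checksum verification and were skipped "
                         "by detection; start snort with -k none when replaying pcaps"))
    return findings


if __name__ == "__main__":
    counters, warning_count = parse_snort_summary(SAMPLE_OUTPUT)
    for code, message in assess(counters, warning_count):
        print(f"[{code}] {message}")
```

Run it against a real run by piping Snort's stdout/stderr to a file and passing that text to parse_snort_summary; a clean test run should yield no findings, 100% analyzed and a zero "Bad Chk Sum" counter.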
