Snort mailing list archives

Re: I'm sure you've seen this before..


From: Dorian ROSSE via Snort-users <snort-users () lists snort org>
Date: Thu, 3 Oct 2019 16:18:31 +0000

Have you tried to scan your file session in tcpdump if Snort crashes?

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Lea H via Snort-users <snort-users () lists snort org>
Sent: Wednesday, October 2, 2019 1:43:29 AM
To: snort-users () lists snort org <snort-users () lists snort org>
Subject: [Snort-users] I'm sure you've seen this before..


,,_     -*> Snort! <*-
  o"  )~   Version 2.9.14.1 GRE (Build 15003)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.9.0-PRE-GIT (with TPACKET_V3)
           Using PCRE version: 8.21 2011-12-12
           Using ZLIB version: 1.2.8

Error Message I am receiving is below. I am receiving about 100k logs every 5 minutes.

WARNING: IP dgm len > captured len

Steps I have taken to remediate the issue:

Commented out the decoder rule in “gen-msg.map” file

Added:
“-P 65535”
“-k none”
“--daq-var buffer_size_mb=1024”

to the Snort command during boot in rc.local.

Here is my command:

snort -A fast -P 65535 -k none -b -d -D -v -i vxlan0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/ --daq-var buffer_size_mb=1024 &

The current architecture is a mirrored session from AWS which is a new feature. It encapsulates the traffic, hence the vxlan port. I have configured the interface on the Snort server to decapsulate the traffic. Here is that config: (I previously ran Suricata and have verified that the port is decapsulating the traffic)

ip link add vxlan0 type vxlan id 1 dev eth1 dstport 4789
ip link set up dev vxlan0


For more context, I am wanting to run Snort in NIDS (passive) mode so it inspects the traffic and alerts on matching signatures. I would also like to add raw packet data to the alert log. So far the only alerts I have seen are:

1:30524:3 – OpenSSL read overrun attempt.

When Snort runs, I see that 12033 Snort rules are read and it passes the Snort test.

With how many errors I am receiving I think it is having a huge impact on Snort's ability to perform.

Any help would be appreciated, at this point I am spinning donuts in the mud.

Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
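Added illustration for the warning in the quoted report (this is not code from either poster or from Snort): Snort's decoder emits "IP dgm len > captured len" when the IPv4 header's total-length field is larger than the number of bytes actually captured for that datagram, which is what any truncation along the path (a small snaplen, or a mirror session that clips packets) leaves behind. The script reproduces that check on constructed frames and unwraps VXLAN on UDP/4789 so both the outer packet and the inner, mirrored datagram are reported; the addresses, MACs and sizes are made up.

```python
import struct

VXLAN_PORT = 4789  # same UDP dstport as the vxlan0 link in the thread

def ip_len_check(frame: bytes, label: str = "outer") -> list:
    """Report, per IPv4 layer in an Ethernet frame, the length the IP header
    declares versus the bytes actually present. declared > captured is the
    condition behind Snort's 'IP dgm len > captured len'. VXLAN (UDP/4789)
    is unwrapped so the inner, mirrored datagram is checked as well."""
    results = []
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return results  # too short or not IPv4: nothing to compare
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    declared = struct.unpack("!H", ip[2:4])[0]
    results.append({"layer": label, "declared": declared,
                    "captured": len(ip), "truncated": declared > len(ip)})
    # IPv4 -> UDP to 4789 -> 8-byte VXLAN header -> inner Ethernet frame
    if ip[9] == 17 and len(ip) >= ihl + 8:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if dport == VXLAN_PORT:
            results.extend(ip_len_check(ip[ihl + 8 + 8:], "inner"))
    return results

# --- constructed packets (addresses, MACs and sizes are made up) ---
def ipv4(src, dst, proto, payload):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum=0, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def ether(payload):
    return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + payload

def vxlan(inner_frame, vni=1):
    # flags (I bit set), 3 reserved bytes, 24-bit VNI, 1 reserved byte
    return struct.pack("!B3xI", 0x08, vni << 8) + inner_frame

INNER = ether(ipv4((10, 0, 1, 10), (10, 0, 2, 20), 6, b"A" * 1400))
MIRRORED = ether(ipv4((10, 0, 0, 5), (10, 0, 0, 9), 17,
                      udp(49152, VXLAN_PORT, vxlan(INNER))))
TRUNCATED = MIRRORED[:200]  # what a 200-byte snaplen would leave of it

if __name__ == "__main__":
    for name, frame in (("full", MIRRORED), ("truncated", TRUNCATED)):
        print(name, ip_len_check(frame))
```

Running it against a real capture means feeding each record's bytes to ip_len_check; any layer reported truncated is a datagram Snort will warn about and inspect only partially.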
