Snort mailing list archives

Re: Stream4 and other stuff


From: Phil Wood <cpw () lanl gov>
Date: Fri, 29 Jun 2001 13:53:03 -0600

Marty,

I'm getting extreme packet loss using Version 1.8-beta8 (Build 33).

Snort received 242899 packets and dropped 3692706(93.828%) packets

Breakdown by protocol:                Action Stats:
TCP: 233890     (5.943%)          ALERTS: 203
UDP: 7435       (0.189%)          LOGGED: 203
ICMP: 762        (0.019%)          PASSED: 4900
ARP: 0          (0.000%)
IPv6: 0          (0.000%)

Running a tcpdump is clean (at a different time but with similar
load), no packets dropped.  

LogMessage was called 9058 times prior to this with the message

  WARNING: Fishy TWH from client!

Is there a way to identify the fishy client with some S:s->D:d in the
message?

I'm running these preprocessors:

preprocessor defrag
preprocessor stream4
preprocessor stream4_reassemble
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $INTERNAL 5 3 $LOG/$SCAN
preprocessor portscan-ignorehosts: $IGNOREHOSTS

Thanks,

-- 
Phil Wood, cpw () lanl gov

