Snort mailing list archives

Re: Losing alerts with 1.8.1-beta5 (was: Linux and packet loss


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 3 Aug 2001 10:07:26 +1200

Well that didn't take long.

There is something amiss - either with my system or with snort.

I dialed into an ISP and did an ISA "attack" against our Web server.

tcpdump running on the snort host picked up the port 80 packets (tcpdump -s
65000 -w tcpdump.log - then ran ethereal over it - saw the content). Snort
didn't catch it. This was with a snort-1.8.1-beta5 that had been running for
3 days.

I then restarted snort, did the attack again - and snort picked it up.

Running "ldd" against both tcpdump and snort shows the same pcap and libnet
libraries, so I'm leaning towards a bug myself... Looks like snort is OK for
a while, and then starts losing things.

Anything else I can do to find the fault?

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
