Snort mailing list archives
Re: Snort-users Digest, Vol 33, Issue 10
From: Jimmy Tharel <jtharel () yahoo com>
Date: Thu, 12 Feb 2009 10:04:08 -0800 (PST)
The checksums is definitely the problem Adding the -k none allows me to see what I expect and all my rules seem to be
alerting now. However, I'm not sending any traffic from my snort box. How can I troubleshoot this further? Any idea?
By the way...very good catch! I'm glad I included the Snort output!
________________________________
From: "snort-users-request () lists sourceforge net" <snort-users-request () lists sourceforge net>
To: snort-users () lists sourceforge net
Sent: Thursday, February 12, 2009 10:27:18 AM
Subject: Snort-users Digest, Vol 33, Issue 10
Send Snort-users mailing list submissions to
snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net
You can reach the person managing the list at
snort-users-owner () lists sourceforge net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."
Today's Topics:
1. Re: Snort not seeing all traffic (Joel Esler)
2. Re: Snort not seeing all traffic (Todd Wease)
3. Re: Snort not seeing all traffic (Jack Pepper)
----------------------------------------------------------------------
Message: 1
Date: Thu, 12 Feb 2009 12:21:02 -0500
From: Joel Esler <eslerj () gmail com>
Subject: Re: [Snort-users] Snort not seeing all traffic
To: Jimmy Tharel <jtharel () yahoo com>
Cc: snort-users () lists sourceforge net
Message-ID:
<8c643a500902120921v89bfcfeq86547bf24d0f6deb () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1
Jimmy, it's hard for us to troubleshoot was is going on if Snort, did
indeed drop packets. We can't rule out with 100% certainty that Snort
isn't seeing the traffic, if in fact, it's dropping packets.
Can you capture a pcap of the traffic, run Snort against the pcap?
That way we can rule out dropped packets?
Joel
It's obviously seeing the traffic, as you are getting alerts.
On Thu, Feb 12, 2009 at 11:54 AM, Jimmy Tharel <jtharel () yahoo com> wrote:
Initially I thought I had a problem with a rule that I wrote but it appears
Snort isn't seeing all of the data coming over the wire. I wrote a simple
rule:
alert tcp <my ip> any <> any any (msg:"Jimmy - Test rule";
classtype:attempted-dos; sid:2000000; rev:1;)
I sent 50 packets across the wire and Snort only picked up 10 of them and
alerted. I had tcpdump running at the same time and it picked up all of
them.
I'm currently running 2.8.3.2. It doesn't look like I'm dropping packets
(especially since tcpdump sees the traffic, and the snort output shows very
little packet loss), my cpu and memory are not be taxed at all. Currently I
only have the one rule enable plus the preprocessors.
Does anybody have any idea what could be happening? If you need any more
info I will be happy to share it.
Below are my snort.conf and the output of Snort running for a brief period
of time when the 50 packets where sent.
Here is my snort.conf:
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS [10.196.4.1,10.196.4.2]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS
[10.196.2.102,10.196.2.103,10.196.2.105,10.196.2.132,10.196.2.133,10.185.9.42,10.185.9.43,10.185.9.44,10.185.9.56,10.185.9.57,10.196.2.93,10.196.2.94,10.196.2.137,10.185.9.77,10.185.9.78,10.185.9.85,10.185.9.86,10.185.8.18,10.185.8.19]
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500 \
no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 587 691 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include classification.config
include reference.config
include $RULE_PATH/local.rules
include threshold.conf
Here is the output of Snort:
un time prior to being shutdown was 28.595880 seconds
===============================================================================
Packet Wire Totals:
Received: 908053
Analyzed: 907663 (99.957%)
Dropped: 380 (0.042%)
Outstanding: 10 (0.001%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
ETH: 909784 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 907996 (99.803%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 901746 (99.116%)
UDP: 3110 (0.342%)
ICMP: 1007 (0.111%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 506 (0.056%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 1294 (0.142%)
DISCARD: 0 (0.000%)
InvChkSum: 627722 (68.997%)
S5 G 1: 0 (0.000%)
S5 G 2: 2121 (0.233%)
Total: 909784
===============================================================================
Action Stats:
ALERTS: 10
LOGGED: 10
PASSED: 0
===============================================================================
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
Total sessions: 15463
TCP sessions: 15463
UDP sessions: 0
ICMP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
TCP StreamTrackers Created: 15463
TCP StreamTrackers Deleted: 15463
TCP Timeouts: 0
TCP Overlaps: 1
TCP Segments Queued: 8631
TCP Segments Released: 8631
TCP Rebuilt Packets: 4075
TCP Segments Used: 4260
TCP Discards: 19042
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 1042
GET methods: 1305
Headers extracted: 2342
Header Cookies extracted: 821
Post parameters extracted: 15
Unicode: 0
Double unicode: 0
Non-ASCII representable: 171
Base 36: 0
Directory traversals: 0
Extra slashes ("//"): 26
Self-referencing paths ("./"): 0
Total packets processed: 218047
===============================================================================
SSL Preprocessor:
SSL packets decoded: 1523
Client Hello: 12
Server Hello: 24
Certificate: 1
Server Done: 85
Client Key Exchange: 6
Server Key Exchange: 0
Change Cipher: 108
Finished: 0
Client Application: 30
Server Application: 273
Alert: 9
Unrecognized records: 1169
Completed handshakes: 2
Bad handshakes: 0
Sessions ignored: 5
Detection disabled: 0
===============================================================================
Snort exiting
-- Joel Esler http://www.joelesler.net ------------------------------ Message: 2 Date: Thu, 12 Feb 2009 12:25:29 -0500 From: Todd Wease <twease () sourcefire com> Subject: Re: [Snort-users] Snort not seeing all traffic To: Jimmy Tharel <jtharel () yahoo com> Cc: snort-users () lists sourceforge net Message-ID: <49945B89.5040406 () sourcefire com> Content-Type: text/plain; charset=ISO-8859-1 Hi Jimmy, Looks like you might be sending traffic from the same box as Snort is running on and TCP checksum offloading is occurring. I noticed this from the stats: InvChkSum: 627722 (68.997%) That's alot of invalid checksums. Try adding "-k none" to your command line while testing. This will disable Snort checking checksums. Todd Jimmy Tharel wrote:
Initially I thought I had a problem with a rule that I wrote but it
appears Snort isn't seeing all of the data coming over the wire. I
wrote a simple rule:
alert tcp <my ip> any <> any any (msg:"Jimmy - Test rule";
classtype:attempted-dos; sid:2000000; rev:1;)
I sent 50 packets across the wire and Snort only picked up 10 of them
and alerted. I had tcpdump running at the same time and it picked up
all of them.
I'm currently running 2.8.3.2. It doesn't look like I'm dropping
packets (especially since tcpdump sees the traffic, and the snort
output shows very little packet loss), my cpu and memory are not be
taxed at all. Currently I only have the one rule enable plus the
preprocessors.
Does anybody have any idea what could be happening? If you need any
more info I will be happy to share it.
Below are my snort.conf and the output of Snort running for a brief
period of time when the 50 packets where sent.
Here is my snort.conf:
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS [10.196.4.1,10.196.4.2]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS
[10.196.2.102,10.196.2.103,10.196.2.105,10.196.2.132,10.196.2.133,10.185.9.42,10.185.9.43,10.185.9.44,10.185.9.56,10.185.9.57,10.196.2.93,10.196.2.94,10.196.2.137,10.185.9.77,10.185.9.78,10.185.9.85,10.185.9.86,10.185.8.18,10.185.8.19]
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500 \
no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 587 691 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include classification.config
include reference.config
include $RULE_PATH/local.rules
include threshold.conf
Here is the output of Snort:
un time prior to being shutdown was 28.595880 seconds
===============================================================================
Packet Wire Totals:
Received: 908053
Analyzed: 907663 (99.957%)
Dropped: 380 (0.042%)
Outstanding: 10 (0.001%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
ETH: 909784 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 907996 (99.803%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 901746 (99.116%)
UDP: 3110 (0.342%)
ICMP: 1007 (0.111%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 506 (0.056%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 1294 (0.142%)
DISCARD: 0 (0.000%)
InvChkSum: 627722 (68.997%)
S5 G 1: 0 (0.000%)
S5 G 2: 2121 (0.233%)
Total: 909784
===============================================================================
Action Stats:
ALERTS: 10
LOGGED: 10
PASSED: 0
===============================================================================
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
Total sessions: 15463
TCP sessions: 15463
UDP sessions: 0
ICMP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
TCP StreamTrackers Created: 15463
TCP StreamTrackers Deleted: 15463
TCP Timeouts: 0
TCP Overlaps: 1
TCP Segments Queued: 8631
TCP Segments Released: 8631
TCP Rebuilt Packets: 4075
TCP Segments Used: 4260
TCP Discards: 19042
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 1042
GET methods: 1305
Headers extracted: 2342
Header Cookies extracted: 821
Post parameters extracted: 15
Unicode: 0
Double unicode: 0
Non-ASCII representable: 171
Base 36: 0
Directory traversals: 0
Extra slashes ("//"): 26
Self-referencing paths ("./"): 0
Total packets processed: 218047
===============================================================================
SSL Preprocessor:
SSL packets decoded: 1523
Client Hello: 12
Server Hello: 24
Certificate: 1
Server Done: 85
Client Key Exchange: 6
Server Key Exchange: 0
Change Cipher: 108
Finished: 0
Client Application: 30
Server Application: 273
Alert: 9
Unrecognized records: 1169
Completed handshakes: 2
Bad handshakes: 0
Sessions ignored: 5
Detection disabled: 0
===============================================================================
Snort exiting
------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------
Message: 3
Date: Thu, 12 Feb 2009 11:27:11 -0600
From: Jack Pepper <pepperjack () afferentsecurity com>
Subject: Re: [Snort-users] Snort not seeing all traffic
To: Jimmy Tharel <jtharel () yahoo com>
Cc: snort-users () lists sourceforge net
Message-ID:
<20090212112711.4p7oftafvo4csoo4 () mail afferentsecurity com>
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
format="flowed"
Looks like you're dropping packets. funny thing about dropping
packets: there's no way to know which packets were dropped. Your
sample looked at about a million packets in less than 30 seconds.
jp
Quoting Jimmy Tharel <jtharel () yahoo com>:
Initially I thought I had a problem with a rule that I wrote but it
appears Snort isn't seeing all of the data coming over the wire. I
wrote a simple rule:
alert tcp <my ip> any <> any any (msg:"Jimmy - Test rule";
classtype:attempted-dos; sid:2000000; rev:1;)
I sent 50 packets across the wire and Snort only picked up 10 of
them and alerted. I had tcpdump running at the same time and it
picked up all of them.
I'm currently running 2.8.3.2. It doesn't look like I'm dropping
packets (especially since tcpdump sees the traffic, and the snort
output shows very little packet loss), my cpu and memory are not be
taxed at all. Currently I only have the one rule enable plus the
preprocessors.
Does anybody have any idea what could be happening? If you need any
more info I will be happy to share it.
Below are my snort.conf and the output of Snort running for a brief
period of time when the 50 packets where sent.
Here is my snort.conf:
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS [10.196.4.1,10.196.4.2]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS
[10.196.2.102,10.196.2.103,10.196.2.105,10.196.2.132,10.196.2.133,10.185.9.42,10.185.9.43,10.185.9.44,10.185.9.56,10.185.9.57,10.196.2.93,10.196.2.94,10.196.2.137,10.185.9.77,10.185.9.78,10.185.9.85,10.185.9.86,10.185.8.18,10.185.8.19]
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500 \
no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 587 691 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include classification.config
include reference.config
include $RULE_PATH/local.rules
include threshold.conf
Here is the output of Snort:
un time prior to being shutdown was 28.595880 seconds
===============================================================================
Packet Wire Totals:
Received: 908053
Analyzed: 907663 (99.957%)
Dropped: 380 (0.042%)
Outstanding: 10 (0.001%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
ETH: 909784 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 907996 (99.803%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 901746 (99.116%)
UDP: 3110 (0.342%)
ICMP: 1007 (0.111%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 506 (0.056%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 1294 (0.142%)
DISCARD: 0 (0.000%)
InvChkSum: 627722 (68.997%)
S5 G 1: 0 (0.000%)
S5 G 2: 2121 (0.233%)
Total: 909784
===============================================================================
Action Stats:
ALERTS: 10
LOGGED: 10
PASSED: 0
===============================================================================
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
Total sessions: 15463
TCP sessions: 15463
UDP sessions: 0
ICMP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
TCP StreamTrackers Created: 15463
TCP StreamTrackers Deleted: 15463
TCP Timeouts: 0
TCP Overlaps: 1
TCP Segments Queued: 8631
TCP Segments Released: 8631
TCP Rebuilt Packets: 4075
TCP Segments Used: 4260
TCP Discards: 19042
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 1042
GET methods: 1305
Headers extracted: 2342
Header Cookies extracted: 821
Post parameters extracted: 15
Unicode: 0
Double unicode: 0
Non-ASCII representable: 171
Base 36: 0
Directory traversals: 0
Extra slashes ("//"): 26
Self-referencing paths ("./"): 0
Total packets processed: 218047
===============================================================================
SSL Preprocessor:
SSL packets decoded: 1523
Client Hello: 12
Server Hello: 24
Certificate: 1
Server Done: 85
Client Key Exchange: 6
Server Key Exchange: 0
Change Cipher: 108
Finished: 0
Client Application: 30
Server Application: 273
Alert: 9
Unrecognized records: 1169
Completed handshakes: 2
Bad handshakes: 0
Sessions ignored: 5
Detection disabled: 0
===============================================================================
Snort exiting
-- Framework? I don't need no stinking framework! ---------------------------------------------------------------- @fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com ------------------------------ ------------------------------------------------------------------------------ ------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-users End of Snort-users Digest, Vol 33, Issue 10 *******************************************
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Snort-users Digest, Vol 33, Issue 10 Jimmy Tharel (Feb 12)
- Re: Snort-users Digest, Vol 33, Issue 10 Todd Wease (Feb 12)