Snort mailing list archives
Re: Fwd: Snort blocking connection but not logging the drop
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 15 May 2014 19:09:25 +0000
________________________________
From: Cody Brugh [cbrugh () gmail com]
Sent: Thursday, May 15, 2014 2:55 PM
To: Russ Combs (rucombs)
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

do you suggest maybe changing from afpacket to something else for DAQ?

* You could try that. You should post to snort-users to see if other users have had this issue. This doesn't appear to be a bug.

--daq afpacket

On Thu, May 15, 2014 at 2:45 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

________________________________
From: Cody Brugh [cbrugh () gmail com]
Sent: Thursday, May 15, 2014 2:33 PM
To: Russ Combs (rucombs)
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

fetch ... is still being blocked and no alerts show.....

* If it is still being blocked it isn't Snort. It could be your DAQ, but I doubt that too. You can double check Snort's shutdown / usr1 stats to make sure the packet counts are correct to verify that.

* Note also that Snort usually doesn't block port 443 because the traffic is usually encrypted so no inspection. If anything, Snort will whitelist that traffic, meaning don't inspect it. Check for whitelist counts in the shutdown / usr1 data. Try disabling ssl to see if there is any change.

* However, it really seems like there is something else like a firewall blocking port 443. Can you run that fetch command on a snort in-line setup that you might have?

... Result=0x00000000
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
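The check suggested in the message above (reading the verdict and whitelist counts from Snort's shutdown / usr1 stats), as an added example that is not part of the original thread or of Snort itself. The sample text is constructed and assumes the "Action Stats" / "Verdicts" layout that Snort 2.9.x prints; the function names are hypothetical.

```python
import re

# Constructed sample of the stats Snort prints at shutdown or on SIGUSR1.
# Layout assumed from Snort 2.9.x; the counts are invented for illustration.
SAMPLE_STATS = """\
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Verdicts:
      Allow:         1180 ( 96.169%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:           47 (  3.831%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
"""

HEADER = re.compile(r"^([A-Za-z/ ]+):\s*$")             # e.g. "Verdicts:"
COUNTER = re.compile(r"^\s*([A-Za-z ]+?):\s+(\d+)\b")   # e.g. "  Block:   0 ("

def parse_sections(text):
    """Return {section name: {counter name: int}} from a stats dump."""
    sections, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
            continue
        counter = COUNTER.match(line)
        if counter and current is not None:
            current[counter.group(1).strip()] = int(counter.group(2))
    return sections

def diagnose(text):
    """Summarise whether Snort itself issued blocking verdicts."""
    stats = parse_sections(text)
    verdicts = stats.get("Verdicts", {})
    blocked = verdicts.get("Block", 0) + verdicts.get("Blacklist", 0)
    alerts = stats.get("Action Stats", {}).get("Alerts", 0)
    if blocked == 0:
        note = "no block verdicts: the drop is happening outside Snort"
    elif alerts == 0:
        note = "block verdicts without alerts: check rule actions and outputs"
    else:
        note = "block verdicts and alerts both counted"
    return {"blocked": blocked, "alerts": alerts,
            "whitelisted": verdicts.get("Whitelist", 0), "note": note}

if __name__ == "__main__":
    print(diagnose(SAMPLE_STATS))
```

A non-zero whitelist count with zero block verdicts matches the case described in the message: traffic passed uninspected and something other than Snort is dropping it.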
Current thread:
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 15)
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 15)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 15)
