[Snort-devel] Re: [Snort-users] snort-1.9.0 is released!

jsp1999 at ...578... jsp1999 at ...578...
Sun Oct 6 18:22:03 EDT 2002


Hi Chris

- the decoder creates alerts for packets it doesn't understand ( save
  this and submit them as BUGS or events )
   config disable_decode_alerts to disable this feature

This doesn't seem to work.
config does not exist, so I assumed I should use the command

  ./configure disable_decode_alerts

But during the configuration process I got:

Invalid configuration `disable_decode_alerts`: machine
`disable_decode_alerts` not recognized

I read the --help option and modified the command:

./configure --disable-decode_alerts

This didn't complain.

When running make, nothing had to be recompiled.

I also have some problems with the number of packets.
I turned off all the plugins and preprocessors and analyzed 200 000 packets

As output I got:
===============================================================================
Snort analyzed 200015 out of 292588 packets, dropping 92573(31.639%) packets

Breakdown by protocol:                Action Stats:
    TCP: 98309      (33.600%)         ALERTS: 86
    UDP: 1647       (0.563%)          LOGGED: 86
   ICMP: 168        (0.057%)          PASSED: 0
    ARP: 1890       (0.646%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 1517       (0.518%)
  OTHER: 3911       (1.337%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort received signal 2, exiting


When running Snort-NG-1.8.7 or Snort-1.8.7 I get the following information:

Snort analyzed 158559 out of 200018 packets, The kernel dropped 41459(20.728%) packets

Breakdown by protocol:                Action Stats:
    TCP: 143665     (71.826%)         ALERTS: 160
    UDP: 2556       (1.278%)          LOGGED: 160
   ICMP: 219        (0.109%)          PASSED: 0
    ARP: 2657       (1.328%)
   IPv6: 0          (0.000%)
    IPX: 3115       (1.557%)
  OTHER: 6347       (3.173%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort received signal 2, exiting



Both tests have been performed in the same subnet, only two machines
attached to it, no traffic being generated.

So might there be a bug in the packet count?

Regards,
Jasper
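The two summaries in this message can be checked arithmetically: in the 1.8.7 run the per-protocol rows add up exactly to the analyzed count, in the 1.9.0 run they do not. The following is an added example, not code from the post or from the Snort project, that parses such a summary and tests the invariants it appears to obey; those invariants are assumptions inferred from the 1.8.7 numbers (analyzed + dropped equals packets received, each printed percentage is count/received, and the breakdown rows with DISCARD excluded sum to the analyzed count).

```python
import re
# Constructed input: the two run summaries quoted in the post, trimmed to the
# header line and the per-protocol breakdown (all-zero rows omitted).
SNORT_190 = """\
Snort analyzed 200015 out of 292588 packets, dropping 92573(31.639%) packets
Breakdown by protocol:                Action Stats:
    TCP: 98309      (33.600%)         ALERTS: 86
    UDP: 1647       (0.563%)          LOGGED: 86
   ICMP: 168        (0.057%)          PASSED: 0
    ARP: 1890       (0.646%)
    IPX: 1517       (0.518%)
  OTHER: 3911       (1.337%)
DISCARD: 0          (0.000%)
"""
SNORT_187 = """\
Snort analyzed 158559 out of 200018 packets, The kernel dropped 41459(20.728%) packets
Breakdown by protocol:                Action Stats:
    TCP: 143665     (71.826%)         ALERTS: 160
    UDP: 2556       (1.278%)          LOGGED: 160
   ICMP: 219        (0.109%)          PASSED: 0
    ARP: 2657       (1.328%)
    IPX: 3115       (1.557%)
  OTHER: 6347       (3.173%)
DISCARD: 0          (0.000%)
"""
# Both header wordings seen in the post (1.9.0 "dropping", 1.8.7 "The kernel dropped").
HEADER = re.compile(r"Snort analyzed (\d+) out of (\d+) packets,\s*"
                    r"(?:The kernel dropped|dropping)\s*(\d+)\(([\d.]+)%\)")
PROTO = re.compile(r"^\s*(\w+):\s+(\d+)\s+\(([\d.]+)%\)", re.M)

def parse_summary(text):
    """Return (analyzed, total, dropped, drop_pct, {proto: (count, pct)})."""
    m = HEADER.search(text)
    if m is None:
        raise ValueError("no 'Snort analyzed ... out of ...' line found")
    analyzed, total, dropped = (int(x) for x in m.group(1, 2, 3))
    protos = {p: (int(c), float(pct)) for p, c, pct in PROTO.findall(text)}
    return analyzed, total, dropped, float(m.group(4)), protos

def check_summary(text, tol=0.001):
    """Return violated invariants as (check, expected, observed); [] = consistent."""
    analyzed, total, dropped, drop_pct, protos = parse_summary(text)
    bad = []
    if analyzed + dropped != total:              # received == analyzed + dropped
        bad.append(("analyzed+dropped", total, analyzed + dropped))
    for name, (count, pct) in protos.items():    # printed % is count / received
        if abs(count * 100.0 / total - pct) > tol:
            bad.append((name + "%", count * 100.0 / total, pct))
    seen = sum(c for n, (c, _) in protos.items() if n != "DISCARD")
    if seen != analyzed:                         # breakdown rows sum to analyzed
        bad.append(("breakdown sum", analyzed, seen))
    return bad
```

Run against the 1.8.7 summary the checker returns an empty list; against the 1.9.0 summary it reports that the breakdown rows sum to 107442 where 200015 analyzed packets were claimed.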
