[Snort-users] Stream4 and other stuff

Phil Wood cpw at ...440...
Fri Jun 29 15:53:03 EDT 2001


Marty,

I'm getting extreme packet loss using Version 1.8-beta8 (Build 33).

Snort received 242899 packets and dropped 3692706(93.828%) packets

Breakdown by protocol:                Action Stats:
TCP: 233890     (5.943%)          ALERTS: 203
UDP: 7435       (0.189%)          LOGGED: 203
ICMP: 762        (0.019%)          PASSED: 4900
ARP: 0          (0.000%)
IPv6: 0          (0.000%)

Running a tcpdump is clean (at a different time but with similar
load), no packets dropped.  

LogMessage was called 9058 times prior to this with the message:

  WARNING: Fishy TWH from client!

Is there a way to identify the fishy client with some S:s->D:d in the
message?

I'm running these preprocessors:

preprocessor defrag
preprocessor stream4
preprocessor stream4_reassemble
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $INTERNAL 5 3 $LOG/$SCAN
preprocessor portscan-ignorehosts: $IGNOREHOSTS

Thanks,

-- 
Phil Wood, cpw at ...440...




