[Snort-users] Packet Payload not appearing for internal traffic.

Susan Kay Coulter skc at ...440...
Fri Oct 5 09:42:04 EDT 2001


You didn't mention which database you're using, or the snaplen ... but, I found
that there is a very real limitation with mysql - depending on what OS and how
it's configured.  mysql tables have an upper limit of whatever the max file
size is on your box.  The 'data' table (which contains the payload) usually
fills up first.  This does not always cause snort or mysql to fail ... it just
stops writing payload to the 'data' table.   This could be your situation -
especially since you set up a rule that would trigger for every TCP packet that
crossed your sensor.

> Message: 4
> From: "Grimes, Shawn (NIA/IRP)" <GrimesSh at ...3368...>
> To: "'snort-users at lists.sourceforge.net'"
> 	 <snort-users at lists.sourceforge.net>
> Date: Thu, 4 Oct 2001 17:16:36 -0400 
> Subject: [Snort-users] Packet Payload not appearing for internal traffic...
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> It seems my snort is not viewing the packet payload of outbound
> traffic. I have two rules set up to monitor for Code Red/Nimda related
> activity: one for attacks against us and another for us attacking
> other sites (meaning we got infected somewhere). The incoming attacks
> rule works great, the outgoing doesn't work at all. Here are my
> rules:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Cmd.exe attempt
> against us"; content:"cmd.exe";nocase;)
> alert tcp $HOME_NET any -> any 80 (msg:"Cmd.exe attempt from us";
> content:"cmd.exe";nocase;)
> Again, incoming works great, I can see every box that tries to access
> cmd.exe on one of our local computers.
> Outgoing however, if I type in a web address, say
> http://www.google.com/cmd.exe, I don't get the alert I'm supposed
> to. I set up a rule for:
> alert tcp any any -> any any (msg: "Flood of traffic";) and I got
> several alerts but when I went into the detailed view in ACID of the
> alert, the packet payload was empty. Any ideas?
> 
> TIA,
> Shawn
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
> 
> iQA/AwUBO7zRs9uEKqGIN9SBEQKoQgCeJ7yP9XfX1SPHf9KNljRU1zVlIBgAoL1A
> rFP7KTSpYINqAxp+lLyld4CO
> =1Vt/
> -----END PGP SIGNATURE-----
> 
> 

-- 
Susan Coulter
Network Security Team
CCN-5 Network Engineering
Los Alamos National Laboratory
voice: (505) 667-8425
fax:   (505) 665-7793
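A check that follows from the reply above, added here as an example and not part of either message: if the 'data' table has stopped taking rows, every event after some point will have no stored payload, regardless of which rule fired it; if only some rules (or scattered events) lack payload, the database is not the problem. The script builds a trimmed copy of the Snort database output plugin schema in SQLite with constructed sample events and runs the two queries a practitioner would run against the real database. Table and column names (signature.sig_id/sig_name, event.sid/cid/signature, data.data_payload) are assumed to match that schema; the sample rows are made up for the demonstration.

```python
import sqlite3

# Assumption: table and column names follow the classic Snort database output
# plugin schema (signature, event, data), trimmed to the columns this check needs.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
                    PRIMARY KEY (sid, cid));
CREATE TABLE data (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                   data_payload TEXT, PRIMARY KEY (sid, cid));
"""

# Constructed sample for one sensor (sid 1): eight events, payload stored for
# the first four, an empty payload for the fifth, and no 'data' row after that.
SAMPLE_SIGNATURES = [
    (1, "Cmd.exe attempt against us"),
    (2, "Cmd.exe attempt from us"),
    (3, "Flood of traffic"),
]
SAMPLE_EVENTS = [  # (sid, cid, signature, timestamp)
    (1, 1, 1, "2001-10-04 16:58:01"),
    (1, 2, 1, "2001-10-04 16:58:07"),
    (1, 3, 2, "2001-10-04 17:01:15"),
    (1, 4, 3, "2001-10-04 17:05:40"),
    (1, 5, 3, "2001-10-04 17:05:41"),
    (1, 6, 1, "2001-10-04 17:09:02"),
    (1, 7, 3, "2001-10-04 17:09:03"),
    (1, 8, 2, "2001-10-04 17:12:30"),
]
SAMPLE_DATA = [  # (sid, cid, data_payload)
    (1, 1, "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    (1, 2, "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    (1, 3, "GET /cmd.exe HTTP/1.0"),
    (1, 4, "GET / HTTP/1.0"),
    (1, 5, ""),
]


def load_sample():
    """Create the trimmed schema in an in-memory SQLite database and load the sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", SAMPLE_SIGNATURES)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", SAMPLE_DATA)
    return conn


# Portable SQL (LEFT JOIN + CASE), so the same statement runs against MySQL.
# A missing 'data' row and an empty data_payload both count as "no payload",
# which is how the detailed view shows them.
MISSING_PAYLOAD_SQL = """
SELECT s.sig_name,
       COUNT(*) AS events,
       SUM(CASE WHEN d.data_payload IS NULL OR d.data_payload = '' THEN 1 ELSE 0 END)
           AS no_payload,
       MIN(CASE WHEN d.data_payload IS NULL OR d.data_payload = '' THEN e.cid END)
           AS first_cid_without_payload
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
GROUP BY s.sig_name
ORDER BY s.sig_name
"""


def payload_gaps_by_signature(conn):
    """Per signature: total events, events without stored payload, first such cid."""
    return [tuple(row) for row in conn.execute(MISSING_PAYLOAD_SQL)]


def payload_stall(conn, sid):
    """Locate where stored payloads stop for one sensor.

    Returns (last_cid_with_payload, gaps_before_it, events_after_it), or None if
    the sensor has no events.  A long payload-less tail with no earlier gaps
    matches the symptom in the reply (the 'data' table no longer taking rows);
    scattered gaps instead point at the rule or the capture, e.g. a rule with no
    content option firing on TCP segments such as bare SYN/ACKs that carry no
    payload at all.
    """
    rows = conn.execute(
        "SELECT e.cid, CASE WHEN d.data_payload IS NULL OR d.data_payload = '' "
        "THEN 0 ELSE 1 END FROM event e LEFT JOIN data d "
        "ON d.sid = e.sid AND d.cid = e.cid WHERE e.sid = ? ORDER BY e.cid",
        (sid,),
    ).fetchall()
    if not rows:
        return None
    last = max((cid for cid, has in rows if has), default=0)
    gaps_before = sum(1 for cid, has in rows if cid < last and not has)
    tail = sum(1 for cid, _ in rows if cid > last)
    return (last, gaps_before, tail)


if __name__ == "__main__":
    db = load_sample()
    for sig_name, events, no_payload, first_cid in payload_gaps_by_signature(db):
        print(f"{sig_name}: {no_payload}/{events} without payload, first cid {first_cid}")
    print("stall (last cid with payload, gaps before, events after):", payload_stall(db, 1))
```

Against the real MySQL database the SELECT can be pasted in unchanged; to see whether the 'data' table is actually at its ceiling, compare Data_length with Max_data_length in the output of `SHOW TABLE STATUS LIKE 'data'`.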



