AW: [Snort-users] Snort & multi-port ethernet cards -- PART II

Poppi, Sandro Sandro.Poppi at ...3316...
Sat Jun 22 05:03:02 EDT 2002


Tom,

did you have a look at snort's output when sending SIGUSR1 to all the snort
processes (killall -SIGUSR1 snort) and make sure you're not dropping
packets?

This shouldn't be an issue on your box but may be true if the box is defined
to do more than snorting (I had that same issue when I installed snort and
MySQL and ACID all together on a highly saturated segment with an old PC).

Just a thought.

Cheers,
Sandro
> 
> Thanks very much to Eric, Sandro, Keith, and Vjay for their responses.
> 
> +++++++++++++++++++++++++++++++++++++++++++++
> 
> I've checked the logs, etc.  The three i/faces that are active on the quad
> card do see traffic, but not all the traffic.
> 
> For example, I am snorting two internal segments.  When an alert is
> generated for an event that happens in segment 1 (on eth1), and the other
> end of that event is in segment 3 (on eth3), both sensors should report the
> event.  This happens sometimes and at times it does not.  I have one
> instance of this event firing where it is seen by both sensors, and then I
> have one that was seen only by one of the sensors.  Same src/dst IP in both
> cases. The event in question is "ATTACK RESPONSES id check returned root"
> when a Unix admin in seg 1 connects to a Unix server in seg 3.
> 
> Again, running on RH 7.3, Compaq Proliant 1600, 2 x PIII 500, 512m ram....
> Decent box.
> 
> And also, on eth 1 & on eth 3, I have a filter set on the snort command
> line:
> 
>   eth1  not (src net seg1 and dst net seg1)   # ignore traffic that is local to this segment
>   eth3  not (src net seg3 and dst net seg3)   # ignore traffic that is local to this segment
> 
> So as to pick up only traffic that is from/to a different segment....  I am
> running snort 1.8.6 bld 105...  [eth1, eth3] are in home_net
> 
> +++++++++++++++++++++++++
> 
> # snort -V
> 
> -*> Snort! <*-
> Version 1.8.6 (Build 105)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 
> 
> 
> 
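Added example, not part of the original thread or of Snort: a small model of the two per-interface filters quoted above, showing that a seg1-to-seg3 flow passes both of them, so an alert raised on only one interface is not explained by the filters. The segment addresses and the function names are constructed for illustration, and the model assumes each interface sees every packet that has an endpoint on its own segment.

```python
import ipaddress

# Constructed addresses: the post names the segments only as seg1 and seg3.
SEG1 = ipaddress.ip_network("10.1.0.0/24")
SEG3 = ipaddress.ip_network("10.3.0.0/24")
SENSORS = {"eth1": SEG1, "eth3": SEG3}


def passes_filter(src, dst, local_net):
    """Evaluate 'not (src net X and dst net X)' for one packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not (s in local_net and d in local_net)


def on_wire(src, dst, local_net):
    """Assumption: an interface sees a packet if either endpoint is on its segment."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in local_net or d in local_net


def expected_sensors(src, dst):
    """Interfaces whose snort process should be handed this packet."""
    return sorted(name for name, net in SENSORS.items()
                  if on_wire(src, dst, net) and passes_filter(src, dst, net))


def missing_sensors(src, dst, alerted_on):
    """Interfaces that should have alerted on this flow but did not."""
    return sorted(set(expected_sensors(src, dst)) - set(alerted_on))


if __name__ == "__main__":
    # Constructed flows: cross-segment both ways, local-only, and off-site.
    flows = [
        ("10.1.0.20", "10.3.0.5"),
        ("10.3.0.5", "10.1.0.20"),
        ("10.1.0.20", "10.1.0.30"),
        ("10.1.0.20", "192.0.2.9"),
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: expected on {expected_sensors(src, dst) or 'no sensor'}")
    # An alert logged by eth1 only, for a flow both interfaces should report:
    print("missing:", missing_sensors("10.3.0.5", "10.1.0.20", ["eth1"]))
```

An interface listed as missing is the one whose drop statistics are worth reading first.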



