[Snort-users] No alerts

Bill McCarty bmccarty at ...5196...
Mon Mar 25 13:41:34 EST 2002


Here's the result of further testing, which leaves me still more puzzled:

Running snort 1.8.4 from the command line, omitting the -D option but 
otherwise using the options cited in my earlier posting, yields alerts. 
But, typing in all options -- including -D -- causes snort to omit writing 
alerts.

Also, running snort 1.8.4 with -D and (after a bit of time to let snort 
settle in) sending SIGUSR1 yields the following result:

Mar 25 13:25:49 ids snort: 
============================================================================
Mar 25 13:25:49 ids snort: Snort analyzed 18668 out of 0 packets,
Mar 25 13:25:49 ids snort: Breakdown by protocol:                Action Stats:
Mar 25 13:25:49 ids snort:     TCP: 9          (inf%)         ALERTS: 0
Mar 25 13:25:49 ids snort:     UDP: 18634      (inf%)         LOGGED: 18618
Mar 25 13:25:49 ids snort:    ICMP: 0          (0.000%)       PASSED: 0
Mar 25 13:25:49 ids snort:     ARP: 4          (inf%)
Mar 25 13:25:49 ids snort:    IPv6: 0          (0.000%)
Mar 25 13:25:49 ids snort:     IPX: 0          (0.000%)
Mar 25 13:25:49 ids snort:   OTHER: 21         (inf%)
Mar 25 13:25:49 ids snort: DISCARD: 0          (0.000%)
Mar 25 13:25:49 ids snort: 
============================================================================
Mar 25 13:25:49 ids snort: Fragmentation Stats:
Mar 25 13:25:49 ids snort: Fragmented IP Packets: 0          (0.000%)
Mar 25 13:25:49 ids snort:     Fragment Trackers: 0
Mar 25 13:25:49 ids snort:    Rebuilt IP Packets: 0
Mar 25 13:25:49 ids snort:    Frag elements used: 0
Mar 25 13:25:49 ids snort: Discarded(incomplete): 0
Mar 25 13:25:49 ids snort:    Discarded(timeout): 0
Mar 25 13:25:49 ids snort:   Frag2 memory faults: 0
Mar 25 13:25:49 ids snort: 
============================================================================
Mar 25 13:25:49 ids snort: TCP Stream Reassembly Stats:
Mar 25 13:25:49 ids snort:         TCP Packets Used: 9          (inf%)
Mar 25 13:25:49 ids snort:          Stream Trackers: 6
Mar 25 13:25:49 ids snort:           Stream flushes: 0
Mar 25 13:25:49 ids snort:            Segments used: 0
Mar 25 13:25:49 ids snort:    Stream4 Memory Faults: 0
Mar 25 13:25:49 ids snort: 
============================================================================

Something is up, because there's substantial TCP traffic on the network, 
notwithstanding the counter suggesting only 9 TCP packets. Also, the 
statement that Snort has analyzed "18668 out of 0 packets" doesn't seem 
quite right.

So, I infer something's not quite right with 1.8.4. At least, not the way I 
built it <grin>.

---------------------------------------------------
Bill McCarty

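The statistics block above is the kind of thing worth checking mechanically when a sensor reports no alerts. The following is an added example, not code from the post or from the Snort project: it parses the syslog-relayed SIGUSR1 statistics in the 1.8.x layout shown above (the regexes assume exactly that layout, which is an assumption) and runs the sanity checks a defender would want, namely whether the "received" counter is zero (which is what makes Snort print "inf%", since it divides each count by that figure), whether the per-protocol rows still sum to the "analyzed" figure, and whether packets are being logged while the alert count stays at zero. The sample input is constructed from the counter values reported in the post.

```python
import re

# Constructed sample input: syslog-relayed Snort 1.8.x statistics in the shape
# shown in the post above (the counter values are the ones the post reports).
SAMPLE_SYSLOG = """\
Mar 25 13:25:49 ids snort: Snort analyzed 18668 out of 0 packets,
Mar 25 13:25:49 ids snort: Breakdown by protocol:                Action Stats:
Mar 25 13:25:49 ids snort:     TCP: 9          (inf%)         ALERTS: 0
Mar 25 13:25:49 ids snort:     UDP: 18634      (inf%)         LOGGED: 18618
Mar 25 13:25:49 ids snort:    ICMP: 0          (0.000%)       PASSED: 0
Mar 25 13:25:49 ids snort:     ARP: 4          (inf%)
Mar 25 13:25:49 ids snort:    IPv6: 0          (0.000%)
Mar 25 13:25:49 ids snort:     IPX: 0          (0.000%)
Mar 25 13:25:49 ids snort:   OTHER: 21         (inf%)
Mar 25 13:25:49 ids snort: DISCARD: 0          (0.000%)
"""

# syslog prefix "Mar 25 13:25:49 ids snort: " followed by the Snort text
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ snort: ?(.*)$")
ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
# "    TCP: 9          (inf%)         ALERTS: 0" -> protocol row, optional action column
ROW_RE = re.compile(
    r"^\s*([A-Za-z0-9]+): +(\d+) +\(([^%]+)%\)(?:\s+(ALERTS|LOGGED|PASSED): +(\d+))?"
)


def strip_syslog(lines):
    """Yield the Snort text after the syslog prefix; lines from other daemons are skipped."""
    for line in lines:
        m = SYSLOG_PREFIX.match(line)
        if m:
            yield m.group(1)


def parse_snort_stats(text):
    """Parse the 'analyzed X out of Y' line and the protocol/action breakdown."""
    stats = {"analyzed": None, "received": None, "protocols": {}, "actions": {}, "raw_pct": {}}
    for body in strip_syslog(text.splitlines()):
        m = ANALYZED_RE.search(body)
        if m:
            stats["analyzed"] = int(m.group(1))
            stats["received"] = int(m.group(2))
            continue
        m = ROW_RE.match(body)
        if m:
            proto, count, pct, action, acount = m.groups()
            stats["protocols"][proto] = int(count)
            stats["raw_pct"][proto] = pct          # keep the printed "inf" / "0.000" token
            if action:
                stats["actions"][action] = int(acount)
    return stats


def check_stats(stats):
    """Sanity checks over the counters; returns a dict of findings."""
    # DISCARD is printed in the same column but is not part of the protocol breakdown
    protos = {k: v for k, v in stats["protocols"].items() if k != "DISCARD"}
    breakdown_total = sum(protos.values())
    analyzed = stats["analyzed"] or 0
    findings = {
        # Snort prints count / received * 100; a zero "received" counter yields "inf%"
        "received_counter_zero": stats["received"] == 0 and analyzed > 0,
        "inf_percentages": sorted(k for k, p in stats["raw_pct"].items() if p == "inf"),
        # if the rows sum to the analyzed figure, that counter is at least self-consistent
        "breakdown_matches_analyzed": breakdown_total == analyzed,
        # packets logged but no alerts: examine the alert output path rather than capture
        "logged_without_alerts": (
            stats["actions"].get("LOGGED", 0) > 0 and stats["actions"].get("ALERTS", 0) == 0
        ),
    }
    # recompute the percentages against a usable denominator
    denom = stats["received"] or breakdown_total
    findings["recomputed_pct"] = {
        k: (round(100.0 * v / denom, 3) if denom else None) for k, v in protos.items()
    }
    return findings


if __name__ == "__main__":
    for key, value in check_stats(parse_snort_stats(SAMPLE_SYSLOG)).items():
        print(f"{key}: {value}")
```

Run against the post's numbers, the check reports that the protocol rows sum exactly to the 18668 analyzed packets, so the "out of 0" figure is the received counter rather than the analysis count, and that 18618 packets were logged while the alert counter stayed at zero.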


