[Snort-users] Alerts not Detected during Import?

Dusty Hall halljer at ...8709...
Thu Jun 26 09:56:18 EDT 2003


  Thanks for the Enlightening Answer, it all makes sense now.  I guess
the only way to fix this is to change the output on Snort1 to point
directly to the DB server?


>>> Erek Adams <erek at ...950...> 6/26/2003 11:30:58 AM >>>
On Thu, 26 Jun 2003, Dusty Hall wrote:

> We are experiencing a problem with Snort not reporting Alerts that
> have in our rules files.  Here's some background:
> We copy our Snort tcpdump logs from our sniffer to our MySQL/ACID
> system and then import the tcpdump logs into ACID/MySQL.  From the
> of our alert files the Specific alerts were detected by our sniffer
> not by Snort on our DB box.  So what I'm trying to ask is, does the
> tcpdump log files from our sniffer box have all detected alerts in
> tcpdump format that were sniffed on the wire?  Is there enough
> information from the tcpdump files from our sniffer to process again
> pull out the same alerts?  Here's the steps we use: (Yes we have
> identical rules on both systems and both have the same version of
> Snort.)

[...good info snipped...]

Yes, there is a reason.

It has to do with stream4.  stream4 looks at all the packets on the
and tracks state and streams.  snort1 has the view of the network,
snort2 only has the tcpdump file generated by snort1.  The tcpdump
_only_ has the packets that triggered the alert--Not the previous
which is what stream4 uses to track things.  So snort2 won't alert on
rule that has to do with 'flow'.

A quick bit of grepping shows:

	[erek at ...3819...]/usr/local/build/cvs/snort/rules>wc -l *|tail -1
	3171 total
	[erek at ...3819...]/usr/local/build/cvs/snort/rules>grep -i flow
	| wc -l

So there's roughly half the rules that won't fire on snort2.  It's not
really a 'bug', it's just more a 'consequence'.

Hope that helps!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
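As an added example (not code from the thread or from the Snort project), the following Python script refines the quick `grep -i flow` above by parsing each rule's option list, so that a "flow" hidden inside an msg string such as "overflow" is not counted and only rules that actually carry a `flow:` or `flowbits:` option (both depend on the stream preprocessor's session tracking) are reported as ones that cannot fire on an alert-only tcpdump replay. The sample rules are constructed.

```python
# Constructed sample rules file body (not from the thread); Snort 2.x syntax.
SAMPLE_RULES = r"""
# comment lines and blank lines are ignored

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; sid:1122;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established; content:"USER "; sid:1000001;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; content:"|04|public"; sid:1000002;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; sid:469;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flowbits:isset,imap.login; content:"LOGIN"; sid:1000003;)
alert tcp any any -> any any (msg:"overflow in msg only"; content:"overflow"; sid:1000004;)
"""

RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")
STREAM_OPTIONS = {"flow", "flowbits"}  # options that need stream4 session state

def rule_options(line):
    """Return the text inside a rule's parentheses, or None for non-rule lines."""
    s = line.strip()
    if not s or s.startswith("#") or s.split()[0] not in RULE_ACTIONS:
        return None
    start, end = s.find("("), s.rfind(")")
    if start == -1 or end <= start:
        return None
    return s[start + 1:end]

def needs_stream_state(options):
    """True if the rule uses an option that relies on stream tracking, so it
    cannot match on an isolated packet taken from an alert-only tcpdump."""
    names = {opt.split(":", 1)[0].strip().lower()
             for opt in options.split(";") if opt.strip()}
    return bool(names & STREAM_OPTIONS)

def classify_rules(text):
    """Return (total rules, stream-dependent rules, naive `grep -i flow` hits)."""
    total = dependent = naive = 0
    for line in text.splitlines():
        opts = rule_options(line)
        if opts is None:
            continue
        total += 1
        if needs_stream_state(opts):
            dependent += 1
        if "flow" in line.lower():  # what the plain grep would have counted
            naive += 1
    return total, dependent, naive

if __name__ == "__main__":
    total, dependent, naive = classify_rules(SAMPLE_RULES)
    print(f"{dependent} of {total} rules need stream state (grep -i flow said {naive})")
```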
