[Snort-users] Snort is not seeing all traffic...
mkettler at ...4108...
Thu May 8 18:49:08 EDT 2003
At 11:23 PM 5/7/2003 -0400, PJ-ML wrote:
>The ethernet link to hub and to other parts of the network are all 100.
>Could it be the speed of the server? I am lost in fog. Not sure where to
>go, I know that I must tune the server...but I do not know what to tune if
>it is not seeing even purposeful exploits...I will be more than happy to
>give any more info that anyone requires to help me figure this out except
>for the root password to my machine ;-)
I'd first see if your snort box even has the packets sent to it, using the
all-seeing tcpdump tool.
run tcpdump -n -i (whatever interface) host (target of attack) and then
re-run the attack.. does tcpdump spit out packets?
As an example:
snortbox # tcpdump -n -i eth0 host 10.1.1.1
testbox # attack 10.1.1.1
snortbox should have packets from the attack dump to the screen. Note that
the only reason I added -n to the tcpdump commandline is to prevent tcpdump
from spending a long time trying to do reverse DNS lookups. If there's no
DNS available tcpdump can hold off printing packets to the screen for a
shockingly long time.
More information about the Snort-users