[Snort-users] Snort is not seeing all traffic...

PJ-ML p.jones.ml at ...8985...
Fri May 9 06:39:10 EDT 2003

Thanks! Where would I get the book you referenced? Anyone?
I also wanted to point out that I have only 1 output, which is to mysql. I 
have the preprocessors that are set by default...is one better than the 
others? As for the rule set, I am assuming that I need to tune that based on 
what I am concerned about? Binary mode logging? Not sure about that...If I 
log in binary mode, can snort still be effective? (Sorry if dumb question)

Thanks for all the help so far in getting my snort to...well... snort.


At 10:15 PM 5/8/2003, Joesph Bowling wrote:
>Per the Snort book from the IDS SANS course
>Faster Snort performance (pg 167):
>Binary mode logging
>reduced rule set
>Conservative settings for preprocessors
>limited number of output plugins
>NO screen printing, NO ASCII logging
>>From: PJ-ML <p.jones.ml at ...8985...>
>>To: Matt Kettler <mkettler at ...4108...>,snort-users at lists.sourceforge.net
>>Subject: Re: [Snort-users] Snort is not seeing all traffic...
>>Date: Thu, 08 May 2003 21:42:44 -0400
>>Thanks, VERY effective. I saw all the packets to the specific 
>>host...10167 packets received by filter, 2037 packets dropped by kernel. 
>>So it is seeing traffic to those "servers" that I thought it could not 
>>see before.
>>With that said, I am thinking that either my IDS is too weak of a machine 
>>and it is dropping packets (at the wrong time) because it can not handle 
>>the load OR I have my snort configured incorrectly (which would not 
>>surprise me). I had someone use "Retina" to scan the host...from port 
>>scan to http attacks and I saw those packets scrolling in my term as well 
>>as when I was just using CIS-5.0.02 on those same hosts. Not sure what I 
>>am doing incorrectly.
>>>At 11:23 PM 5/7/2003 -0400, PJ-ML wrote:
>>>>The ethernet link to hub and to other parts of the network are all 100. 
>>>>Could it be the speed of the server? I am lost in fog. Not sure where 
>>>>to go, I know that I must tune the server...but I do not know what to 
>>>>tune if it is not seeing even purposeful exploits...I will be more than 
>>>>happy to give any more info that anyone requires to help me figure this 
>>>>out except for the root password to my machine ;-)
>>>I'd first see if your snort box even has the packets sent to it, using 
>>>the all-seeing tcpdump tool.
>>>Run tcpdump -n -i (whatever interface) host (target of attack) and then 
>>>re-run the attack. Does tcpdump spit out packets?
>>>As an example:
>>>snortbox # tcpdump -n -i eth0 host
>>>testbox # attack
>>>snortbox should have packets from the attack dumped to the screen. Note 
>>>that the only reason I added -n to the tcpdump command line is to prevent 
>>>tcpdump from spending a long time trying to do reverse DNS lookups. If 
>>>there's no DNS available, tcpdump can hold off printing packets to the 
>>>screen for a shockingly long time.
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
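As an added example (not from this thread and not part of Snort or tcpdump), here is a small POSIX shell script that packages the check Matt describes above and reads tcpdump's end-of-run summary to quantify kernel drops, which is the figure PJ quoted (2037 dropped of 10167 received). The interface name, target host and capture file name are placeholder assumptions; the capture is written in binary (-w) rather than printed, and -n is kept so DNS never stalls it.

```shell
#!/bin/sh
# Added example, not from the Snort-users thread or the Snort project.
# Goal: confirm the sensor's interface actually receives the traffic, then
# judge from tcpdump's own summary whether the box is keeping up.
# Assumptions (placeholders): interface eth0, target 192.0.2.10, file capture.pcap.

# Capture COUNT packets to/from TARGET into a pcap file. This is the same
# check as "tcpdump -n -i eth0 host <target>" but with -w so the packets are
# saved in binary for later replay, and -c so tcpdump stops and prints its
# "packets received by filter / dropped by kernel" summary on stderr.
capture_host() {
    iface="$1"; target="$2"; count="${3:-1000}"; out="${4:-capture.pcap}"
    tcpdump -n -i "$iface" -c "$count" -w "$out" host "$target"
}

# Parse tcpdump's summary text and print "<received> <dropped> <percent>".
# Prints "0 0 0" when no summary is present, so callers never divide by zero.
drop_stats() {
    printf '%s\n' "$1" | awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == 0) { print "0 0 0"; exit }
            pct = int(drop * 100 / recv)
            print recv, drop, pct
        }'
}

# Succeed (exit 0) when the kernel drop percentage is at or below THRESHOLD.
# A sensor that drops a fifth of what it sees will miss attacks no matter how
# the rules are tuned; that points at load, not at snort.conf.
kernel_drops_ok() {
    threshold="${2:-5}"
    pct=$(drop_stats "$1" | awk '{ print $3 }')
    [ "$pct" -le "$threshold" ]
}

# Run the capture and report drop statistics in one step. tcpdump's summary
# goes to stderr, so stderr is swapped into the captured output and the
# (empty, because of -w) stdout is discarded.
capture_and_report() {
    summary=$(capture_host "$@" 2>&1 >/dev/null)
    drop_stats "$summary"
}

# Usage (needs root and a live interface):
#   capture_and_report eth0 192.0.2.10 1000 capture.pcap
#   kernel_drops_ok "$(capture_host eth0 192.0.2.10 1000 2>&1 >/dev/null)" 5 \
#       && echo "sensor keeping up" || echo "sensor dropping too much"
```

The saved file separates the two hypotheses in the thread: replaying it offline with snort -r capture.pcap -c snort.conf shows whether the rules fire when Snort is not under live load. If alerts appear on replay but not live, the machine is losing packets under load (binary logging and fewer output plugins help there); if they do not fire even on replay, the problem is the configuration or rule set.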
