[Snort-users] Snort is not seeing all traffic...
p.jones.ml at ...8985...
Fri May 9 12:33:08 EDT 2003
Ok, read the user manual for 2.0 and I have question pertaining to the
advice below and the manual. Can I run "snort -b -A fast -c snort.conf" AND
have a another (at the same time) "snort -d -c snort.conf -h 10.25.1.0/24
What I THINK I am attempting is to have one snort dump the binary, thus not
dropping any packets AND having another snort go through the binary and
output to a database the alerts...
What do you guys think?
Thanks in advance (again and again and again ... :-) )...
At 10:15 PM 5/8/2003, Joesph Bowling wrote:
>Per the Snort book from the IDS Sans course
>Faster Snort performance: pg 167
>Binary mod logging
>reduced rule set
>Conservative settings for preprocessors
>limited number of output plugins
>NO screen printing, NO AscII logging
>>From: PJ-ML <p.jones.ml at ...8985...>
>>To: Matt Kettler <mkettler at ...4108...>,snort-users at lists.sourceforge.net
>>Subject: Re: [Snort-users] Snort is not seeing all traffic...
>>Date: Thu, 08 May 2003 21:42:44 -0400
>>Thanks, VERY effective. I saw all the packets to the specific
>>host...10167 packets received by filter, 2037 packets dropped by kernel.
>>So it is seeing traffic to those "servers" that I thought it could not
>>With that said, I am thinking that either my IDS is too weak of a machine
>>and it is dropping packets (at the wrong time) because it can not handle
>>the load OR I have my snort configured incorrectly (which would not
>>surprise me). I had someone use "Retina" to scan the host...from port
>>scan to http attacks and I saw those packets scrolling in my term as well
>>as when I was just using CIS-5.0.02 on those same hosts. Not sure what I
>>am doing incorrectly.
>>>At 11:23 PM 5/7/2003 -0400, PJ-ML wrote:
>>>>The ethernet link to hub and to other parts of the network are all 100.
>>>>Could it be the speed of the server? I am lost in fog. Not sure where
>>>>to go, I know that I must tune the server...but I do not know what to
>>>>tune if it is not seeing even purposeful exploits...I will be more than happy
>>>>to give any more info that anyone requires to help me figure this out
>>>>except for the root password to my machine ;-)
>>>I'd first see if your snort box even has the packets sent to it, using
>>>the all-seeing tcpdump tool.
>>>run tcpdump -n -i (whatever interface) host (target of attack) and then
>>>re-run the attack.. does tcpdump spit out packets?
>>>As an example:
>>>snortbox # tcpdump -n -i eth0 host 10.1.1.1
>>>testbox # attack 10.1.1.1
>>>snortbox should have packets from the attack dump to the screen. Note
>>>that the only reason I added -n to the tcpdump commandline is to prevent
>>>tcpdump from spending a long time trying to do reverse DNS lookups. If
>>>there's no DNS available tcpdump can hold off printing packets to the
>>>screen for a shockingly long time.
>>Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
>>The only event dedicated to issues related to Linux enterprise solutions
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>Go to this URL to change user options or unsubscribe:
>>Snort-users list archive:
>Protect your PC - get McAfee.com VirusScan Online
More information about the Snort-users