[Snort-users] Snort is not seeing all traffic...

Joesph Bowling joeybowling at ...125...
Fri May 9 15:36:08 EDT 2003


Logging in binary to a file is much quicker than ASCII.

What you can do is have snort write binary to a file and then run that file 
through snort and have it log it/view it any way you want.

That way it keeps the load off your PC... but depending on your hardware 
and traffic, you could have snort alert and log binary at the same time and 
be OK?

Not too sure.. I'm new to this as well.

Maybe someone here who is more experienced can show some viable setup scenarios 
with the pros and cons of each.

Anyone??    :)

Thanks

Joe
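As an added illustration (not part of the original thread), here is a small check for the tcpdump exit statistics PJ quotes further down ("10167 packets received by filter, 2037 packets dropped by kernel"): it parses those two lines and turns the kernel-drop count into a ratio, so you can tell an overloaded sensor from a misconfigured one before reaching for binary logging. The sample summary text and the 1% threshold are constructed assumptions.

```python
import re

# Constructed sample: the two statistics lines tcpdump prints on exit.
# The counts are the ones quoted in the thread.
SAMPLE_TCPDUMP_SUMMARY = """\
10167 packets received by filter
2037 packets dropped by kernel
"""

STAT_RE = re.compile(
    r"^\s*(\d+)\s+packets\s+(received by filter|dropped by kernel)",
    re.MULTILINE,
)


def parse_tcpdump_stats(text):
    """Return (received, dropped) from tcpdump's exit summary.

    Raises ValueError if either statistics line is missing."""
    stats = {m.group(2): int(m.group(1)) for m in STAT_RE.finditer(text)}
    for key in ("received by filter", "dropped by kernel"):
        if key not in stats:
            raise ValueError(f"missing tcpdump statistic: {key}")
    return stats["received by filter"], stats["dropped by kernel"]


def kernel_drop_ratio(received, dropped):
    """Fraction of packets the kernel discarded before the capture process
    read them. Whether 'received by filter' already includes the dropped
    packets is platform-dependent, so treat this as a coarse indicator."""
    if received <= 0:
        return 1.0 if dropped > 0 else 0.0
    return dropped / received


def assess_capture(text, max_drop_ratio=0.01):
    """Parse a tcpdump summary and flag the sensor as overloaded when the
    kernel drop ratio exceeds max_drop_ratio (assumed default: 1%)."""
    received, dropped = parse_tcpdump_stats(text)
    ratio = kernel_drop_ratio(received, dropped)
    return {
        "received": received,
        "dropped": dropped,
        "drop_ratio": ratio,
        # Drops this high mean the box cannot keep up with the wire;
        # missed alerts are then a capacity problem, not a rules problem.
        "overloaded": ratio > max_drop_ratio,
    }


if __name__ == "__main__":
    print(assess_capture(SAMPLE_TCPDUMP_SUMMARY))
```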


>From: PJ-ML <p.jones.ml at ...8985...>
>To: "Joesph Bowling" <joeybowling at ...125...>,mkettler at ...4108..., 
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Snort is not seeing all traffic...
>Date: Fri, 09 May 2003 09:38:37 -0400
>
>Thanks! Where would I get the book you referenced? Anyone?
>I also wanted to point out that I have only 1 output which is to mysql. I 
>have the preprocessors that are set by default...are there one better than 
>others? As for Rule set, I am assuming that I need to tune that based on 
>what I am concerned about? Binary mode logging? Not sure about that... If I 
>log in binary mode, can snort still be effective (sorry if dumb question)?
>
>Thanks for all the help so far in getting my snort to...well... snort.
>
>~PJ
>
>
>At 10:15 PM 5/8/2003, Joesph Bowling wrote:
>>Per the Snort book from the IDS Sans course
>>
>>Faster Snort performance:   pg 167
>>
>>
>>Binary mode logging
>>
>>reduced rule set
>>
>>Conservative settings for preprocessors
>>
>>limited number of output plugins
>>
>>NO screen printing, NO ASCII logging
>>
>>
>>From: PJ-ML <p.jones.ml at ...8985...>
>>>To: Matt Kettler <mkettler at ...4108...>,snort-users at lists.sourceforge.net
>>>Subject: Re: [Snort-users] Snort is not seeing all traffic...
>>>Date: Thu, 08 May 2003 21:42:44 -0400
>>>
>>>Thanks, VERY effective. I saw all the packets to the specific 
>>>host...10167 packets received by filter, 2037 packets dropped by kernel. 
>>>So it is seeing traffic to those "servers" that I thought it could not 
>>>see before.
>>>
>>>With that said, I am thinking that either my IDS is too weak of a machine 
>>>and it is dropping packets (at the wrong time) because it can not handle 
>>>the load OR I have my snort configured incorrectly (which would not 
>>>surprise me).  I had someone use "Retina" to scan the host...from port 
>>>scan to http attacks and I saw those packets scrolling in my term as well 
>>>as when I was just using CIS-5.0.02 on those same hosts. Not sure what I 
>>>am doing incorrectly.
>>>
>>>~PJ
>>>
>>>
>>>
>>>>At 11:23 PM 5/7/2003 -0400, PJ-ML wrote:
>>>>>The ethernet link to hub and to other parts of the network are all 100. 
>>>>>Could it be the speed of the server? I am lost in fog. Not sure where 
>>>>>to go, I know that I must tune the server...but I do not know what to 
>>>>>tune if it is not seeing even purposeful exploits... I will be more than 
>>>>>happy to give any more info that anyone requires to help me figure this 
>>>>>out except for the root password to my machine ;-)
>>>>
>>>>I'd first see if your snort box even has the packets sent to it, using 
>>>>the all-seeing tcpdump tool.
>>>>
>>>>Run tcpdump -n -i (whatever interface) host (target of attack) and then 
>>>>re-run the attack.. does tcpdump spit out packets?
>>>>
>>>>As an example:
>>>>
>>>>snortbox # tcpdump -n -i eth0 host 10.1.1.1
>>>>
>>>>testbox # attack 10.1.1.1
>>>>
>>>>snortbox should have packets from the attack dumped to the screen. Note 
>>>>that the only reason I added -n to the tcpdump command line is to prevent 
>>>>tcpdump from spending a long time trying to do reverse DNS lookups. If 
>>>>there's no DNS available, tcpdump can hold off printing packets to the 
>>>>screen for a shockingly long time.
>>>>
>>>
>>>
>>>
>>>-------------------------------------------------------
>>>Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
>>>The only event dedicated to issues related to Linux enterprise solutions
>>>www.enterpriselinuxforum.com
>>>
>>>_______________________________________________
>>>Snort-users mailing list
>>>Snort-users at lists.sourceforge.net
>>>Go to this URL to change user options or unsubscribe:
>>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>>Snort-users list archive:
>>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
>
