[Snort-users] Snort is not seeing all traffic...
joeybowling at ...125...
Fri May 9 15:36:08 EDT 2003
Logging in binary to a file is much quicker than ASCII.
What you can do is have snort write binary to a file and then run that file
through snort and have it log it / view it any way you want,
and that way it keeps the load off your PC... but depending on your hardware
and traffic, you could have snort alert and log binary at the same time and
be OK?
Not too sure... I'm new to this as well.
Maybe someone here who is more experienced can show some viable setup scenarios
with the pros and cons of each.
Anyone?? :)
>From: PJ-ML <p.jones.ml at ...8985...>
>To: "Joesph Bowling" <joeybowling at ...125...>,mkettler at ...4108...,
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Snort is not seeing all traffic...
>Date: Fri, 09 May 2003 09:38:37 -0400
>Thanks! Where would I get the book you referenced? Anyone?
>I also wanted to point out that I have only 1 output, which is to mysql. I
>have the preprocessors that are set by default... are some better than
>others? As for the rule set, I am assuming that I need to tune that based on
>what I am concerned about? Binary mode logging? Not sure about that... If I
>log in binary mode, can snort still be effective (sorry if dumb question)?
>Thanks for all the help so far in getting my snort to...well... snort.
>At 10:15 PM 5/8/2003, Joesph Bowling wrote:
>>Per the Snort book from the IDS SANS course
>>Faster Snort performance: pg 167
>>Binary mode logging
>>reduced rule set
>>Conservative settings for preprocessors
>>limited number of output plugins
>>NO screen printing, NO ASCII logging
>>>From: PJ-ML <p.jones.ml at ...8985...>
>>>To: Matt Kettler <mkettler at ...4108...>,snort-users at lists.sourceforge.net
>>>Subject: Re: [Snort-users] Snort is not seeing all traffic...
>>>Date: Thu, 08 May 2003 21:42:44 -0400
>>>Thanks, VERY effective. I saw all the packets to the specific
>>>host... 10167 packets received by filter, 2037 packets dropped by kernel.
>>>So it is seeing traffic to those "servers" that I thought it could not.
>>>With that said, I am thinking that either my IDS is too weak of a machine
>>>and it is dropping packets (at the wrong time) because it can not handle
>>>the load OR I have my snort configured incorrectly (which would not
>>>surprise me). I had someone use "Retina" to scan the host...from port
>>>scan to http attacks and I saw those packets scrolling in my term as well
>>>as when I was just using CIS-5.0.02 on those same hosts. Not sure what I
>>>am doing incorrectly.
>>>>At 11:23 PM 5/7/2003 -0400, PJ-ML wrote:
>>>>>The ethernet link to the hub and to other parts of the network are all 100.
>>>>>Could it be the speed of the server? I am lost in fog. Not sure where
>>>>>to go. I know that I must tune the server... but I do not know what to
>>>>>tune if it is not seeing even purposeful exploits... I will be more than
>>>>>happy to give any more info that anyone requires to help me figure this out,
>>>>>except for the root password to my machine ;-)
>>>>I'd first see if your snort box even has the packets sent to it, using
>>>>the all-seeing tcpdump tool.
>>>>Run tcpdump -n -i (whatever interface) host (target of attack) and then
>>>>re-run the attack. Does tcpdump spit out packets?
>>>>As an example:
>>>>snortbox # tcpdump -n -i eth0 host 10.1.1.1
>>>>testbox # attack 10.1.1.1
>>>>snortbox should have packets from the attack dump to the screen. Note
>>>>that the only reason I added -n to the tcpdump commandline is to prevent
>>>>tcpdump from spending a long time trying to do reverse DNS lookups. If
>>>>there's no DNS available tcpdump can hold off printing packets to the
>>>>screen for a shockingly long time.
>>>Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
>>>The only event dedicated to issues related to Linux enterprise solutions
>>>Snort-users mailing list
>>>Snort-users at lists.sourceforge.net
>>>Go to this URL to change user options or unsubscribe:
>>>Snort-users list archive:
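The diagnostic step Matt Kettler suggests above, with the figures PJ-ML reported back (10167 packets received by filter, 2037 dropped by kernel), is easy to turn into a repeatable check: capture the summary tcpdump prints on exit, compute the kernel drop rate, and decide whether the sensor is keeping up. The following is an added example written for this thread, not code from Snort, tcpdump or any poster. The sample tcpdump output is constructed (the 10.1.1.50 source address and the 5% alarm threshold are assumptions for illustration), and the drop percentage uses Linux libpcap semantics, where the "received by filter" count already includes the packets that were later dropped.

```python
"""Parse tcpdump's end-of-run statistics and flag kernel packet drops.

Added example for the Snort-users thread above; not tcpdump's or Snort's own
code.  Sample output is constructed around the numbers PJ-ML reported.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# tcpdump prints these lines when it exits (e.g. on Ctrl-C).  The
# "packets captured" line only exists in newer releases, so it is optional.
_RECV = re.compile(r"^\s*(\d+) packets? received by filter")
_DROP = re.compile(r"^\s*(\d+) packets? dropped by kernel")
_CAPT = re.compile(r"^\s*(\d+) packets? captured")


@dataclass
class CaptureStats:
    received: int
    dropped: int
    captured: Optional[int] = None

    def drop_pct(self) -> float:
        """Kernel drops as a percentage of packets that reached the filter.

        Assumption: Linux semantics, where 'received by filter' already counts
        the packets that were subsequently dropped.  On the BSDs the received
        count excludes drops, so the loss there is dropped / (received + dropped).
        """
        if self.received == 0:
            return 0.0
        return 100.0 * self.dropped / self.received


def parse_tcpdump_stats(text: str) -> CaptureStats:
    """Extract the statistics lines from a tcpdump session transcript."""
    received = dropped = captured = None
    for line in text.splitlines():
        m = _RECV.match(line)
        if m:
            received = int(m.group(1))
            continue
        m = _DROP.match(line)
        if m:
            dropped = int(m.group(1))
            continue
        m = _CAPT.match(line)
        if m:
            captured = int(m.group(1))
    if received is None or dropped is None:
        raise ValueError("no tcpdump statistics found in output")
    return CaptureStats(received, dropped, captured)


def assess(stats: CaptureStats, threshold_pct: float = 5.0) -> Tuple[bool, str]:
    """Return (healthy, message).  threshold_pct is an assumed alarm level."""
    pct = stats.drop_pct()
    if pct > threshold_pct:
        return False, (f"DROPPING: kernel dropped {stats.dropped} of "
                       f"{stats.received} packets ({pct:.1f}%); the sensor "
                       f"cannot keep up with the link, so Snort is missing traffic")
    return True, f"OK: {pct:.1f}% kernel drops ({stats.dropped}/{stats.received})"


# Constructed transcript of "tcpdump -n -i eth0 host 10.1.1.1" interrupted
# after an attack run.  The packet line is illustrative; the two summary
# lines use the counts PJ-ML posted.  10.1.1.50 is an assumed attacker host.
SAMPLE_OUTPUT = """\
tcpdump: listening on eth0
22:01:14.112233 10.1.1.50.1033 > 10.1.1.1.80: S 12345:12345(0) win 64240 <mss 1460> (DF)
^C
10167 packets received by filter
2037 packets dropped by kernel
"""

# A constructed healthy run for comparison.
HEALTHY_OUTPUT = """\
5000 packets captured
5000 packets received by filter
0 packets dropped by kernel
"""

if __name__ == "__main__":
    for label, text in (("attack run", SAMPLE_OUTPUT), ("healthy run", HEALTHY_OUTPUT)):
        ok, msg = assess(parse_tcpdump_stats(text))
        print(f"{label}: {msg}")
```

A drop rate around 20% on a 100 Mbit hub segment, as in the thread, points at the capture host rather than the Snort configuration: the kernel is discarding packets before the BPF filter (and hence before Snort) ever sees them, so no amount of rule tuning will surface those attacks.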