[SPAM] - [Snort-users] Snort not logging all packets - Email found in subject

Marc Hering mhering at ...13116...
Mon Mar 7 12:13:28 EST 2005


Logging in /var/log/messages???? You may not want to do that. I log in
/var/log/sensorname/snort/. Also, is your NIC card working ok? And
what machine specs?
 

________________________________

From: sEc nErD [mailto:umkcguy1978 at ...131...] 
Sent: Monday, March 07, 2005 3:02 PM
To: Marc Hering; snort-users at lists.sourceforge.net
Subject: RE: [SPAM] - [Snort-users] Snort not logging all packets -
Email found in subject


I am logging snort in the /var/log/messages and also on a remote
security information management system like netforensics.
I can see some http inspect preprocessor messages, but I know it's missing
out on a lot of them.
Below is the tcpdump output.

This is what I see when I do tcpdump:
 
#tcpdump -i eth1

tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:08:26.965161 IP 12.40.44.251 > 69.151.58.226: ESP(spi=0x96ebf27b,seq=0x503)
1 packets captured
670 packets received by filter
622 packets dropped by kernel

Marc Hering <mhering at ...13116...> wrote:

	Are you logging into the console? Or via an SSH session?

________________________________

	From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of sEc nErD
	Sent: Monday, March 07, 2005 2:41 PM
	To: snort-users at lists.sourceforge.net
	Subject: [SPAM] - [Snort-users] Snort not logging all packets -
Email found in subject
	
	

	Hi all,
	 
	I am running snort on a fedora box and I started with a doubt
that it is not logging all the packets.
	I checked it with tcpdump, and when I stop tcpdump I see 90% of
the packets being dropped by the kernel.
	When I see /var/log/messages
	I see the below error for both sniffing interfaces:
	 
	OpenPcap() device eth0 network lookup:  ^Ieth0: no IPv4 address
assigned
	 
	I checked the version of libpcap running; it is
	" libpcap-0.8.3-3 "
	Output of # uname -a

	Linux localhost.localdomain 2.6.5-1.358smp #1 SMP Sat May 8
09:25:36 EDT 2004 i686 i686 i386 GNU/Linux
	 
	If anybody could help me on this I would really appreciate it.
	Thanks all,
	kaps

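As an added example (not code from anyone in this thread, nor from the Snort project), here is a small Python check that parses the counters tcpdump prints on exit, like the ones quoted above, and flags a sensor whose kernel drop ratio is too high to trust its output. The first sample is copied from the thread; the second, healthy-looking sample is constructed. The 5% threshold, the function names and the wording of the findings are my own choices.

```python
import re

# Sample 1: the tcpdump run quoted in the thread (sensor clearly starved:
# 622 of 670 packets that matched the filter were dropped by the kernel).
THREAD_TCPDUMP_OUTPUT = """\
tcpdump: WARNING: eth1: no IPv4 address assigned
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:08:26.965161 IP 12.40.44.251 > 69.151.58.226: ESP(spi=0x96ebf27b,seq=0x503)
1 packets captured
670 packets received by filter
622 packets dropped by kernel
"""

# Sample 2: constructed output for a sensor that keeps up with the link.
HEALTHY_TCPDUMP_OUTPUT = """\
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
5000 packets captured
5000 packets received by filter
0 packets dropped by kernel
"""

# The three summary lines tcpdump prints when it stops.
STAT_RE = re.compile(
    r"^(\d+) packets? (captured|received by filter|dropped by kernel)$",
    re.MULTILINE,
)


def parse_capture_stats(text):
    """Return the capture counters as a dict keyed by tcpdump's own wording."""
    stats = {"captured": 0, "received by filter": 0, "dropped by kernel": 0}
    for match in STAT_RE.finditer(text):
        stats[match.group(2)] = int(match.group(1))
    return stats


def kernel_drop_ratio(stats):
    """Fraction of filter-matching packets the kernel dropped before userspace read them."""
    received = stats["received by filter"]
    if received == 0:
        return 0.0
    return stats["dropped by kernel"] / received


def assess_sensor(text, max_drop_ratio=0.05):
    """Parse a tcpdump run and list reasons the capture should not be trusted.

    max_drop_ratio is an assumed operational threshold, not a tcpdump value.
    """
    stats = parse_capture_stats(text)
    ratio = kernel_drop_ratio(stats)
    findings = []
    if ratio > max_drop_ratio:
        findings.append(
            f"kernel dropped {ratio:.1%} of matching packets; "
            "Snort on this host will miss traffic the same way"
        )
    if "no IPv4 address assigned" in text:
        # Expected on a passive sniffing port with no IP; noted, not treated as a fault.
        findings.append("sniffing interface has no IPv4 address (normal for a passive tap)")
    return stats, ratio, findings


if __name__ == "__main__":
    for label, sample in (("thread", THREAD_TCPDUMP_OUTPUT), ("healthy", HEALTHY_TCPDUMP_OUTPUT)):
        stats, ratio, findings = assess_sensor(sample)
        print(f"[{label}] {stats} drop ratio={ratio:.3f}")
        for f in findings:
            print(f"  - {f}")
```

Run it against the saved stderr of a short tcpdump session on the sensor interface; a drop ratio anywhere near the thread's 92% means the capture buffer is being overrun and any IDS reading the same interface is blind to most of the traffic, regardless of what its own logs show.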
