[Snort-users] Quick questions about received packets

Richard Bejtlich taosecurity at ...11827...
Wed Oct 26 04:13:36 EDT 2005


Joseph Nicholson wrote:

> I see that snort dropped 179457 packets because it couldn't process them.
> Snort received 186246 packets
> Analyzed: 6789(3.645%)
> Dropped: 179457(96.355%)
> My gut instinct is telling me that it dropped 179457 packets because it
> felt there was no threat from them and that the 6789 it analyzed looked
> suspicious.

Hi Joseph,

You have a serious problem with your Snort deployment.  The packets
Snort dropped were never inspected, period.

Can you describe your configuration?  Are you sending Snort alerts
directly to a database, without Barnyard?  Are you running any odd
rules?

Sincerely,

Richard
http://www.taosecurity.com
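
Added example, not part of the original message or of Snort itself: a small check that parses the exit summary quoted above and flags a sensor whose drop rate means most traffic went uninspected. The function names and the 1% alert threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample: the counters quoted in the thread, in the layout shown there.
SAMPLE = """\
Snort received 186246 packets
    Analyzed: 6789(3.645%)
    Dropped: 179457(96.355%)
"""

RECEIVED = re.compile(r"Snort received\s+(\d+)\s+packets", re.I)
# ^\W* tolerates indentation and mail-quote markers ("> ") before the counter name.
COUNTER = re.compile(r"^\W*(Analyzed|Dropped):\s*(\d+)\s*\(", re.I | re.M)


def parse_stats(text):
    """Extract the received/analyzed/dropped counts from a Snort exit summary."""
    received = RECEIVED.search(text)
    if received is None:
        raise ValueError("no 'Snort received N packets' line found")
    stats = {"received": int(received.group(1))}
    for name, count in COUNTER.findall(text):
        stats[name.lower()] = int(count)
    missing = {"analyzed", "dropped"} - stats.keys()
    if missing:
        raise ValueError("missing counters: " + ", ".join(sorted(missing)))
    return stats


def assess(stats, max_drop_pct=1.0):
    """Return (drop_pct, ok). max_drop_pct is an assumed alerting threshold."""
    received = stats["received"]
    # Recompute from the raw counts instead of trusting the printed percentage.
    drop_pct = round(100.0 * stats["dropped"] / received, 3) if received else 0.0
    return drop_pct, drop_pct <= max_drop_pct


if __name__ == "__main__":
    pct, ok = assess(parse_stats(SAMPLE))
    status = "OK" if ok else "ALERT: dropped packets were never inspected"
    print(f"drop rate {pct}% -> {status}")
```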



