[Snort-users] Quick questions about received packets

Murali Raju protocoljunkie at ...11827...
Wed Oct 26 06:39:29 EDT 2005


Hi Joseph,
Perhaps consider using a different libpcap if you are using Linux? -->
http://public.lanl.gov/cpw/

Cheers,

_Raju

On 10/26/05, Joseph Nicholson <wjnicholson at ...11827...> wrote:
>
> I was afraid of that.
>  I have snort plugged into a Cisco 3560G Switch on a mirrored port. I am
> mirroring 10 other ports on the switch currently. This is my core switch and
> brings about 5 different network segments together. I am using the Official
> Snort Rules and the Bleeding Snort Rules. Snort is set up to kick out the
> Alerts via Syslog. The local Syslog function in Linux is set up to send the
> Alerts to a Syslog appliance that parses all of my logs for me.
>  For testing I set up Snort to output Alerts via unified logging and that
> didn't help any. I currently have both Tx and Rx being mirrored to my
> monitoring port. I tried just Tx and just Rx and got the same result. The
> monitor port is a Gigabit port and the monitoring ethernet port is running
> at a Gigabit also. On the linux appliance that port is running in
> promiscuous mode and has no IP. I have a management interface on the box
> also that I use to send the syslog files across and that I log into to
> manage the box.
>  Any thoughts or suggestions would be appreciated. This is the first
> production Sensor I have set up. All my testing sensors apparently didn't
> have enough traffic being pushed at them.
>
>  On 10/26/05, Richard Bejtlich <taosecurity at ...11827...> wrote:
> >
> > Joseph Nicholson wrote:
> >
> > > I see that snort dropped 179457 packets because it couldn't process them.
> > > Snort received 186246 packets
> > > Analyzed: 6789(3.645%)
> > > Dropped: 179457(96.355%)
> > > My gut instinct is telling me that it dropped 179457 packets because it
> > > felt there was no threat from them and that the 6789 it analyzed looked
> > > suspicious.
> >
> > Hi Joseph,
> >
> > You have a serious problem with your Snort deployment. The packets
> > Snort dropped were never inspected, period.
> >
> > Can you describe your configuration? Are you sending Snort alerts
> > directly to a database, without Barnyard? Are you running any odd
> > rules?
> >
> > Sincerely,
> >
> > Richard
> > http://www.taosecurity.com
> >
>
>
>
> --
> Joseph Nicholson




--
May the packets be with you.
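A small sensor-health check for the counters Richard points at, added here as an example and not part of this thread or of Snort itself: it parses a stats block, recomputes the drop rate from the raw counters rather than trusting the printed percentage, and flags a sensor that is blind to most of its traffic. The stats text is a constructed sample built from the figures Joseph quoted; its exact line layout and the 1% threshold are assumptions.

```python
import re

# Constructed sample: the counters Joseph posted, laid out as assumed stats lines.
SAMPLE_STATS = """\
Snort received 186246 packets
    Analyzed: 6789(3.645%)
    Dropped: 179457(96.355%)
"""

RECEIVED_RE = re.compile(r"Snort received\s+(\d+)\s+packets")
COUNTER_RE = re.compile(r"^\s*(Analyzed|Dropped):\s*(\d+)\((\d+(?:\.\d+)?)%\)", re.M)


def parse_snort_stats(text):
    """Return received/analyzed/dropped counts plus a drop rate recomputed from them."""
    m = RECEIVED_RE.search(text)
    if not m:
        raise ValueError("no 'Snort received' line found")
    stats = {"received": int(m.group(1))}
    for name, count, pct in COUNTER_RE.findall(text):
        stats[name.lower()] = int(count)
        stats[name.lower() + "_pct_reported"] = float(pct)
    for key in ("analyzed", "dropped"):
        if key not in stats:
            raise ValueError("missing %s counter" % key)
    # Do not trust the printed percentage; derive it from the raw counters.
    total = stats["received"]
    stats["drop_pct"] = 100.0 * stats["dropped"] / total if total else 0.0
    # Sanity check: analyzed + dropped should account for everything received.
    stats["counters_consistent"] = stats["analyzed"] + stats["dropped"] == total
    return stats


def assess_drop_rate(stats, max_drop_pct=1.0):
    """Dropped packets were never inspected, so a drop rate above the
    threshold (assumed 1%) means the sensor is effectively blind. Returns (ok, message)."""
    if not stats["counters_consistent"]:
        return False, "counters do not add up; stats output may be truncated"
    if stats["drop_pct"] > max_drop_pct:
        return False, "%.3f%% of packets dropped before inspection" % stats["drop_pct"]
    return True, "drop rate %.3f%% within threshold" % stats["drop_pct"]


if __name__ == "__main__":
    parsed = parse_snort_stats(SAMPLE_STATS)
    print(assess_drop_rate(parsed))
```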