[Snort-users] (no subject)

Joel Esler joel.esler at ...1935...
Wed May 24 09:02:09 EDT 2006


Santi,

Perhaps I don't understand what's going on.  Your number of alerts
increases when speed increases?

Joel

Santi Benito wrote:
> Hello Joel, I could not respond to you before because I have not been at
> home these days.
> My problem was that when my replaying rate from one computer to
> another grows, the number of alerts passes from 740 at 20Mb/s to 745 at
> 30Mb/s.
> I am only using p2p.rules and bleeding's p2p rules also.
> I don't understand this issue.
> Another thing is, if it is normal that ethereal catches more p2p
> packets from one pcap file than snort.
> Thanks a lot.
> I think that you have the main configuration of my snort.conf file, no?
> I will be very pleased if you could help me.
> 
> Santi
> 
> On 5/20/06, Joel Esler <joel.esler at ...1935...> wrote:
> Maybe I lost the first email, so I can't find the problem, but what is
> the problem you are having?
> 
> Joel
> 
> Santi Benito wrote:
>> Thanks a lot Martin,but I think that I have the portscan preprocessor
>> disabled from the beginning. I do the probes with this preprocessor
>> configuration in snort.conf:
> 
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor frag2
>> preprocessor stream4: disable_evasion_alerts detect_scans
>> preprocessor stream4_reassemble
>> preprocessor rpc_decode: 111 32771
>> preprocessor bo
>> preprocessor telnet_decode
> 
>> I think that for my purpose, see how many alerts of only p2p traffic it
>> detects, I also could disable all the preprocessors, I also saw one
>> time that preprocessor http_inspect generated me a lot of alerts and I
>> disabled it.
>> So if I have that configuration, and the problem continues to exist,
>> what could be the cause?
>> My professor has told me to use tethereal, and it catches much more
>> packets than snort, but at 50Mb/s begins dropping packets....so I
>> would like to solve the problem of snort, but I don't know how.
> 
>> Thanks a lot, I expect not to have bored you.
> 
>> Santi
> 
> 