[Snort-users] some packets not seen?

Siim Põder siim at ...14209...
Mon Sep 15 11:47:09 EDT 2008


Hi.

I have a problem that some/all/most packets are not seen by my rules. In
order to show the problem, I made the conf as simple as possible (2.8.3)

# dirs
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so

# output
output alert_syslog: LOG_AUTH LOG_ALERT
include ruleset.conf

and only this rule:
alert tcp SRCIP any -> DSTIP DSTPORT (msg:"packet detected"; sid:33001; gid:1; rev:1; )

When I initiate a connection from SRCIP to DSTIP:DSTPORT, only one alert
is generated. From this simplistic configuration I would expect one
alert per packet (SYN, ACK, PUSH, FIN, ACK), but only the first SYN
seems to be seen (or maybe the first ACK):

Sep 15 11:45:54 box snort[20223]: [1:33001:1] packet detected {TCP}
SRCIP:52626 -> DSTIP:DSTPORT

I'm not sure if it should make any difference, but the connections are
initiated from the machine running Snort in this case (it's a 64-bit
machine, if it makes a difference).

My question is, shouldn't I see all the packets (in 1 direction)
generating alerts in this case? If not, why? How can I make sure that a
rule gets all the data sent?

I stumbled on this problem (or misunderstanding on my part) while
debugging a dynamic rule that wasn't alerting on data sent from the local
machine, only on the payload coming from remote machines.

Siim
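Added here as a debugging aid, not part of the original post and not Snort's own code: a small Python script that parses the alert_syslog line format quoted above and counts alerts per rule and per TCP 5-tuple, so one can tell from the syslog alone whether a rule fired once per packet or only once per connection. The sample log lines, hostnames, IPv4 addresses and ports are constructed, and the number of packets expected per flow is a parameter (the post lists five one-direction packets: SYN, ACK, PUSH, FIN, ACK).

```python
import re
from collections import Counter

# Constructed sample syslog output, modelled on the one line quoted in the
# post (output alert_syslog: LOG_AUTH LOG_ALERT). Addresses and ports are
# assumptions; the sshd line stands in for unrelated syslog noise.
SAMPLE_SYSLOG = """\
Sep 15 11:45:54 box snort[20223]: [1:33001:1] packet detected {TCP} 10.0.0.5:52626 -> 10.0.0.9:80
Sep 15 11:45:54 box snort[20223]: [1:33001:1] packet detected {TCP} 10.0.0.5:52626 -> 10.0.0.9:80
Sep 15 11:45:55 box snort[20223]: [1:33001:1] packet detected {TCP} 10.0.0.5:52627 -> 10.0.0.9:80
Sep 15 11:45:55 box sshd[1234]: Accepted publickey for siim from 10.0.0.7
"""

# Matches the alert_syslog format: [gid:sid:rev] msg {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\{(?P<proto>\w+)\} (?P<src>[^ ]+):(?P<sport>\d+) -> (?P<dst>[^ ]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Yield one dict per Snort alert line; lines that are not Snort alerts are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        a = m.groupdict()
        for field in ("gid", "sid", "rev", "sport", "dport"):
            a[field] = int(a[field])
        yield a


def flow_key(a):
    """(gid, sid, proto, src, sport, dst, dport): one key per rule and per connection direction."""
    return (a["gid"], a["sid"], a["proto"], a["src"], a["sport"], a["dst"], a["dport"])


def alerts_per_flow(text):
    """Count how many times each rule alerted on each flow (insertion order preserved)."""
    counts = Counter()
    for a in parse_alerts(text):
        counts[flow_key(a)] += 1
    return counts


def underalerted_flows(text, expected):
    """Flows where the rule fired fewer than `expected` times.

    With a rule that has no content match and no flow options, one would
    expect `expected` alerts per connection (one per packet in that
    direction); anything lower means the rule did not see every packet.
    """
    return {key: n for key, n in alerts_per_flow(text).items() if n < expected}


if __name__ == "__main__":
    for key, n in alerts_per_flow(SAMPLE_SYSLOG).items():
        gid, sid, proto, src, sport, dst, dport = key
        print(f"[{gid}:{sid}] {proto} {src}:{sport} -> {dst}:{dport}: {n} alert(s)")
    for key, n in underalerted_flows(SAMPLE_SYSLOG, expected=5).items():
        print("fewer alerts than packets:", key, n)
```

Run it against the real syslog (e.g. the output of `grep snort /var/log/auth.log`) with `expected` set to the number of packets you actually sent in one direction; a flow that shows up with a single alert is the case described in the post.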
