[Snort-users] Upgrade from 2.5.8.1 to 2.8.6 and no alerts!

rmkml rmkml at ...953...
Tue Apr 27 13:09:53 EDT 2010


And a warning for Snort users: v2.8.6(.0) enables checksums in the default snort.conf like this:
  config checksum_mode: all
Happy Detect with Snort/Bro/Suricata/Azwalaro
Rmkml


On Tue, 27 Apr 2010, Ryan Jordan wrote:

> 98% of your traffic has invalid checksums. Snort discards this traffic
> unless you run with "-k none" in your command-line options.
>
> On Tue, Apr 27, 2010 at 1:29 PM, Chambers, Richard A.
> (LARC-B703)[RAYTHEON TECHNICAL SERVICES COMPANY]
> <richard.a.chambers at ...57...> wrote:
>> Guys,
>>   Currently running version 2.8.5.1 with no issues.  Got the source code today for 2.8.6 - configured/compiled as before but I seem to be having issues.  It launches with no errors but doesn't generate any alerts:
>>
>> Apr 27 13:14:18 feign snort[14491]: Packet Wire Totals:
>> Apr 27 13:14:18 feign snort[14491]:    Received:      5887624
>> Apr 27 13:14:18 feign snort[14491]:    Analyzed:      5825494 (98.945%)
>> Apr 27 13:14:18 feign snort[14491]:     Dropped:        62115 (1.055%)
>> Apr 27 13:14:18 feign snort[14491]: Outstanding:           15 (0.000%)
>> Apr 27 13:14:18 feign snort[14491]: ===============================================================================
>> Apr 27 13:14:18 feign snort[14491]: Breakdown by protocol (includes rebuilt packets):
>> Apr 27 13:14:18 feign snort[14491]:       ETH: 5825642    (100.000%)
>> Apr 27 13:14:18 feign snort[14491]:   ETHdisc: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:      VLAN: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:      IPV6: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:   IP6 EXT: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:   IP6opts: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:   IP6disc: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:       IP4: 5825642    (100.000%)
>> Apr 27 13:14:18 feign snort[14491]:   IP4disc: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:     TCP 6: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:     UDP 6: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:     ICMP6: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:   ICMP-IP: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:       TCP: 5715187    (98.104%)
>> Apr 27 13:14:18 feign snort[14491]:       UDP: 97763      (1.678%)
>> Apr 27 13:14:18 feign snort[14491]:      ICMP: 3409       (0.059%)
>> Apr 27 13:14:18 feign snort[14491]:   TCPdisc: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:   UDPdisc: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:   ICMPdis: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:      FRAG: 296        (0.005%)
>> Apr 27 13:14:18 feign snort[14491]:    FRAG 6: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:       ARP: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:     EAPOL: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:   ETHLOOP: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:       IPX: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:     OTHER: 8999       (0.154%)
>> Apr 27 13:14:18 feign snort[14491]:   DISCARD: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]: InvChkSum: 5715187    (98.104%)
>> Apr 27 13:14:18 feign snort[14491]:    S5 G 1: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:    S5 G 2: 0          (0.000%)
>> Apr 27 13:14:18 feign snort[14491]:     Total: 5825642
>> Apr 27 13:14:18 feign snort[14491]: ===============================================================================
>> Apr 27 13:14:18 feign snort[14491]: Action Stats:
>> Apr 27 13:14:18 feign snort[14491]: ALERTS: 0
>> Apr 27 13:14:18 feign snort[14491]: LOGGED: 0
>> Apr 27 13:14:18 feign snort[14491]: PASSED: 5262
>> Apr 27 13:14:18 feign snort[14491]: ===============================================================================
>> Apr 27 13:14:18 feign snort[14491]: Frag3 statistics:
>> Apr 27 13:14:18 feign snort[14491]:         Total Fragments: 296
>> Apr 27 13:14:18 feign snort[14491]:       Frags Reassembled: 148
>> Apr 27 13:14:18 feign snort[14491]:                Discards: 0
>> Apr 27 13:14:18 feign snort[14491]:           Memory Faults: 0
>> Apr 27 13:14:18 feign snort[14491]:                Timeouts: 0
>> Apr 27 13:14:18 feign snort[14491]:                Overlaps: 0
>> Apr 27 13:14:18 feign snort[14491]:               Anomalies: 0
>> Apr 27 13:14:18 feign snort[14491]:                  Alerts: 0
>> Apr 27 13:14:18 feign snort[14491]:                   Drops: 0
>> Apr 27 13:14:18 feign snort[14491]:      FragTrackers Added: 148
>> Apr 27 13:14:18 feign snort[14491]:     FragTrackers Dumped: 148
>> Apr 27 13:14:18 feign snort[14491]: FragTrackers Auto Freed: 0
>>
>> Any thoughts?
>>
>> Thanks
>>
>> Richard A. Chambers
>> IT Security
>> Raytheon, ConITS
>> Richard.A.Chambers at ...57...
>> 757-864-5080
>> ----
>> IT Security
>> itsecurity at ...4552...
>> 757-864-4200
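The diagnosis in this thread comes straight from the "Breakdown by protocol" block: InvChkSum is 98.104% of all packets, ALERTS is 0, and the two numbers are the same counter seen from two sides. The following Python script is an added example, not code from the thread or from the Snort project: it parses Snort 2.8.x statistics lines of the form `NAME: COUNT (PCT%)` (with or without the syslog prefix), computes the invalid-checksum ratio, and flags the condition so a sensor health check can catch it before anyone notices the alert stream went quiet. The sample lines are copied from the output quoted above; the 50% threshold and the function names are my own choices.

```python
import re

# Counter lines in a Snort 2.8.x statistics dump look like
#   Apr 27 13:14:18 feign snort[14491]:       TCP: 5715187    (98.104%)
# The syslog prefix is optional: the same block is printed to stderr without it.
COUNTER_RE = re.compile(
    r'^(?:.*?snort\[\d+\]:)?\s*'               # optional "host snort[pid]:" prefix
    r'(?P<name>[A-Za-z][A-Za-z0-9 \-]*?):\s+'  # counter name, e.g. "InvChkSum", "S5 G 1"
    r'(?P<count>\d+)'                          # packet count
    r'(?:\s+\((?P<pct>[\d.]+)%\))?\s*$'        # optional percentage
)

# Subset of the syslog output quoted in the thread (verbatim lines, not constructed).
SAMPLE_LINES = """\
Apr 27 13:14:18 feign snort[14491]: Packet Wire Totals:
Apr 27 13:14:18 feign snort[14491]:    Received:      5887624
Apr 27 13:14:18 feign snort[14491]:    Analyzed:      5825494 (98.945%)
Apr 27 13:14:18 feign snort[14491]:     Dropped:        62115 (1.055%)
Apr 27 13:14:18 feign snort[14491]: ===============================================================================
Apr 27 13:14:18 feign snort[14491]:       TCP: 5715187    (98.104%)
Apr 27 13:14:18 feign snort[14491]:       UDP: 97763      (1.678%)
Apr 27 13:14:18 feign snort[14491]: InvChkSum: 5715187    (98.104%)
Apr 27 13:14:18 feign snort[14491]:     Total: 5825642
Apr 27 13:14:18 feign snort[14491]: ALERTS: 0
Apr 27 13:14:18 feign snort[14491]: PASSED: 5262
""".splitlines()


def parse_snort_stats(lines):
    """Return {counter_name: count} for every 'NAME: N [(P%)]' line.

    Headers ("Packet Wire Totals:") and separator lines do not match and are skipped.
    """
    stats = {}
    for line in lines:
        m = COUNTER_RE.match(line.rstrip())
        if m:
            stats[m.group('name').strip()] = int(m.group('count'))
    return stats


def checksum_diagnosis(stats, threshold=0.5):
    """Flag the 'no alerts' condition from the thread.

    InvChkSum counts packets that failed checksum verification; with the 2.8.6
    default 'config checksum_mode: all' those packets never reach the detection
    engine, so a ratio near 1.0 means the sensor is effectively blind.
    """
    # The breakdown percentages are computed against the block's own Total;
    # fall back to the wire 'Analyzed' count if the block was cut short.
    total = stats.get('Total') or stats.get('Analyzed') or 0
    bad = stats.get('InvChkSum', 0)
    ratio = bad / total if total else 0.0
    return {
        'ratio': round(ratio, 3),
        'suspect': total > 0 and ratio >= threshold,
        'alerts': stats.get('ALERTS', 0),
    }


if __name__ == '__main__':
    result = checksum_diagnosis(parse_snort_stats(SAMPLE_LINES))
    print(result)
    if result['suspect']:
        print("Most analyzed packets failed checksum verification; "
              "check the capture path before trusting ALERTS=%d" % result['alerts'])
```

Run against the thread's numbers this returns `{'ratio': 0.981, 'suspect': True, 'alerts': 0}`. Two points for anyone wiring this into monitoring: the ratio is what matters, not the absolute InvChkSum value, so compare it with the block's own Total; and a ratio this high on a live sensor means the packets were already malformed when Snort saw them (checksum offload on the sniffing host's NIC is the usual cause), so `-k none` (or the equivalent `config checksum_mode: none` in snort.conf) restores detection but does not fix the underlying capture path.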

