[Snort-users] No TCP alerts, only UDP and ICMP

Y M snort at ...15979...
Mon Dec 10 13:19:49 EST 2012


Hi Shane,

No filters are being used at all.
Alerts on the reporting GUI were far less than expected and this raised some questions. My initial doubt was that the TCP traffic was filtered right before getting into the sensor. This was not the case as I was able to see all TCP traffic passing through by hooking another machine with wireshark to the link. Then I ran tcpdump from the sensor and sure enough it was reading the expected TCP traffic. Next step was to verify that Snort is actually seeing TCP traffic, which it is in verbose mode only. All works fine with ICMP and UDP including unified2/barnyard2, but not TCP.

Thanks.
YM
________________________________
From: Castle, Shane<mailto:scastle at ...14946...>
Sent: 12/10/2012 8:58 PM
To: Y M<mailto:snort at ...15979...>; Lay, James<mailto:james.lay at ...15009...>; snort-users at lists.sourceforge.net<mailto:snort-users at ...3893...t>
Subject: RE: [Snort-users] No TCP alerts, only UDP and ICMP

Was wondering - you wouldn't by chance be running with a filter via the "-F" runtime switch (or "config bpf_file" in snort.conf), would you?

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Y M [mailto:snort at ...15979...]
Sent: Monday, December 10, 2012 10:29
To: Lay, James; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP

Hi Lay,

Sorry for my late reply. I wouldn't be able to provide a pcap file, at least for now.

However, I tried that in Snort, using the -K pcap (I also tried the -b switch) and read that through tcpdump, and I only got UDP packets, with some ICMPs. Running Snort in verbose mode shows that the majority of the traffic is in fact TCP.

Thanks.
YM
________________________________

From: Lay, James <mailto:james.lay at ...15009...>
Sent: 12/10/2012 7:14 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP


Got a small pcap you could share?

James

From: Y M [mailto:snort at ...15979...]
Sent: Monday, December 10, 2012 9:01 AM
To: Justin Knox
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP



Hi Justin,

Yes I did. I also tried/compared with previously working conf files, conf file in the tarball, and the conf file from Snort labs but the behavior remained the same across all configurations.

Thanks.
YM

________________________________

From: Justin Knox <mailto:jknox at ...16001...>
Sent: 12/10/2012 6:49 PM
To: Y M <mailto:snort at ...15979...>
Cc: Marcos Rodriguez <mailto:marcos.e.rodriguez at ...11827...> ; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP

Hi YM,

Have you verified that frag3 and stream5 are configured and enabled to support tcp?

-Justin

On Mon, Dec 10, 2012 at 10:23 AM, Y M <snort at ...15979...> wrote:

Hi Marcos,

Thanks for your reply. I did try with -k none as suggested and I'm getting the same results, no TCP alerts, just UDP and ICMP.

________________________________

From: Marcos Rodriguez <mailto:marcos.e.rodriguez at ...11827...>
Sent: 12/10/2012 5:50 PM
To: Y M <mailto:snort at ...15979...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP

Hi YM,

Could you try again by adding '-k none' please?

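The three suspects raised across this thread (a BPF filter via "config bpf_file"/-F, missing stream5 TCP tracking, and TCP checksum verification that -k none disables) can be checked against a snort.conf mechanically. The script below is an added example, not code from any poster in the thread; it runs over a constructed sample configuration and assumes Snort 2.9-era directive names.

```shell
#!/bin/sh
# Constructed sample snort.conf fragment (not from the thread). It shows two of
# the suspects raised above: TCP checksums are verified and stream5 has no tcp
# engine, so TCP can show up in verbose mode without being tracked for rules.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
config checksum_mode: all
# config bpf_file: filters.bpf   (commented out, so it must not count)
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_udp: timeout 180
EOF

# check_snort_conf FILE: print one line per suspect found; return 1 if any.
# Comment text is stripped first so commented-out directives are ignored.
check_snort_conf() {
    active=$(sed 's/#.*//' "$1")
    rc=0
    # 1. A BPF filter (config bpf_file, same effect as -F) can exclude TCP.
    if printf '%s\n' "$active" | grep -q '^[[:space:]]*config bpf_file'; then
        echo "bpf_file set: a BPF filter may exclude TCP before detection runs"
        rc=1
    fi
    # 2. Without a stream5_tcp engine TCP sessions are not tracked, so rules
    #    that depend on flow state cannot match.
    if ! printf '%s\n' "$active" | grep -q '^[[:space:]]*preprocessor stream5_tcp'; then
        echo "stream5_tcp missing: TCP is not stream-tracked (the frag3/stream5 question)"
        rc=1
    fi
    # 3. checksum_mode defaults to 'all', so packets failing the TCP checksum
    #    are not inspected; none/notcp disable that, like -k none on the CLI.
    mode=$(printf '%s\n' "$active" | sed -n 's/^[[:space:]]*config checksum_mode:[[:space:]]*//p')
    case " ${mode:-all} " in
        *none*|*notcp*) ;;
        *all*|*tcp*) echo "checksum_mode '${mode:-all}' verifies TCP checksums; retest with -k none"; rc=1 ;;
    esac
    return $rc
}

if check_snort_conf "$SAMPLE_CONF"; then
    echo "no suspects found"
else
    echo "suspects found (exit status $?)"
fi
```

Point it at the real snort.conf in place of the constructed sample; a configuration that reports no suspects still needs the tcpdump/verbose-mode comparison described in the thread to rule out the capture path itself.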



