[Snort-users] No TCP alerts, only UDP and ICMP
peter.bates at ...15381...
Tue Dec 11 05:15:57 EST 2012
-----BEGIN PGP SIGNED MESSAGE-----
On 10/12/2012 19:15, Y M wrote:
> Snort statistics, some of it at least:
> ICMP: 0.186%
> UDP: 17.929%
> TCP: 48.667%
> Dropped: 0
> Analyzed: 247964 (100%)
It's a long shot, but I have seen this on a sensor
that was only receiving one side of conversations due
to a misconfiguration on the SPAN side (not all VLANs had been added
to the monitoring session for in/out).
The ICMP and UDP rules (particularly things like ZeroAccess) will always
hit if you're seeing outbound only but the TCP rules that track state
(using flowbits) will obviously never alert.
It might be worth looking at a tcpdump from a specific source/destination
just to confirm you are seeing outbound and inbound.
Senior Information Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the Snort-users