[Snort-users] No TCP alerts, only UDP and ICMP

Peter Bates peter.bates at ...15381...
Tue Dec 11 05:15:57 EST 2012



Hello all

On 10/12/2012 19:15, Y M wrote:
> Snort statistics, some of it at least:
> 
> ICMP: 0.186%
> UDP: 17.929%
> TCP: 48.667%
> Dropped: 0
> Analyzed: 247964 (100%)

It's a long shot, but I have seen this on a sensor
that was only receiving one side of conversations due
to a misconfiguration on the SPAN side (not all VLANs had been added
to the monitoring session for in/out).

The ICMP and UDP rules (particularly things like ZeroAccess) will always
hit if you're seeing outbound only, but the TCP rules that track state
(using flowbits) will obviously never alert.

It might be worth looking at a tcpdump from a specific source/destination
just to confirm you are seeing outbound and inbound.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
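The check suggested above can be scripted. The following is an added example, not code from this thread or from the Snort project: it reads the text output of `tcpdump -n` (the `IP a.b.c.d.port > e.f.g.h.port: Flags [...]` line format; ICMP lines carry no ports and are skipped), groups packets into flows, and reports every flow where only one direction was seen. For TCP it also distinguishes a return leg the sensor never received (the initiator is ACKing segments that never appear in the capture, which is exactly the one-VLAN SPAN symptom) from a peer that simply never answered (SYNs only). The sample capture is constructed for the example and the addresses in it are documentation ranges, not real hosts.

```python
"""Summarize a `tcpdump -n` text capture per flow and flag one-sided flows.

Added example for the Snort-users thread; assumes `tcpdump -n` line format.
"""
import re
from dataclasses import dataclass, field

# Matches `tcpdump -n` lines for TCP/UDP over IPv4, e.g.
#   12:00:01.000100 IP 10.1.2.50.51234 > 203.0.113.10.80: Flags [S], seq 100, win 65535, length 0
LINE_RE = re.compile(
    r"^\S+ IP (?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")

# Constructed sample capture (not a real trace): one web flow whose replies
# the sensor never saw, one complete handshake, a DNS query with no answer,
# a SYN that was never answered, a flow where only the server side was seen,
# and an ICMP line that the port-based regex ignores.
SAMPLE = """\
12:00:01.000100 IP 10.1.2.50.51234 > 203.0.113.10.80: Flags [S], seq 100, win 65535, length 0
12:00:01.020300 IP 10.1.2.50.51234 > 203.0.113.10.80: Flags [.], ack 1, win 65535, length 0
12:00:01.021000 IP 10.1.2.50.51234 > 203.0.113.10.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79
12:00:02.000000 IP 10.1.2.51.40000 > 203.0.113.20.443: Flags [S], seq 500, win 64240, length 0
12:00:02.010000 IP 203.0.113.20.443 > 10.1.2.51.40000: Flags [S.], seq 900, ack 501, win 65160, length 0
12:00:02.010500 IP 10.1.2.51.40000 > 203.0.113.20.443: Flags [.], ack 1, win 64240, length 0
12:00:03.000000 IP 10.1.2.52.53001 > 198.51.100.53.53: 12345+ A? example.net. (29)
12:00:03.500000 IP 10.1.2.52.53001 > 198.51.100.53.53: 12345+ A? example.net. (29)
12:00:04.000000 IP 10.1.2.53.45678 > 203.0.113.30.22: Flags [S], seq 7, win 64240, length 0
12:00:05.000000 IP 10.1.2.53.45678 > 203.0.113.30.22: Flags [S], seq 7, win 64240, length 0
12:00:06.000000 IP 203.0.113.40.443 > 10.1.2.54.50000: Flags [S.], seq 3, ack 1, win 65160, length 0
12:00:06.100000 IP 203.0.113.40.443 > 10.1.2.54.50000: Flags [P.], seq 1:200, ack 1, win 65160, length 199
12:00:07.000000 IP 10.1.2.55 > 203.0.113.50: ICMP echo request, id 1, seq 1, length 64
"""


@dataclass
class Flow:
    proto: str
    initiator: tuple        # (ip, port) of the side that opened the flow
    responder: tuple
    fwd: int = 0            # packets initiator -> responder
    rev: int = 0            # packets responder -> initiator
    fwd_flags: set = field(default_factory=set)  # TCP flag strings sent by the initiator


def parse_flows(text):
    """Group tcpdump lines into flows keyed by (proto, sorted endpoint pair)."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ICMP and other port-less lines are out of scope here
        src = (m["sip"], int(m["sport"]))
        dst = (m["dip"], int(m["dport"]))
        fm = FLAGS_RE.search(m["rest"])
        flags = fm["flags"] if fm else None
        proto = "tcp" if flags is not None else "udp"
        key = (proto,) + tuple(sorted((src, dst)))
        flow = flows.get(key)
        if flow is None:
            # The first packet seen names the initiator, except that a SYN/ACK
            # ("S.") can only have come from the responder.
            flow = Flow(proto, dst, src) if flags == "S." else Flow(proto, src, dst)
            flows[key] = flow
        elif flags == "S" and src == flow.responder:
            # A bare SYN from the presumed responder: the initial guess was wrong.
            flow.initiator, flow.responder = flow.responder, flow.initiator
            flow.fwd, flow.rev = flow.rev, flow.fwd
            flow.fwd_flags = set()
        if src == flow.initiator:
            flow.fwd += 1
            if flags is not None:
                flow.fwd_flags.add(flags)
        else:
            flow.rev += 1
    return flows


def one_sided_flows(text):
    """Return [(flow, reason)] for every flow with packets in only one direction.

    A tcpdump flag string containing "." means the ACK bit was set, so an
    initiator that sends "." or "P." while the capture holds nothing from the
    responder is acknowledging segments the sensor never received.
    """
    findings = []
    for flow in parse_flows(text).values():
        if flow.fwd and flow.rev:
            continue
        if flow.rev == 0:
            if flow.proto == "tcp" and any("." in f for f in flow.fwd_flags):
                reason = "return leg missing from capture: initiator ACKs segments we never saw"
            elif flow.proto == "tcp":
                reason = "no reply seen: SYN only, peer silent or filtered"
            else:
                reason = "no reply seen: UDP, cannot tell a silent peer from an unmirrored return VLAN"
        else:
            reason = "forward leg missing from capture: only the responder side seen"
        findings.append((flow, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in one_sided_flows(SAMPLE):
        print(f"{flow.proto} {flow.initiator[0]}:{flow.initiator[1]} -> "
              f"{flow.responder[0]}:{flow.responder[1]} fwd={flow.fwd} rev={flow.rev}: {reason}")
```

To run it against a live sensor, capture a single conversation with something like `tcpdump -n -i <monitor-interface> host <client> and host <server>` and feed the saved text to `one_sided_flows`; if every TCP flow comes back as "return leg missing", the mirror session is the problem, not the rules. A UDP-only result is inconclusive on its own, which is why the TCP handshake is the better witness.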