[Snort-users] No TCP alerts, only UDP and ICMP

Russ Combs rcombs at ...1935...
Tue Dec 11 09:38:57 EST 2012


Lots of good ideas but we really need more data.  Please run Snort and
capture all output, including shutdown stats, to a file and send that.  If
you run from command line, just redirect stderr to a file.

On Tue, Dec 11, 2012 at 5:15 AM, Peter Bates <peter.bates at ...15381...> wrote:

> Hello all
>
> On 10/12/2012 19:15, Y M wrote:
> > Snort statistics, some of it at least:
> >
> > ICMP: 0.186%
> > UDP: 17.929%
> > TCP: 48.667%
> > Dropped: 0
> > Analyzed: 247964 (100%)
>
> It's a long shot, but I have seen this on a sensor
> that was only receiving one side of conversations due
> to a misconfiguration on the SPAN side (not all VLANs had been added
> to the monitoring session for in/out).
>
> The ICMP and UDP rules (particularly things like ZeroAccess) will always
> hit if you're seeing outbound only but the TCP rules that track state
> (using flowbits) will obviously never alert.
>
> It might be worth looking at a tcpdump from a specific source/destination
> just to confirm you are seeing outbound and inbound.
>
> --
> Peter Bates
> Senior Information Security Officer   Phone: +44(0)2076792049
> Information Services Division         Internal Ext: 32049
> University College London
> London WC1E 6BT
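The check Peter suggests above, confirming that both directions of a conversation actually reach the sensor, can be automated rather than eyeballed in tcpdump. The following is an added example and is not code from the thread or from the Snort project: it builds a small constructed pcap in memory, pulls IPv4 TCP/UDP 5-tuples out of it with a minimal classic-pcap parser, and lists the flows for which only one direction was ever captured. All names here (`one_sided_flows`, `build_pcap`, the sample addresses and ports) are assumptions made for this example.

```python
"""List one-sided TCP/UDP flows in a capture (added example, not from the Snort thread)."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap magic
LINKTYPE_ETHERNET = 1


def build_ipv4_tcp_frame(src, dst, sport, dport, flags=0x10):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums stay zero, which is fine for flow extraction."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic (not pcapng) pcap file image."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def iter_ipv4_tuples(pcap_bytes):
    """Yield (src, dst, proto, sport, dport) for every IPv4 TCP/UDP packet in the pcap."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled by this example")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4:                # keep TCP and UDP only
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        yield src, dst, proto, sport, dport


def flow_directions(tuples):
    """Group packets into bidirectional flows; value is the set of directions seen ('fwd'/'rev')."""
    seen = defaultdict(set)
    for src, dst, proto, sport, dport in tuples:
        a, b = (src, sport), (dst, dport)
        key = (proto,) + tuple(sorted([a, b]))               # order-independent flow key
        seen[key].add("fwd" if (a, b) == key[1:] else "rev")
    return seen


def one_sided_flows(pcap_bytes):
    """Return flows where only one direction was captured, i.e. what a half-configured SPAN looks like."""
    flows = flow_directions(iter_ipv4_tuples(pcap_bytes))
    return sorted(key for key, dirs in flows.items() if len(dirs) == 1)


# Constructed sample capture: one complete handshake start, one outbound-only connection.
SAMPLE_PCAP = build_pcap([
    build_ipv4_tcp_frame("10.0.0.5", "93.184.216.34", 51000, 80, flags=0x02),   # SYN out
    build_ipv4_tcp_frame("93.184.216.34", "10.0.0.5", 80, 51000, flags=0x12),   # SYN/ACK back
    build_ipv4_tcp_frame("10.0.0.7", "198.51.100.9", 52000, 443, flags=0x02),   # SYN out, no reply seen
])

if __name__ == "__main__":
    for proto, a, b in one_sided_flows(SAMPLE_PCAP):
        print(f"one-sided flow: proto={proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

In practice, replace `SAMPLE_PCAP` with the bytes of a tcpdump capture taken on the sniffing interface. A long list of one-sided flows between hosts that should be talking both ways points at the SPAN or VLAN membership of the monitoring session rather than at the rule set, which matches the symptom in this thread: stateless ICMP/UDP rules still fire while flowbits-tracked TCP rules never do.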