[Snort-users] No TCP alerts, only UDP and ICMP
Y M
snort at ...15979...
Tue Dec 11 11:30:03 EST 2012
Hi all, I apologize for the late reply and the lack of information but I have been working on this all day and here is what I found. There were only one side of conversations in the TCP dumps (I overlooked this yesterday as I was only verifying that I am getting TCP and not direction. Sorry for that) as Peter suggested (right on time, thanks). However, it was related to the port that I was using for monitoring. The port was configured to look at both in/out traffic, however, for some reason, the in was not seeing any traffic (still need to figure out how and why) and hence, no "established" connections that the "flow" in the rules would tag on. Thanks to everybody for your input.YMDate: Tue, 11 Dec 2012 09:38:57 -0500
From: rcombs at ...1935...
To: peter.bates at ...15381...
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP
Lots of good ideas but we really need more data. Please run Snort and capture all output, including shutdown stats, to a file and send that. If you run from command line, just redirect stderr to a file.
On Tue, Dec 11, 2012 at 5:15 AM, Peter Bates <peter.bates at ...15381...> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello all
On 10/12/2012 19:15, Y M wrote:
> Snort statistics, some of it at least:
>
> ICMP: 0.186%
> UDP: 17.929%
> TCP: 48.667%
> Dropped: 0
> Analyzed: 247964 (100%)
It's a long shot, but I have seen this on a sensor
that was only receiving one side of conversations due
to a misconfiguration on the SPAN side (not all VLANs had been added
to the monitoring session for in/out).
The ICMP and UDP rules (particularly things like ZeroAccess) will always
hit if you're seeing outbound only but the TCP rules that track state
(using flowbits) will obviously never alert.
It might be worth looking at a tcpdump from a specific source/destination
just to confirm you are seeing outbound and inbound.
- --
Peter Bates
Senior Information Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iQEcBAEBAgAGBQJQxwfdAAoJELhVoVpEMS6RAQsH/jz9hN/HL9MmJmAMi9yAlbZH
6TKx5TbXMy9wlxhcjYMiRiAlPad2mM1dEkr7JFVJoRmD6XTjtrZjWPG6Ybbkz4yI
BTOdILXG4safHgg3kOkBKCAJTWzbRwUBC/MTv9cnk35GLT4XirjtUzJ+vjb4n/sH
0gdhwpspMCg7PE3UWUz3prQzIc8rzt4P0ZdOpr2ItnMc+9TxoN6lfhZ8b7R15Wmn
zuTEzJqPAcI2K1Zak4dvkf4+XvdljdEFoF0li/RJXSvySb0x4nmTqGnY5vPD1vzQ
0gRlF+DqDVMpA2l5x50d8a02AmmK4IvUECL+db2+Ke9O2IVSAcV91yZpzNB/eZY=
=tMDa
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121211/d73d1391/attachment.html>
More information about the Snort-users
mailing list