[Snort-users] No TCP alerts, only UDP and ICMP

Y M snort at ...15979...
Tue Dec 11 11:30:03 EST 2012


Hi all, I apologize for the late reply and the lack of information, but I have been working on this all day and here is what I found. There was only one side of conversations in the TCP dumps (I overlooked this yesterday as I was only verifying that I am getting TCP and not direction. Sorry for that), as Peter suggested (right on time, thanks). However, it was related to the port that I was using for monitoring. The port was configured to look at both in/out traffic; however, for some reason, the in was not seeing any traffic (still need to figure out how and why) and hence no "established" connections that the "flow" in the rules would tag on. Thanks to everybody for your input.

YM

Date: Tue, 11 Dec 2012 09:38:57 -0500
From: rcombs at ...1935...
To: peter.bates at ...15381...
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] No TCP alerts, only UDP and ICMP

Lots of good ideas but we really need more data.  Please run Snort and capture all output, including shutdown stats, to a file and send that.  If you run from command line, just redirect stderr to a file.


On Tue, Dec 11, 2012 at 5:15 AM, Peter Bates <peter.bates at ...15381...> wrote:

Hello all

On 10/12/2012 19:15, Y M wrote:
> Snort statistics, some of it at least:
>
> ICMP: 0.186%
> UDP: 17.929%
> TCP: 48.667%
> Dropped: 0
> Analyzed: 247964 (100%)

It's a long shot, but I have seen this on a sensor
that was only receiving one side of conversations due
to a misconfiguration on the SPAN side (not all VLANs had been added
to the monitoring session for in/out).

The ICMP and UDP rules (particularly things like ZeroAccess) will always
hit if you're seeing outbound only but the TCP rules that track state
(using flowbits) will obviously never alert.

It might be worth looking at a tcpdump from a specific source/destination
just to confirm you are seeing outbound and inbound.

--
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT






------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
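Peter's suggestion in the thread above, to confirm from a tcpdump that both directions of a conversation reach the sensor, as an added example that is not part of the original thread: a small Python script that groups `tcpdump -n` output lines by bidirectional TCP flow and lists the flows captured in one direction only. It assumes the standard `tcpdump -n` line format; the sample lines are constructed, not a real capture.

```python
import re
from collections import defaultdict

# Address and flags part of a `tcpdump -n` TCP line
TCP_LINE = re.compile(
    r"IP (?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[[^\]]*\]"
)


def flow_directions(lines):
    """Count packets per direction for each bidirectional TCP flow.
    The key is the endpoint pair in sorted order, so both directions share one
    entry; non-TCP lines (UDP, ICMP, ARP) do not match and are skipped."""
    flows = defaultdict(lambda: {"fwd": 0, "rev": 0})
    for line in lines:
        m = TCP_LINE.search(line)
        if not m:
            continue
        src = (m["sip"], int(m["sport"]))
        dst = (m["dip"], int(m["dport"]))
        if src <= dst:
            flows[(src, dst)]["fwd"] += 1
        else:
            flows[(dst, src)]["rev"] += 1
    return dict(flows)


def one_sided_flows(lines):
    """Flows whose packets were captured in one direction only. If nearly every
    flow lands here, the sensor is missing one side of each conversation and
    rules with flow:established (as in the thread above) will never alert."""
    return sorted(key for key, n in flow_directions(lines).items()
                  if n["fwd"] == 0 or n["rev"] == 0)


# Constructed sample of tcpdump -n output (not a real capture): one complete
# handshake, one client whose replies never reach the sensor, one UDP line.
SAMPLE = [
    "12:00:01.000001 IP 10.0.0.5.51234 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000150 IP 93.184.216.34.80 > 10.0.0.5.51234: Flags [S.], seq 7, ack 2, win 65535, length 0",
    "12:00:01.000200 IP 10.0.0.5.51234 > 93.184.216.34.80: Flags [.], ack 8, win 502, length 0",
    "12:00:02.000001 IP 10.0.0.7.40000 > 198.51.100.9.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:03.000001 IP 10.0.0.7.40000 > 198.51.100.9.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:06.000001 IP 10.0.0.5.53000 > 10.0.0.1.53: 4711+ A? example.com. (29)",
]

if __name__ == "__main__":
    missing = one_sided_flows(SAMPLE)
    print(f"{len(missing)} of {len(flow_directions(SAMPLE))} TCP flows seen in one direction only")
    for a, b in missing:
        print(f"  {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

Run it against `tcpdump -n -r capture.pcap tcp` output from the monitoring port; a list containing almost every flow points at the SPAN/TAP configuration rather than at the Snort rules.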