[Snort-users] MySQL support for Snort 2.9.4

waldo kitty wkitty42 at ...14940...
Wed Dec 12 09:32:50 EST 2012


On 12/11/2012 17:08, Kaya Saman wrote:
> Starting Snort does give me a few warnings:
>
> Running in IDS mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
[...]
> pcap DAQ configured to passive.
> Acquiring network traffic from "trunk0".
> Reload thread starting...
> Reload thread started, thread 0x205d9a600 (18685)

pretty much OK to here...

> Decoding Ethernet

this bothers me... why? Because it seems to indicate that only Ethernet is being 
sniffed and not TCP/IP...

>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort! <*-
> o" )~ Version 2.9.3.1 IPv6 GRE (Build 40)
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> Copyright (C) 1998-2012 Sourcefire, Inc., et al.
> Using libpcap version 1.3.0
> Using PCRE version: 8.30 2012-02-04
> Using ZLIB version: 1.2.3
>
> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.16 <Build 18>
> Preprocessor Object: SF_DNP3 (IPV6) Version 1.1 <Build 1>
> Preprocessor Object: SF_MODBUS (IPV6) Version 1.1 <Build 1>
> Preprocessor Object: SF_GTP (IPV6) Version 1.1 <Build 1>
> Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
> Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
> Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
> Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
> Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
> Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
> Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
> Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
> Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
> Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
> Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
> Commencing packet processing (pid=18685)

something else that bothers me a bit is all the above indicating IPv6, and I'm 
sure you have IPv4 traffic... is it possible that your IPv4 traffic is not being 
looked at at all??

> The -v option does show a lot of traffic going through.....

what kind of traffic? IPv4, IPv6, or both?
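Added example, not part of the thread and not Snort's own code: a small Python parser for startup output of the form quoted above. It pulls out the fields the reply is reading off by eye (the DAQ mode, the capture interface, the "Decoding ..." link-layer line, the IPv6/GRE tokens in the version banner, the per-preprocessor "(IPV6)" marker and the pids) and returns a list of findings, so the same checks can be repeated after an upgrade or a rebuild. The embedded sample is a constructed, abbreviated copy of the quoted output; the field names and the set of checks are this example's own choices.

```python
import re
from typing import Any, Dict, List

# Constructed sample (abbreviated copy of the startup lines quoted in the
# thread, embedded so the parser runs offline).
SAMPLE_STARTUP = """\
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "trunk0".
Reload thread starting...
Reload thread started, thread 0x205d9a600 (18685)
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build 18>
           Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
Commencing packet processing (pid=18685)
"""

# One regex per field; each is matched against a whitespace-stripped line.
PATTERNS = {
    "mode":      re.compile(r"^Running in (\S+) mode"),
    "daq":       re.compile(r"^(\S+) DAQ configured to (\S+)\."),
    "interface": re.compile(r'^Acquiring network traffic from "([^"]+)"'),
    "reload":    re.compile(r"^Reload thread started, thread (0x[0-9a-fA-F]+) \((\d+)\)"),
    "datalink":  re.compile(r"^Decoding (\S+)"),
    "banner":    re.compile(r"Version (\d+(?:\.\d+)+)\s+(.*?)\s*\(Build (\d+)\)"),
    "library":   re.compile(r"^Using (\S+) version:?\s+(\S+)"),
    "preproc":   re.compile(r"^Preprocessor Object:\s+(\S+)\s+\((\w+)\)\s+Version\s+(\S+)\s+<Build\s+(\d+)>"),
    "commence":  re.compile(r"^Commencing packet processing \(pid=(\d+)\)"),
}


def parse_snort_startup(text: str) -> Dict[str, Any]:
    """Extract the interesting fields from Snort 2.9-style startup output."""
    info: Dict[str, Any] = {
        "mode": None, "daq": None, "daq_mode": None, "interface": None,
        "reload_pid": None, "datalink": None, "version": None, "build": None,
        "features": [], "libraries": {}, "preprocessors": [], "pid": None,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PATTERNS["mode"].search(line)):
            info["mode"] = m.group(1)
        elif (m := PATTERNS["daq"].search(line)):
            info["daq"], info["daq_mode"] = m.group(1), m.group(2)
        elif (m := PATTERNS["interface"].search(line)):
            info["interface"] = m.group(1)
        elif (m := PATTERNS["reload"].search(line)):
            info["reload_pid"] = int(m.group(2))
        elif (m := PATTERNS["datalink"].search(line)):
            info["datalink"] = m.group(1)          # link-layer decoder, e.g. Ethernet
        elif (m := PATTERNS["banner"].search(line)):
            info["version"], info["build"] = m.group(1), int(m.group(3))
            info["features"] = m.group(2).split()  # e.g. ["IPv6", "GRE"]
        elif (m := PATTERNS["library"].search(line)):
            info["libraries"][m.group(1)] = m.group(2)
        elif (m := PATTERNS["preproc"].search(line)):
            info["preprocessors"].append(
                {"name": m.group(1), "flag": m.group(2),
                 "version": m.group(3), "build": int(m.group(4))})
        elif (m := PATTERNS["commence"].search(line)):
            info["pid"] = int(m.group(1))
    return info


def check_startup(info: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    if info["interface"] is None:
        findings.append("no capture interface reported")
    if info["daq_mode"] != "passive":
        findings.append(f"DAQ mode is {info['daq_mode']!r}, not passive")
    if info["datalink"] is None:
        findings.append("no 'Decoding <link type>' line seen")
    if "IPv6" not in info["features"]:
        findings.append("version banner does not list IPv6")
    no_v6 = [p["name"] for p in info["preprocessors"] if p["flag"] != "IPV6"]
    if no_v6:
        findings.append("preprocessor objects not marked IPV6: " + ", ".join(no_v6))
    if info["pid"] is None:
        findings.append("never reached 'Commencing packet processing'")
    elif info["reload_pid"] is not None and info["reload_pid"] != info["pid"]:
        findings.append("reload-thread pid differs from packet-processing pid")
    return findings


if __name__ == "__main__":
    parsed = parse_snort_startup(SAMPLE_STARTUP)
    print(f"Snort {parsed['version']} build {parsed['build']} on {parsed['interface']}, "
          f"decoding {parsed['datalink']}, features {parsed['features']}")
    for note in check_startup(parsed) or ["no findings"]:
        print(" -", note)
```

Feed it `snort -T -c snort.conf` output (or the console log of a normal start) instead of the sample and diff the two parsed dictionaries before and after an upgrade; a preprocessor object that loses its IPV6 marker or a changed datalink line shows up as a finding rather than something to spot by eye.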
