[Snort-users] MySQL support for Snort 2.9.4

Russ Combs rcombs at ...1935...
Wed Dec 12 09:49:21 EST 2012


On Wed, Dec 12, 2012 at 9:32 AM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 12/11/2012 17:08, Kaya Saman wrote:
> > Starting Snort does give me a few warnings:
> >
> > Running in IDS mode
> >
> > --== Initializing Snort ==--
> > Initializing Output Plugins!
> [...]
> > pcap DAQ configured to passive.
> > Acquiring network traffic from "trunk0".
> > Reload thread starting...
> > Reload thread started, thread 0x205d9a600 (18685)
>
> pretty much ok to here...
>
> > Decoding Ethernet
>
> this bothers me... why? because it seems to indicate that only ethernet is
> being sniffed and not tcp/ip...
>

FYI - this is just an indication of the outermost layer decoder (the
datalink type obtained from the DAQ).  Snort can handle others, but
Ethernet will be the most common.

>
> >
> > --== Initialization Complete ==--
> >
> > ,,_ -*> Snort! <*-
> > o" )~ Version 2.9.3.1 IPv6 GRE (Build 40)
> > '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> > Copyright (C) 1998-2012 Sourcefire, Inc., et al.
> > Using libpcap version 1.3.0
> > Using PCRE version: 8.30 2012-02-04
> > Using ZLIB version: 1.2.3
> >
> > Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.16 <Build 18>
> > Preprocessor Object: SF_DNP3 (IPV6) Version 1.1 <Build 1>
> > Preprocessor Object: SF_MODBUS (IPV6) Version 1.1 <Build 1>
> > Preprocessor Object: SF_GTP (IPV6) Version 1.1 <Build 1>
> > Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
> > Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
> > Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
> > Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
> > Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
> > Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
> > Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
> > Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
> > Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
> > Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
> > Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
> > Commencing packet processing (pid=18685)
>
> something else that bothers me a bit is all the above indicating IPv6 and
> i'm sure you have IPv4 traffic... is it possible that your IPv4 traffic is
> not being looked at at all??
>
> > The -v option does show a lot of traffic going through.....
>
> what kind of traffic? IPv4 or IPv6 or both?
>
>
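Russ's point above is that "Decoding Ethernet" names only the outermost decoder (the link type the DAQ obtains), and whether a given packet is IPv4 or IPv6 is decided one layer further down, per frame. As an added illustration, not code from this thread or from Snort itself, the Python below reads the link type from a classic pcap global header and decodes constructed Ethernet frames (plain, 802.1Q-tagged, ARP) by EtherType; the pcap layout and EtherType values are the public standard ones, and the sample header and frames are constructed, not captured.

```python
import struct

# Standard pcap link-type and IEEE EtherType values (not Snort-specific names).
DLT_EN10MB = 1            # Ethernet: what Snort's "Decoding Ethernet" line reports
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
ETHERTYPE_VLAN, ETHERTYPE_IPV6 = 0x8100, 0x86DD   # 802.1Q tag, seen on a trunk

def pcap_linktype(global_header: bytes) -> int:
    """Link-layer type from a classic 24-byte pcap global header; this is the
    value the pcap DAQ hands Snort, which selects the outermost decoder from it."""
    if len(global_header) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", global_header[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap header")
    return struct.unpack(endian + "I", global_header[20:24])[0]

def decode_ethernet(frame: bytes) -> dict:
    """Strip the Ethernet header (plus one optional 802.1Q tag) and name the
    payload by EtherType; IPv4 vs IPv6 is decided here, per frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        offset, vlan = 18, tci & 0x0FFF
    names = {ETHERTYPE_IPV4: "IPv4", ETHERTYPE_IPV6: "IPv6", ETHERTYPE_ARP: "ARP"}
    proto = names.get(ethertype, "other(0x%04x)" % ethertype)
    return {"proto": proto, "vlan": vlan, "payload": frame[offset:]}

def summarize(frames):
    """Per-frame (protocol, VLAN id, payload length) tuples, as a sniffer might log."""
    return [(d["proto"], d["vlan"], len(d["payload"])) for d in map(decode_ethernet, frames)]

# Constructed sample input (not a real capture): a little-endian pcap header with
# link type 1, then an IPv4 frame, a VLAN 100 tagged IPv6 frame and an ARP frame.
MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
SAMPLE_PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
SAMPLE_FRAMES = [
    MACS + struct.pack("!H", ETHERTYPE_IPV4) + bytes([0x45]) + b"\x00" * 19,
    MACS + struct.pack("!HHH", ETHERTYPE_VLAN, 100, ETHERTYPE_IPV6) + bytes([0x60]) + b"\x00" * 39,
    MACS + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
]
```

Running `summarize(SAMPLE_FRAMES)` yields one IPv4, one IPv6 and one ARP entry under the same Ethernet link type, which is why the banner line says nothing about which IP version is being inspected.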