[Snort-users] Very Limited Logging

Joel Esler jesler at ...1935...
Wed Sep 26 16:05:00 EDT 2012


That signature is looking for UDP traffic, and small packets at that.

I'm betting you are running into a checksum problem.  Stop Snort, add "-k none" to the command line, and see if it picks up more.

Also, Snort needs to be listening to a span port or something on a switch, not just watching the port you are plugged into on the switch.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire



On Sep 26, 2012, at 2:55 PM, Brian Swan <steelysama at ...11827...> wrote:

> Hi all,
>    I am having a strange problem with Snort. I recently installed it along with Barnyard2 on a CentOS 6.3 64-bit machine. They both seemingly run fine, but it looks like Snort is not committing very much at all to the log files. All of the log files (I am using the unified2 type) are very small, some of them empty, and Barnyard is registering only a single signature repeatedly and at sparse intervals:
> 
> 09/26-07:34:15.475267  [**] [1:23493:1] BOTNET-CNC Trojan.ZeroAccess outbound communication  [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 77.8.197.82:57155 -> ***edited out***
> 
> The target IP is not from my machine, it is just on the same subnet.
> 
> I have tried adjusting all kinds of settings and nothing seems to make a difference. The logging remains extremely sparse and seems confined to only this one signature.
> 
> Snort v. 2.9.3.1
> Barnyard2 v. 2.1.9
> 
> I will post output that might help.
> 
> Thank you,
>    Steely
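The checksum problem Joel describes, worked through as an added example (not part of the original thread and not Snort's own code): Snort 2 verifies IP/TCP/UDP/ICMP checksums before detection and, by default, does not run detection on packets that fail, which is why sensors capturing their own host's traffic with TX checksum offload enabled, or a tap that mangles frames, see almost nothing. The script below builds a small IPv4/UDP datagram, verifies it the way an IDS would, and then models the policies Snort's -k switch selects (all, noip, noudp, none). The addresses, ports and payload are constructed; the "offload placeholder" written into the UDP checksum field is an assumption made for illustration (the real value a capture sees depends on the kernel and driver), but any wrong value produces the same failure.

```python
"""Why a bad-checksum packet never reaches Snort's rules, and what
"-k none" changes.  Added example; not Snort source.  All packets
below are constructed in code so the script runs offline."""
import struct

PROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's complement sum, folded back into 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Value a sender writes into an IP or UDP checksum field."""
    return (~ones_complement_sum(data)) & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def udp_pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    """Pseudo-header that the UDP checksum covers in addition to the datagram."""
    return src + dst + struct.pack("!BBH", 0, PROTO_UDP, udp_len)


def build_ipv4_udp(src, dst, sport, dport, payload, udp_cksum=None):
    """IPv4/UDP datagram.  udp_cksum=None computes the real checksum; an
    integer is written verbatim (0 means 'not checksummed', RFC 768)."""
    src_b, dst_b = ip_bytes(src), ip_bytes(dst)
    udp_len = 8 + len(payload)
    if udp_cksum is None:
        hdr_zero = struct.pack("!HHHH", sport, dport, udp_len, 0)
        # RFC 768: a computed checksum of 0 is transmitted as 0xFFFF
        udp_cksum = checksum(udp_pseudo_header(src_b, dst_b, udp_len)
                             + hdr_zero + payload) or 0xFFFF
    udp = struct.pack("!HHHH", sport, dport, udp_len, udp_cksum) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                      64, PROTO_UDP, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + udp


def ip_checksum_ok(pkt: bytes) -> bool:
    """A header carrying a correct checksum sums to 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF


def udp_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    udp = pkt[ihl:ihl + udp_len]
    if udp[6:8] == b"\x00\x00":
        return True  # sender opted out of checksumming; nothing to verify
    pseudo = udp_pseudo_header(pkt[12:16], pkt[16:20], udp_len)
    return ones_complement_sum(pseudo + udp) == 0xFFFF


def should_inspect(pkt: bytes, policy: str = "all") -> bool:
    """Model of Snort's -k policies for a UDP-only corpus: 'all' (default)
    verifies IP and UDP, 'noip'/'noudp' skip one layer, 'none' skips both.
    A packet that fails a verified layer is not handed to detection."""
    check_ip = policy in ("all", "noudp")
    check_udp = policy in ("all", "noip")
    return ((not check_ip or ip_checksum_ok(pkt))
            and (not check_udp or udp_checksum_ok(pkt)))


def simulate_tx_offload(pkt: bytes) -> bytes:
    """ASSUMPTION for illustration: when the NIC fills in the UDP checksum,
    a capture on the sending host sees the kernel's pseudo-header partial
    sum in the field rather than the final value.  Driver-specific in
    practice; any wrong value fails verification the same way."""
    ihl = (pkt[0] & 0x0F) * 4
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    partial = ones_complement_sum(udp_pseudo_header(pkt[12:16], pkt[16:20], udp_len))
    return pkt[:ihl + 6] + struct.pack("!H", partial) + pkt[ihl + 8:]


def inspected_count(packets, policy: str) -> int:
    """How many of the packets would reach the rule engine under a policy."""
    return sum(1 for p in packets if should_inspect(p, policy))


# Constructed sample traffic: one good datagram, the same datagram as a
# checksum-offload capture would show it, one legitimately unchecksummed
# datagram, and one whose payload was corrupted in transit.
GOOD = build_ipv4_udp("10.0.0.1", "10.0.0.2", 0x1000, 0x2000, b"hello!")
OFFLOADED = simulate_tx_offload(GOOD)
ZERO_CKSUM = build_ipv4_udp("10.0.0.1", "10.0.0.2", 0x1000, 0x2000, b"hello!", udp_cksum=0)
CORRUPTED = GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF])
SAMPLE = [GOOD, OFFLOADED, ZERO_CKSUM, CORRUPTED]

if __name__ == "__main__":
    for policy in ("all", "noip", "noudp", "none"):
        print("-k %-6s -> %d of %d packets reach detection"
              % (policy, inspected_count(SAMPLE, policy), len(SAMPLE)))
```

Before reaching for -k none on a real sensor, confirm the diagnosis: `tcpdump -i <iface> -vv -nn udp` prints "bad udp cksum" for the affected packets, and `ethtool -k <iface>` shows whether tx-checksumming is on for the capture interface. Disabling verification makes Snort inspect those packets, but it also makes it inspect genuinely corrupted ones, so the cleaner fix where possible is turning offload off on the capture NIC or, as Joel notes, feeding the sensor from a SPAN port rather than its own traffic.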
