[Snort-users] a few questions...

Russ Combs rcombs at ...1935...
Mon Jul 8 10:10:34 EDT 2013


On Fri, Jul 5, 2013 at 7:53 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 7/5/2013 18:35, Russ Combs wrote:
> > On Fri, Jul 5, 2013 at 5:56 PM, waldo kitty <wkitty42 at ...14940...>
> wrote:
> [trim]
> >     1. i do have 14 compiled so dynamic rules files in my lib directory. snort
> >     does recognize them and appears to load them as can be seen in the execution
> >     output attached below. the question is why does snort report "0 Dynamic
> >     rules" when it is initializing the rule chains? there /are/ 72 rule stubs
> >     in the so_rules directory and they were created from the compiled rules by
> >     snort's --dump-dynamic-rules option... did i miss a change in the
> >     so_rules/src/Makefile other than changing the SNORT_VERSION entry?
> >
> >
> > Those are dynamically activated rules as opposed to dynamically loaded rules.
> > Check here:
> >
> > http://manual.snort.org/node29.html#SECTION00421000000000000000
> > http://manual.snort.org/node29.html#SECTION00426000000000000000
>
> ahh! ok... perhaps that header can be changed to say "Dynamically Activated
> rules" to clarify this? it might also be a nice idea to place an additional
> category in the "XXX Snort rules read" section that states how many "Dynamically
> loaded rules" there are in that total of rules read (and processed)??
>
> >     2. when i terminate snort, the "Packet I/O Totals" count of processed
> >     doesn't make sense. it says 4054 received and analyzed but the "Breakdown by
> >     protocol" says there were 4057. where did the extra three packets come from?
> >     it also reports 125 "Other" packets. how can i find out what they are or were?
> >
> > They are certain rebuilt packets counted here:
> >
> >       S5 G 2:            3 (  0.074%)
>
> ya know? i don't recall if i even saw that entry... sometimes it is kind of
> hard to break out the counts properly... one would normally think that they can
> add up that whole column to come up with the same total but that's definitely
> not the proper thing to do...
>
> can you provide a hint on what is considered as "Other" packets that my short
> run turned up? 125 of them makes me curious as to what is going on on that box
> that i'm not aware of ;)
>

They are cases where the decoding stopped due to an unsupported protocol,
e.g. an ethertype for which there is no decoder.  It could also be that
available decoders weren't built (./configure --enable-non-ether-decoders
may help here).

>
> > Check here:
> >
> > http://manual.snort.org/node9.html#SECTION00273000000000000000
> >
> > I guess that should also state that packets flushed at shutdown are counted
> > there as well.
>
> that would be a good idea, as well ;)
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
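To make the reconciliation discussed above concrete, here is an added example (not from this thread or from the Snort project) that parses a constructed Snort 2.9-style shutdown summary and checks that "Analyzed" plus the stream5 rebuilt counters ("S5 G ...") accounts for the breakdown "Total", reporting the "Other" count separately. The sample layout and every counter name other than "S5 G 2" and "Other" are assumptions.

```python
import re

# Constructed sample in the style of a Snort 2.9 shutdown summary (assumed layout;
# only the 4054/4057, 125 "Other" and "S5 G 2: 3" figures echo the thread).
SAMPLE_STATS = """\
Packet I/O Totals:
   Received:         4054
   Analyzed:         4054 (100.000%)
    Dropped:            0 (  0.000%)
Breakdown by protocol (includes rebuilt packets):
        Eth:         4057 (100.000%)
        IP4:         3929 ( 96.845%)
        TCP:         3710 ( 91.447%)
        UDP:          219 (  5.398%)
      Other:          125 (  3.081%)
      Total:         4057
     S5 G 2:            3 (  0.074%)
"""

# "Name:   count (  pct%)" with the percentage optional (Received and Total lack it)
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9 ]+?):\s+(?P<count>\d+)(?:\s+\(\s*[\d.]+%\))?\s*$")


def parse_sections(text):
    """Return {section title: {counter name: int}} for each titled block."""
    sections, current = {}, None
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m["name"]] = int(m["count"])
        elif line.endswith(":"):  # a section title such as "Packet I/O Totals:"
            current = line[:-1].strip()
            sections[current] = {}
    return sections


def reconcile(text):
    """Check that Analyzed + rebuilt (S5 G *) packets account for the breakdown Total."""
    sections = parse_sections(text)
    io = sections["Packet I/O Totals"]
    proto = sections["Breakdown by protocol (includes rebuilt packets)"]
    # stream5 rebuilt packets appear only in the breakdown, never in Packet I/O Totals
    rebuilt = sum(v for k, v in proto.items() if k.startswith("S5 G"))
    return {
        "analyzed": io["Analyzed"],
        "rebuilt": rebuilt,
        "breakdown_total": proto["Total"],
        "consistent": io["Analyzed"] + rebuilt == proto["Total"],
        "other": proto.get("Other", 0),  # packets whose decoding stopped early
    }
```

A mismatch in "consistent" points at counters the script does not know about, which is the cue to read the manual section Russ links rather than to sum the column by hand.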