[Snort-users] Snort only partially alerting

Joel Esler jesler at ...1935...
Fri Jun 21 16:40:42 EDT 2013


On Jun 21, 2013, at 4:08 PM, Frank Calone <fc10011001 at ...11827...> wrote:

> I have already tried running Snort using the "-k none" option as was recommended earlier this week. I still got no alerts. I tried testing an exe download and had Snort in full packet capture mode. I looked at the packets after doing a -dvr just for my PC and there simply is little there that looks at all like what the TCPDUMP process captured (virtually no payloads like you see in the pcap file). Would the checksum problem explain all the discards you noted? The "bad chk sum" from the statistics showed just 326 events for .025%. That number to me looks very small then as it is not even 1%. If you want me to rerun with -k none option again, I will do that. Should I do any kind of other logging at the same time or use other options to help diagnose?

Turn off all rules except the file-identify category, run with the configuration file that I pointed to in my previous email.  Add `-k none`.  

Run with -b in the command line (to output to pcap file), see what you get from there.

Sounds like something isn't right somewhere.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire