[Snort-users] BASE 100% TCP ?

Joao Daniel Neves joaodanielnevesss at ...125...
Wed Mar 13 13:57:43 EDT 2013


I have decided to "goback" a few steps. I ran:

/usr/local/bin/snort -D -i eth1 -h -u snort -g snort -l /tmp/log/log.log -c /etc/snort/snort.conf


tail -f /tmp/log/log.log

I did not saw anything. (And I did not got any UDP traffic on BASE GUI)

But if I ran: /usr/local/bin/snort -i eth1 -h -u snort -g snort -l /tmp/log/log.log -c /etc/snort/snort.conf (without -D (daemon option). 

I got this output (snip to smooth):

Snort processed 43744 packets.
   Pkts/min:        43744
   Pkts/sec:          672
S5: Pruned session from cache that was using 1137906 bytes (purge whole cache).
Packet I/O Totals:
   Received:        43744
   Analyzed:        43744 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
Breakdown by protocol (includes rebuilt packets):
        Eth:        43804 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:        43739 ( 99.852%)
       Frag:            0 (  0.000%)
       ICMP:         2516 (  5.744%)
        UDP:        17126 ( 39.097%)
        TCP:        23695 ( 54.093%)
        IP6:            0 (  0.000%)
Action Stats:
     Alerts:            10
     Logged:           10
     Passed:            0


    Acording with it I have UDP traffic.    If I run a port scan against Snort, Snort detects it as you can see ( Alerts: 10 )    As far as I know I'm not using BPF
I really don't know what is happening. 

Additional info: tcpdump -i eth0 -nn udp show a lot of packages.

Sorry I did not understood it "If you run a tcpdump across the interface, does it look 'firehose-y' to 
you? If you pull that output into Wireshark, how does it look?"

Subject: Re: [Snort-users] BASE 100% TCP ?
From: mike at ...16027...
Date: Tue, 12 Mar 2013 12:47:28 -0600
CC: snort-users at lists.sourceforge.net
To: joaodanielnevesss at ...125...

I've seen similar behavior when using a spanport on a core switch that wasn't properly configured and/or the interface isn't in promiscuous mode. 
If you run a tcpdump across the interface, does it look 'firehose-y' to you? If you pull that output into Wireshark, how does it look?

On Mar 12, 2013, at 6:59 AM, Joao Daniel Neves <joaodanielnevesss at ...125...> wrote:Snort Enthusiasts,

I have deployed a Snort with BASE as a GUI. I have attached the BASE Main screen on this e-mail. If you cant see this jpg I have also upload to this site http://servicos.cafecomchips.com.br/Novo/Upload/Exibir_Foto.php?foto=b34243fef3.png

My doubt is  about something in base main screen. As you can see all my traffic is TCP, I haven't any alerts for port scanner. Or even I don't have any UDP traffic what is very stranger since there are DNS query going out the interface that snort is listenning.

What can explaint it?

Further more I have ran port scanner against this snort and it seems that it did not catch it*

*This snort was deployed on a Firewall machine and I ran the port scanner in the same interface that snort is listenning, from a outside machine.

Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130313/62376ac1/attachment.html>

More information about the Snort-users mailing list