[Snort-users] why UDP disc acquire?

Andrey Kiryukhin andrei_1980 at ...1975...
Fri Jun 24 11:28:38 EDT 2016


Hmm, strange. I attached the pcap to the first message. OK, reattaching it to this message.

On 24.06.2016 18:22, Al Lewis (allewi) wrote:
> Hello,
>
> Can you provide us with the pcap or a sample of it?
>
>
> Albert Lewis
>
> QA SNORT/Sourcefire
>
> SOURCEfire, Inc. now part of Cisco
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...589...
>
>
>
> From: Andrei_1980 <andrei_1980 at ...1975...>
> Date: Friday, June 24, 2016 at 11:06 AM
> To: 'snort-users' <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] why UDP disc acquire?
>
> Hi all. I use Snort 2.9.8.2. I have a pcap file for an old attack (see
> attachment). It contains only UDP packets.
> I wrote a test rule:
>
> alert udp any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype:
> attempted-dos; sid:1000001; rev:1;)
>
> and run snort:
>
> snort  -c ./etc/snort.conf -A console -K none  -k none  -r
> ./pcaps/DOS_Nbisakmp.pcap
>
> and get no alerts. In the output stats I have:
>
> ...........
> Packet I/O Totals:
>    Received:          100
>    Analyzed:          100 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
> .....................
>
> Breakdown by protocol (includes rebuilt packets):
>         Eth:          100 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:          100 (100.000%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:          100 (100.000%)
> ...................
>    UDP Disc:          100 (100.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:          100 (100.000%)
>
> (full output and snort.conf see in attach)
>
>
> If I change the rule (udp to ip):
>
> alert ip any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype:
> attempted-dos; sid:1000001; rev:1;)
>
> all packets generate alerts.
>
>
> So, why are the UDP packets in the sample pcap discarded if I use the udp
> protocol in the alert?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: DOS_Nbisakmp.pcap
Type: application/vnd.tcpdump.pcap
Size: 85824 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160624/98f5fda0/attachment.pcap>
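Added example, not from the thread and not Snort's own code: a small Python script that reads a pcap and applies the header checks Snort 2.9's UDP decoder performs before a `udp` rule is ever consulted. The decoder counts a datagram under "UDP Disc" when the UDP length field is smaller than 8 or larger than the IP payload that actually carries it, and, unless checksum verification is disabled with `-k none`/`-k noudp` (or `config checksum_mode`), when the UDP checksum fails; an `ip` rule is matched at the IP layer and is not affected by these UDP-level rejections. The pcap embedded below is constructed in memory for the example (zero-filled payloads, made-up addresses) and is not the DOS_Nbisakmp.pcap attachment; point `summarize()` at the real file's bytes to see which condition its 100 packets hit.

```python
# Added example (not part of the thread or of Snort): replay, in Python, the
# header checks Snort 2.9's UDP decoder applies before a `udp` rule can match.
import struct
from typing import Dict, Iterator, List, Optional

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def classify_udp(ip_pkt: bytes, verify_checksum: bool = True) -> str:
    """Classify one IPv4 packet; verify_checksum=False mirrors `-k none`/`-k noudp`."""
    if len(ip_pkt) < 20 or ip_pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (ip_pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_pkt[2:4])[0]
    if ip_pkt[9] != UDP_PROTO:
        return "not-udp"
    src, dst = ip_pkt[12:16], ip_pkt[16:20]
    payload = ip_pkt[ihl:total_len]          # Ethernet trailer padding excluded
    if len(payload) < 8:
        return "udp-header-truncated"
    uh_len = struct.unpack("!H", payload[4:6])[0]
    if uh_len < 8:
        return "udp-length-lt-8"              # decoder: length field < 8 -> UDP Disc
    if uh_len > len(payload):
        return "udp-length-gt-payload"        # decoder: short UDP packet -> UDP Disc
    dgram = payload[:uh_len]                  # bytes beyond uh_len are not part of the datagram
    csum = struct.unpack("!H", dgram[6:8])[0]
    if verify_checksum and csum != 0:         # 0 means "no checksum" for UDP over IPv4
        pseudo = src + dst + b"\x00" + bytes([UDP_PROTO]) + struct.pack("!H", uh_len)
        if ones_complement_sum(pseudo + dgram) != 0xFFFF:
            return "udp-bad-checksum"         # rejected only when checksum_mode covers UDP
    return "ok"


def iter_pcap(data: bytes) -> Iterator[bytes]:
    """Yield raw frames from a classic (non-pcapng) Ethernet pcap held in memory."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def summarize(pcap_bytes: bytes, verify_checksum: bool = True) -> Dict[str, int]:
    """Count frames per verdict, the way Snort's per-protocol breakdown does."""
    counts: Dict[str, int] = {}
    for frame in iter_pcap(pcap_bytes):
        ok_eth = len(frame) >= 14 and frame[12:14] == b"\x08\x00"
        verdict = classify_udp(frame[14:], verify_checksum) if ok_eth else "not-ipv4"
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# --- constructed test traffic (hypothetical hosts, zero-filled payload) -----------
def build_ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes,
                   uh_len: Optional[int] = None, corrupt_checksum: bool = False) -> bytes:
    if uh_len is None:
        uh_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, uh_len, 0) + payload
    pseudo = src + dst + b"\x00" + bytes([UDP_PROTO]) + struct.pack("!H", uh_len)
    good = internet_checksum(pseudo + udp) or 0xFFFF
    csum = (((good + 1) & 0xFFFF) or 1) if corrupt_checksum else good
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, UDP_PROTO, 0, src, dst)
    return ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:] + udp


def build_pcap(frames: List[bytes]) -> bytes:
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1466776000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PAYLOAD = b"\x00" * 28   # stand-in for a 28-byte ISAKMP header, not real ISAKMP content
SAMPLE_PCAP = build_pcap([
    ETH + build_ipv4_udp(SRC, DST, 500, 500, PAYLOAD),                    # well-formed
    ETH + build_ipv4_udp(SRC, DST, 500, 500, PAYLOAD, uh_len=4),          # length field < 8
    ETH + build_ipv4_udp(SRC, DST, 500, 500, PAYLOAD, uh_len=200),        # length > IP payload
    ETH + build_ipv4_udp(SRC, DST, 500, 500, PAYLOAD, corrupt_checksum=True),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print("checksums verified:", summarize(data))
    print("checksums ignored (-k none):", summarize(data, verify_checksum=False))
```

Run it with the path to a capture as the only argument to classify that file; with no argument it classifies the constructed sample. Comparing the two summaries tells you whether `-k none` would rescue a capture: a bad checksum goes away with verification off, while a bad UDP length field does not, and the latter is the only one of these conditions that still discards packets when `-k none` is on the command line as in the original post.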
