No subject


Thu Nov 23 16:36:19 EST 2017


of packets?
Is the traffic volume very high?

or is it something that I've overlooked.

thanks
ashley



On Thu, 10 Jan 2002, Matt Jonkman wrote:

> We're working on our own homegrown snort back-end and want to really
> concentrate on having detailed live and trending stats for each sensor.
>
> Is there a way to get the stats that snort dumps when you ^C a non-daemon
> instance when you are running as a daemon? If not is there another source of
> the running stats we can grab and trend?
>
> Thanks
>
> Matt
>
>
>
>
> I.E these stats:
>
>
> ===============================================================================
> Snort analyzed 4444 out of 6034 packets, dropping 1590(26.351%) packets
>
> Breakdown by protocol:                Action Stats:
>     TCP: 2494       (41.332%)         ALERTS: 0
>     UDP: 108        (1.790%)          LOGGED: 0
>    ICMP: 0          (0.000%)          PASSED: 0
>     ARP: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 102        (1.690%)
> DISCARD: 0          (0.000%)
>
> ===============================================================================
> Fragmentation Stats:
> Fragmented IP Packets: 0          (0.000%)
>     Fragment Trackers: 0
>    Rebuilt IP Packets: 0
>    Frag elements used: 0
> Discarded(incomplete): 0
>    Discarded(timeout): 0
>   Frag2 memory faults: 0
>
> ===============================================================================
> TCP Stream Reassembly Stats:
>         TCP Packets Used: 0          (0.000%)
>          Stream Trackers: 0
>           Stream flushes: 0
>            Segments used: 0
>    Stream4 Memory Faults: 0
>
> ===============================================================================
> Snort received signal 2, exiting
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
>

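As an added example (not code from the thread or from the Snort project), a small Python parser for the stats block quoted above, so that a back-end can record each sensor's drop rate and trend it; the sample text is constructed from the numbers in the quoted dump, and the 5% alert threshold is an assumed value.

```python
import re

# Constructed sample: the summary block Snort prints on ^C, in the shape
# shown in the quoted mail (the numbers are the mail's own).
SAMPLE_STATS = """\
Snort analyzed 4444 out of 6034 packets, dropping 1590(26.351%) packets

Breakdown by protocol:                Action Stats:
    TCP: 2494       (41.332%)         ALERTS: 0
    UDP: 108        (1.790%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 102        (1.690%)
DISCARD: 0          (0.000%)
"""

SUMMARY_RE = re.compile(
    r"Snort analyzed (\d+) out of (\d+) packets, dropping (\d+)\(([\d.]+)%\)")
PROTO_RE = re.compile(
    r"^\s*(TCP|UDP|ICMP|ARP|IPv6|IPX|OTHER|DISCARD): (\d+)", re.M)
ACTION_RE = re.compile(r"(ALERTS|LOGGED|PASSED): (\d+)")


def parse_stats(text):
    """Return the counters from one Snort stats dump as a dict."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no Snort summary line found")
    stats = {
        "analyzed": int(m.group(1)),
        "received": int(m.group(2)),
        "dropped": int(m.group(3)),
        "drop_pct_reported": float(m.group(4)),
    }
    stats["protocols"] = {p: int(n) for p, n in PROTO_RE.findall(text)}
    stats["actions"] = {a: int(n) for a, n in ACTION_RE.findall(text)}
    return stats


def drop_rate(stats):
    """Drop percentage recomputed from the raw counts (0.0 if nothing seen)."""
    if stats["received"] == 0:
        return 0.0
    return 100.0 * stats["dropped"] / stats["received"]


def drop_alert(stats, threshold_pct=5.0):
    """True when the sensor drops more than threshold_pct of what it received;
    a sensor dropping a quarter of its packets is blind to that traffic."""
    return drop_rate(stats) > threshold_pct
```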


--__--__--

Message: 13
Date: Thu, 10 Jan 2002 16:53:42 -0500
From: Martin Roesch <roesch at ...1935...>
To: Russell Fulton <R.FULTON at ...3809...>
CC: snort-users at lists.sourceforge.net 
Subject: Re: [Snort-users] Re: Garbage in snort logs

The stream_size calculation in stream4 is what's causing the problem,
I'm working on it as we speak.  I'll be checking in a new build in a
bit, I'll let you guys know when it's ready.

     -Marty

Russell Fulton wrote:
> 
> > From: Andreas Östling <andreaso at ...236...>
> > Hello,
> >
> > I experience the same problems as Russell from time to time.
> > I was running 1.8.3 (release version), but unfortunately build 89 did not
> > solve all problems. The ethernet headers now seem to be correct, but the
> > payload is still messed up.
> >
> [ snip ]
> 
> > This is just a test machine so I'll try to experiment a bit. Any clever
> > suggestions about what may be worth trying?
> > To me it seems like it's always those unicode requests that mess things up.
> > Could there also be some problem with http_decode?
> 
> Agreed.
> 
> >
> > (did build 89 solve your problems, Russell?)
> 
> no, my experience mirrors yours.  I'm pleased I'm no longer alone; I was
> starting to think I must have been imagining these problems ;-)
> 
> Here is some mail I sent to Marty this morning which has some other
> ideas on this problem...
> 
> Hi Marty,
>         I have just been corresponding with Brennan Bakke <bbakke at ...4534...>
> who reported finding bits of snort rules in logged ICMP packets (on the
> security focus incidents list).  I told him about the build 89 fixes and
> suggested that these might fix his problems.  Someone else pointed out
> (quite rightly) that the ICMP packets should not go anywhere near the
> stream4 preprocessor!
> 
> So I wonder if there is a bug somewhere much lower down in the stack
> which is mangling some length and causing both these problems.
> 
> In my case turning off the stream4 stuff makes these alerts go away
> but that does *not* necessarily imply that it is the stream4 stuff that
> is causing the problem in the first place.
> 
> Cheers, Russell.
> 
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org 



--__--__--



End of Snort-users Digest




