[Snort-users] behavior file vs. device capturing

Felix Erlacher felix.erlacher at uibk.ac.at
Mon Nov 27 11:58:07 EST 2017


Dear all,

while I was trying to further investigate an alert, I stumbled upon a
strange behavior that I was able to reproduce the following way:
If I send an HTTP request to a local HTTP server and have snort listen
on the NIC, everything behaves as I would expect it to do.
Now if I make snort read the pcapng file that I captured (with
Wireshark) during this attempt, the TCP stream preprocessor behaves
differently, triggering 3 timeouts and discarding one packet (which
finally leads to snort not triggering the alert contained in the HTTP
request).

What makes snort behave differently when configured to read from file
compared to the configuration when reading from a NIC interface?

Below you find the stream statistics for both runs.
I use snort 2.9.11 with daq 2.0.6 compiled from source on Debian 8
(kernel 3.16). The snort.conf is the original one from the tarball.

-----------------------------
sudo snort -c /etc/snort.conf -k none -i wlan0:
-----------------------------
Stream statistics:
            Total sessions: 1
              TCP sessions: 1
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
              TCP Timeouts: 0
       TCP Segments Queued: 2
     TCP Segments Released: 2
       TCP Rebuilt Packets: 2
         TCP Segments Used: 2
              TCP Discards: 0
           TCP Port Filter
                   Tracked: 10

-----------------------------
sudo snort -c /etc/snort.conf -k none -r ~/justCaptured.pcapng:
-----------------------------
Stream statistics:
            Total sessions: 1
              TCP sessions: 1
TCP StreamTrackers Created: 2
TCP StreamTrackers Deleted: 2
              TCP Timeouts: 3
       TCP Segments Queued: 0
     TCP Segments Released: 0
       TCP Rebuilt Packets: 0
         TCP Segments Used: 0
              TCP Discards: 1
           TCP Port Filter
                   Tracked: 10

Thanks and regards

Felix
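As an added diagnostic (example code, not from the post above or from the Snort project): before comparing Stream statistics between a live run and a file run, it is worth checking the capture file itself for the conditions Stream reacts to, namely gaps between packets of one session longer than the configured session timeout, sessions whose first packet in the file is not a SYN (Stream then picks the session up mid-stream), and TCP checksum failures (which `-k none` makes Snort ignore, but which are cheap to count). The script reads a classic little-endian pcap with Ethernet frames, so a pcapng as saved by Wireshark would first be converted (for example `editcap -F pcap in.pcapng out.pcap`). It assumes a 180 s timeout to match the `timeout 180` on the stream5_tcp line of the stock snort.conf (Snort's built-in default is 30 s; check your own configuration). The embedded capture, addresses and timestamps are constructed for the example.

```python
"""Added diagnostic for a capture that Snort's Stream preprocessor times out on.

Assumptions (not from the mailing-list post): classic little-endian pcap with
Ethernet frames, and a 180 s session timeout matching the stock snort.conf's
stream5_tcp "timeout 180" (Snort's own default is 30 s).  The capture built by
sample_capture() is constructed for this example.
"""
import struct

TCP_TIMEOUT = 180.0            # assumed stream5_tcp timeout; adjust to your snort.conf
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _checksum(data):
    """RFC 1071 one's-complement sum; returns 0 for a segment carrying a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_frame(src, dst, sport, dport, seq, ack, flags, payload=b"", corrupt=False):
    """Ethernet/IPv4/TCP frame with valid checksums (corrupt=True breaks the TCP one)."""
    src_b, dst_b = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    csum = _checksum(src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    if corrupt:
        csum = (csum + 1) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def pcap_bytes(records):
    """Classic little-endian pcap: global header, then (sec, usec, caplen, len) records."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (timestamp, frame) from a classic pcap; rejects pcapng and non-Ethernet files."""
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (convert pcapng first)")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + caplen]
        off += caplen


def _endpoint(ip_bytes, port):
    return "%d.%d.%d.%d:%d" % (*ip_bytes, port)


def analyze(data, timeout=TCP_TIMEOUT):
    """Per TCP flow: packet count, whether a SYN was seen, inter-packet gaps longer
    than timeout, and TCP checksum failures (Snort ignores those under -k none)."""
    flows = {}
    for ts, frame in parse_pcap(data):
        if frame[12:14] != b"\x08\x00":                 # IPv4 only
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if proto != 6:                                  # TCP only
            continue
        src, dst = ip[12:16], ip[16:20]
        tcp = ip[ihl:struct.unpack_from("!H", ip, 2)[0]]   # drop Ethernet padding
        sport, dport, flags = tcp[0] << 8 | tcp[1], tcp[2] << 8 | tcp[3], tcp[13]
        key = tuple(sorted((_endpoint(src, sport), _endpoint(dst, dport))))
        f = flows.setdefault(key, {"packets": 0, "syn_seen": False, "gaps": [],
                                   "bad_checksums": 0, "last_ts": None})
        if f["last_ts"] is not None and ts - f["last_ts"] > timeout:
            f["gaps"].append(round(ts - f["last_ts"], 6))
        f["last_ts"] = ts
        f["packets"] += 1
        f["syn_seen"] = f["syn_seen"] or bool(flags & 0x02)
        if _checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp):
            f["bad_checksums"] += 1
    return flows


def sample_capture():
    """Constructed capture: handshake + HTTP request at t=0, the response only 200 s
    later, plus a second flow whose SYN is missing and whose first segment is corrupt."""
    c, s, t = "10.0.0.1", "10.0.0.2", 1511800000.0
    syn, synack, ack, pshack, finack = 0x02, 0x12, 0x10, 0x18, 0x11
    req = b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.2\r\n\r\n"
    rsp = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    records = [
        (t + 0.000, build_frame(c, s, 40000, 80, 1000, 0, syn)),
        (t + 0.001, build_frame(s, c, 80, 40000, 5000, 1001, synack)),
        (t + 0.002, build_frame(c, s, 40000, 80, 1001, 5001, ack)),
        (t + 0.003, build_frame(c, s, 40000, 80, 1001, 5001, pshack, req)),
        (t + 200.0, build_frame(s, c, 80, 40000, 5001, 1001 + len(req), pshack, rsp)),
        (t + 200.1, build_frame(c, s, 40000, 80, 1001 + len(req), 5001 + len(rsp), finack)),
        (t + 0.5, build_frame(c, s, 40001, 80, 7000, 9000, pshack, req, corrupt=True)),
        (t + 0.6, build_frame(s, c, 80, 40001, 9000, 7000 + len(req), pshack, rsp)),
    ]
    return pcap_bytes(sorted(records))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for key, f in analyze(data).items():
        print("%s <-> %s: %d pkts, syn_seen=%s, gaps>%.0fs=%s, bad_checksums=%d" % (
            key[0], key[1], f["packets"], f["syn_seen"], TCP_TIMEOUT, f["gaps"], f["bad_checksums"]))
```

Run it with the converted capture as the only argument; without an argument it analyses the constructed sample, where the first flow reports one gap of about 200 s and the second flow reports no SYN and one checksum failure. A flow with gaps above the timeout, or one that starts without a SYN, is a candidate for the timeouts and the discarded packet in the file run; a flow with bad checksums only matters if Snort is run without `-k none`.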

