[Snort-users] behavior file vs. device capturing

Russ rucombs at cisco.com
Thu Nov 30 07:11:43 EST 2017


What are your command lines for inline and readback?

Are the stream stats the only differences?

On 11/30/17 5:28 AM, Felix Erlacher wrote:
> No hints?
>
> Now I tried to replay the trace over the network and capture it with
> snort (via the NIC) again, hoping it would show the same behavior as if
> I captured it directly. It does not.
> But the notable thing is, when replayed and captured via the NIC it does
> show the alert from the HTTP request (as it is supposed to). If it reads
> directly from the file, no alert is shown.
>
> Why is there a difference? The packets are exactly the same.
>
> I attached the network trace if anyone is interested.
>
> regards
>
> Felix
>
> On 27/11/17 17:58, Erlacher, Felix wrote:
>> Dear all,
>>
>> while I was trying to further investigate an alert, I stumbled upon a
>> strange behavior that I was able to reproduce the following way:
>> If I send an HTTP request to a local HTTP server and have snort listen
>> on the NIC, everything behaves as I would expect it to do.
>> Now if I make snort read the pcapng file that I captured (with
>> wireshark) during this attempt, the TCP stream preprocessor behaves
>> differently, triggering 3 timeouts and discarding one packet (which
>> finally leads to snort not triggering the alert contained in the HTTP
>> request).
>>
>> What makes snort behave differently when configured to read from file
>> compared to the configuration when reading from a NIC interface?
>>
>> Below you find the stream statistics for both runs.
>> I use snort 2.9.11 with daq 2.0.6 compiled from source on Debian 8
>> (kernel 3.16). The snort.conf is the original one from the tarball.
>>
>> -----------------------------
>> sudo snort -c /etc/snort.conf -k none -i wlan0:
>> -----------------------------
>> Stream statistics:
>>              Total sessions: 1
>>                TCP sessions: 1
>> TCP StreamTrackers Created: 1
>> TCP StreamTrackers Deleted: 1
>>                TCP Timeouts: 0
>>         TCP Segments Queued: 2
>>       TCP Segments Released: 2
>>         TCP Rebuilt Packets: 2
>>           TCP Segments Used: 2
>>                TCP Discards: 0
>>             TCP Port Filter
>>                     Tracked: 10
>>
>> -----------------------------
>> sudo snort -c /etc/snort.conf -k none -r ~/justCaptured.pcapng:
>> -----------------------------
>> Stream statistics:
>>              Total sessions: 1
>>                TCP sessions: 1
>>
>> TCP StreamTrackers Created: 2
>> TCP StreamTrackers Deleted: 2
>>                TCP Timeouts: 3
>>         TCP Segments Queued: 0
>>       TCP Segments Released: 0
>>         TCP Rebuilt Packets: 0
>>           TCP Segments Used: 0
>>                TCP Discards: 1
>>             TCP Port Filter
>>                     Tracked: 10
>>
>> Thanks and regards
>>
>> Felix
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.snort.org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
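Russ asks whether the stream stats are the only difference between the two runs. As an added example (not code from the thread or from Snort), the script below parses the two "Stream statistics" blocks quoted above, exactly as Snort 2.9 prints them, and lists every counter that changed between the live capture and the pcapng readback; the sample text is the thread's own output with the mail quoting stripped.

```python
import re

# Constructed sample input: the two Snort 2.9 "Stream statistics" blocks from the thread (live on wlan0 vs. pcapng readback), mail quoting stripped.
LIVE_STATS = """Stream statistics:
             Total sessions: 1
               TCP sessions: 1
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
               TCP Timeouts: 0
        TCP Segments Queued: 2
      TCP Segments Released: 2
        TCP Rebuilt Packets: 2
          TCP Segments Used: 2
               TCP Discards: 0
            TCP Port Filter
                    Tracked: 10
"""
READBACK_STATS = """Stream statistics:
             Total sessions: 1
               TCP sessions: 1

TCP StreamTrackers Created: 2
TCP StreamTrackers Deleted: 2
               TCP Timeouts: 3
        TCP Segments Queued: 0
      TCP Segments Released: 0
        TCP Rebuilt Packets: 0
          TCP Segments Used: 0
               TCP Discards: 1
            TCP Port Filter
                    Tracked: 10
"""
def parse_stream_stats(text):
    """Counter -> int value; a value-less header line (e.g. 'TCP Port Filter') is prefixed onto the indented counters that follow it."""
    stats, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.endswith("statistics:"):
            continue  # skip blank lines and the block title
        m = re.match(r"^(.+?):\s*(\d+)$", line)
        if m:
            key = m.group(1).strip()
            stats[f"{section} / {key}" if section else key] = int(m.group(2))
        else:
            section = line  # a header with no value starts a sub-section
    return stats
def diff_stats(a, b):
    """Counters whose values differ between two runs -> {name: (a_val, b_val)}; a counter missing on one side shows as None."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
if __name__ == "__main__":
    print(diff_stats(parse_stream_stats(LIVE_STATS), parse_stream_stats(READBACK_STATS)))
```

Feeding it Felix's two blocks reports eight changed counters (trackers, timeouts, the four segment counters and discards) while the session counts and the port filter stay equal.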
