[Snort-users] file_inspect holds blocked files into its memory until snort stops

Berkay Koyutürk berkay.koyuturk at labrisnetworks.com
Wed Sep 27 07:56:23 EDT 2017


I've attached passive and inline shutdown counts.


On 27-09-2017 14:31, Russ via Snort-users wrote:
> It would help if you sent all the shutdown counts for your NFQ passive 
> and inline tests.
>
> On 9/27/17 3:49 AM, Berkay Koyutürk wrote:
>>
>> Hello Al,
>>
>> Afpacket worked as intended. I tried to download 10 files (the same 7-byte 
>> file which I used for nfq) and it blocked all of them, as the exit 
>> stats below show:
>>
>> Total files processed:             10
>> Total files data processed:        70        bytes
>> Total files buffered:              10
>> Total files released:              10
>> Total files freed:                 0
>> Total files captured:              10
>> Total files within one packet:     10
>> Total buffers allocated:           10
>> Total buffers freed:               0
>> Total buffers released:            10
>> Maximum file buffers used:         1
>> Total buffers free errors:         0
>> Total buffers release errors:      0
>> Total memcap failures:             0
>> Total memcap failures at reserve:  0
>> Total reserve failures:            0
>> Total file capture size min:       0
>> Total file capture size max:       0
>> Total capture max before reserve:  0
>> Total file signature max:          0
>> Maximum buffers can allocate:      15994
>> Number of buffers in use:          0
>> Number of buffers in free list:    15984
>> Number of buffers in release list: 10
>> =============================
>>
>>
>> But afpacket is not the topology I want to use snort for. So it 
>> looks like nfq is my main problem again. Why is nfq not working as I 
>> intended?
>>
>>
>> On 25-09-2017 13:18, Al Lewis (allewi) wrote:
>>> Hello,
>>>
>>> As a test do you see the same results when you run snort inline with 
>>> afpacket?
>>>
>>>
>>> Albert Lewis
>>>
>>> ENGINEER.SOFTWARE ENGINEERING
>>>
>>> SOURCEfire, Inc. now part of Cisco
>>>
>>> Email: allewi at cisco.com
>>>
>>>
>>> From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Berkay Koyutürk <berkay.koyuturk at labrisnetworks.com>
>>> Date: Monday, September 25, 2017 at 6:14 AM
>>> To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
>>> Subject: Re: [Snort-users] file_inspect holds blocked files into its memory until snort stops
>>>
>>> Hello again,
>>>
>>> An update to my question. I think the problem is the network packets or 
>>> the other preprocessors handling them. When I run snort in passive 
>>> mode it catches all of my blacklisted files; as seen below, I have 
>>> downloaded 50 files with the size of 7 bytes and snort caught 50 of 
>>> them:
>>>
>>> Total files processed:             50
>>> Total files data processed:        350 bytes
>>> Total files buffered:              50
>>> Total files released:              50
>>> Total files freed:                 0
>>> Total files captured:              50
>>> Total files within one packet:     50
>>> Total buffers allocated:           50
>>> Total buffers freed:               0
>>> Total buffers released:            50
>>> Maximum file buffers used:         1
>>> Total buffers free errors:         0
>>> Total buffers release errors:      0
>>> Total memcap failures:             0
>>> Total memcap failures at reserve:  0
>>> Total reserve failures:            0
>>> Total file capture size min:       0
>>> Total file capture size max:       0
>>> Total capture max before reserve:  0
>>> Total file signature max:          0
>>> Maximum buffers can allocate:      15994
>>> Number of buffers in use:          0
>>> Number of buffers in free list:    15944
>>> Number of buffers in release list: 50
>>>
>>> But when I switch from passive to inline daq nfq, that inconsistency 
>>> starts again. Here is the result for the same 50 files I tried to 
>>> download when snort is in inline mode:
>>> Total files processed:             50
>>> Total files data processed:        350 bytes
>>> Total files buffered:              50
>>> Total files released:              2
>>> Total files freed:                 48
>>> Total files captured:              2
>>> Total files within one packet:     2
>>> Total buffers allocated:           50
>>> Total buffers freed:               48
>>> Total buffers released:            2
>>> Maximum file buffers used:         1
>>> Total buffers free errors:         0
>>> Total buffers release errors:      0
>>> Total memcap failures:             0
>>> Total memcap failures at reserve:  0
>>> Total reserve failures:            0
>>> Total file capture size min:       0
>>> Total file capture size max:       0
>>> Total capture max before reserve:  0
>>> Total file signature max:          0
>>> Maximum buffers can allocate:      15994
>>> Number of buffers in use:          0
>>> Number of buffers in free list:    15992
>>> Number of buffers in release list: 2
>>>
>>> Snort only caught 2 of them and freed the other 48. There is no info 
>>> about these exit stats either, so I don't know what freeing files 
>>> means. With these results I thought other preprocessors might be the 
>>> reason for it, so my normalize, frag3, stream5, and http_inspect 
>>> preprocessor configurations look like this:
>>>
>>> ===========================
>>>
>>> preprocessor normalize_ip4
>>> preprocessor normalize_tcp: ips ecn stream
>>> preprocessor normalize_icmp4
>>> preprocessor normalize_ip6
>>> preprocessor normalize_icmp6
>>>
>>> ============================
>>>
>>> preprocessor frag3_global: max_frags 65536
>>> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>>>
>>> ======================================
>>>
>>> preprocessor stream5_global: track_tcp yes, \
>>>    track_udp yes, \
>>>    track_icmp no, \
>>>    max_tcp 262144, \
>>>    memcap 1073741824, \
>>>    max_udp 131072, \
>>>    max_active_responses 2, \
>>>    min_response_seconds 5
>>> preprocessor stream5_tcp: policy windows, \
>>>    detect_anomalies, require_3whs 180, \
>>>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>>>     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>>>         161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
>>>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>>>     ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \
>>>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>>>         7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
>>> preprocessor stream5_udp: timeout 180
>>>
>>> =========================================
>>>
>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 memcap 503979776
>>> preprocessor http_inspect_server: server default \
>>>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>>>     chunk_length 500000 \
>>>     server_flow_depth 0 \
>>>     client_flow_depth 0 \
>>>     post_depth 65495 \
>>>     oversize_dir_length 500 \
>>>     max_header_length 750 \
>>>     max_headers 100 \
>>>     max_spaces 200 \
>>>     small_chunk_length { 10 5 } \
>>>     ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \
>>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>     enable_cookie \
>>>     extended_response_inspection \
>>>     inspect_gzip \
>>>     normalize_utf \
>>>     unlimited_decompress \
>>>     normalize_javascript \
>>>     apache_whitespace no \
>>>     ascii no \
>>>     bare_byte no \
>>>     directory no \
>>>     double_decode no \
>>>     iis_backslash no \
>>>     iis_delimiter no \
>>>     iis_unicode no \
>>>     multi_slash no \
>>>     utf_8 no \
>>>     u_encode yes \
>>>     webroot no
>>>
>>> =======================================
>>>
>>> Once again, I am running Snort's latest version, which is 2.9.9.0, with 
>>> daq nfq in inline mode. I want to run it in inline mode, so passive 
>>> mode is not a solution for me. I still can't figure out why 
>>> snort behaves like that and need some help with this.
>>>
>>> Thanks for the help.
>>>
>>
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.snort.org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>

-------------- next part --------------
===============================================================================
Run time for packet processing was 54.37007 seconds
Snort processed 370 packets.
Snort ran for 0 days 0 hours 0 minutes 54 seconds
   Pkts/sec:            6
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       4313088
  Bytes in mapped regions (hblkhd):      1064407040
  Total allocated space (uordblks):      2099776
  Total free space (fordblks):           2213312
  Topmost releasable block (keepcost):   59480
  Number of free chunks (ordblks):       142
  Number of free fastbin blocks (smblks):19
  Number of mapped regions (hblks):      28
  Max. total allocated space (usmblks):  0
  Free bytes held in fastbins (fsmblks): 600
===============================================================================
Packet I/O Totals:
   Received:          370
   Analyzed:          370 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            0 (  0.000%)
       VLAN:            0 (  0.000%)
        IP4:          370 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:           21 (  5.676%)
        TCP:          349 ( 94.324%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          370
===============================================================================
Action Stats:
     Alerts:            7 (  1.892%)
     Logged:            7 (  1.892%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          258 ( 69.730%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          112 ( 30.270%)
     Ignore:            0 (  0.000%)
===============================================================================
Normalizer statistics:
              ip4::trim: 0
Would         ip4::trim: 0
               ip4::tos: 0
Would          ip4::tos: 0
                ip4::df: 0
Would           ip4::df: 0
                ip4::rf: 0
Would           ip4::rf: 0
               ip4::ttl: 0
Would          ip4::ttl: 0
              ip4::opts: 0
Would         ip4::opts: 0
            icmp4::echo: 0
Would       icmp4::echo: 0
               ip6::ttl: 0
Would          ip6::ttl: 0
              ip6::opts: 0
Would         ip6::opts: 0
            icmp6::echo: 0
Would       icmp6::echo: 0
           tcp::syn_opt: 0
Would      tcp::syn_opt: 0
               tcp::opt: 0
Would          tcp::opt: 0
               tcp::pad: 0
Would          tcp::pad: 0
               tcp::rsv: 0
Would          tcp::rsv: 0
                tcp::ns: 0
Would           tcp::ns: 0
               tcp::urp: 0
Would          tcp::urp: 0
           tcp::ecn_pkt: 0
Would      tcp::ecn_pkt: 0
            tcp::ts_ecr: 0
Would       tcp::ts_ecr: 0
           tcp::req_urg: 0
Would      tcp::req_urg: 0
           tcp::req_pay: 0
Would      tcp::req_pay: 0
           tcp::req_urp: 0
Would      tcp::req_urp: 0
           tcp::ecn_ssn: 0
Would      tcp::ecn_ssn: 0
            tcp::ts_nop: 0
Would       tcp::ts_nop: 0
          tcp::ips_data: 0
Would     tcp::ips_data: 0
             tcp::block: 0
Would        tcp::block: 0
          tcp::trim_syn: 0
Would     tcp::trim_syn: 0
          tcp::trim_rst: 0
Would     tcp::trim_rst: 0
          tcp::trim_win: 0
Would     tcp::trim_win: 0
          tcp::trim_mss: 0
Would     tcp::trim_mss: 0
         ftp::trim_data: 0
Would    ftp::trim_data: 0
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
===============================================================================
Stream statistics:
            Total sessions: 64
              TCP sessions: 50
              UDP sessions: 14
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 50
TCP StreamTrackers Deleted: 50
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 101
     TCP Segments Released: 101
       TCP Rebuilt Packets: 50
         TCP Segments Used: 101
              TCP Discards: 0
                  TCP Gaps: 0
      UDP Sessions Created: 14
      UDP Sessions Deleted: 14
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 244
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 14
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0         
    GET methods:                          0         
    HTTP Request Headers extracted:       0         
    Avg Request Header length:            n/a       
    HTTP Request Cookies extracted:       0         
    Avg Request Cookie length:            n/a       
    Post parameters extracted:            0         
    HTTP response Headers extracted:      50        
    Avg Response Header length:           0.00      
    HTTP Response Cookies extracted:      0         
    Avg Response Cookie length:           n/a       
    Unicode:                              0         
    Double unicode:                       0         
    Non-ASCII representable:              0         
    Directory traversals:                 0         
    Extra slashes ("//"):                 0         
    Self-referencing paths ("./"):        0         
    HTTP Response Gzip packets extracted: 0         
    Gzip Compressed Data Processed:       n/a       
    Gzip Decompressed Data Processed:     n/a       
    Http/2 Rebuilt Packets:               0         
    Total packets processed:              151       
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 0
  Max concurrent sessions                           : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 0
===============================================================================
Reputation Preprocessor Statistics
  Total Memory Allocated: 0
===============================================================================
File Preprocessor Statistics
  Total file type callbacks:            0          
  Total file signature callbacks:       7          
  Total files would saved to disk:      7          
  Total files saved to disk:            0          
  Total file data saved to disk:        0         bytes
  Total files duplicated:               7          
  Total files reserving failed:         0          
  Total file capture min:               0          
  Total file capture max:               0          
  Total file capture memcap:            0          
  Total files reading failed:           0          
  Total file agent memcap failures:     0          
  Total files sent:                     0          
  Total file data sent:                 0          
  Total file transfer failures:         0          
===============================================================================
File type stats:
         Type              Download   (Bytes)      Upload     (Bytes)
            Total          0          0            0          0          

File signature stats:
         Type              Download   Upload 
Undecided file type, continue...(  0)          7          0          
            Total          7          0          

File type verdicts:
        UNKNOWN:           0          
            LOG:           0          
           STOP:           0          
          BLOCK:           0          
         REJECT:           0          
        PENDING:           0          
   STOP CAPTURE:           0          
          Total:           0          

File signature verdicts:
        UNKNOWN:           0          
            LOG:           0          
           STOP:           0          
          BLOCK:           7          
         REJECT:           0          
        PENDING:           0          
   STOP CAPTURE:           0          
          Total:           7          

Total files processed:             50         
Total files data processed:        350       bytes 
Total files buffered:              50         
Total files released:              7          
Total files freed:                 43         
Total files captured:              7          
Total files within one packet:     7          
Total buffers allocated:           50         
Total buffers freed:               43         
Total buffers released:            7          
Maximum file buffers used:         1          
Total buffers free errors:         0          
Total buffers release errors:      0          
Total memcap failures:             0          
Total memcap failures at reserve:  0          
Total reserve failures:            0          
Total file capture size min:       0          
Total file capture size max:       0          
Total capture max before reserve:  0          
Total file signature max:          0          
Maximum buffers can allocate:      15994      
Number of buffers in use:          0          
Number of buffers in free list:    15987      
Number of buffers in release list: 7          
===============================================================================
Snort exiting
-------------- next part --------------
===============================================================================
Run time for packet processing was 29.16292 seconds
Snort processed 2809 packets.
Snort ran for 0 days 0 hours 0 minutes 29 seconds
   Pkts/sec:           96
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       4304896
  Bytes in mapped regions (hblkhd):      1064407040
  Total allocated space (uordblks):      2099248
  Total free space (fordblks):           2205648
  Topmost releasable block (keepcost):   124016
  Number of free chunks (ordblks):       132
  Number of free fastbin blocks (smblks):7
  Number of mapped regions (hblks):      28
  Max. total allocated space (usmblks):  0
  Free bytes held in fastbins (fsmblks): 160
===============================================================================
Packet I/O Totals:
   Received:         2810
   Analyzed:         2809 ( 99.964%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            1 (  0.036%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         2812 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:         2766 ( 98.364%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:           19 (  0.676%)
        TCP:         2746 ( 97.653%)
        IP6:            4 (  0.142%)
    IP6 Ext:            4 (  0.142%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            4 (  0.142%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:           12 (  0.427%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:           31 (  1.102%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            2 (  0.071%)
     S5 G 2:            1 (  0.036%)
      Total:         2812
===============================================================================
Action Stats:
     Alerts:           50 (  1.778%)
     Logged:           50 (  1.778%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:         2695 ( 95.907%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          114 (  4.057%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
===============================================================================
Stream statistics:
            Total sessions: 63
              TCP sessions: 52
              UDP sessions: 11
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 52
TCP StreamTrackers Deleted: 52
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 1319
     TCP Segments Released: 1319
       TCP Rebuilt Packets: 489
         TCP Segments Used: 1318
              TCP Discards: 0
                  TCP Gaps: 0
      UDP Sessions Created: 11
      UDP Sessions Deleted: 11
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 2679
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 11
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0         
    GET methods:                          50        
    HTTP Request Headers extracted:       50        
    Avg Request Header length:            107.00    
    HTTP Request Cookies extracted:       0         
    Avg Request Cookie length:            n/a       
    Post parameters extracted:            0         
    HTTP response Headers extracted:      50        
    Avg Response Header length:           0.00      
    HTTP Response Cookies extracted:      0         
    Avg Response Cookie length:           n/a       
    Unicode:                              0         
    Double unicode:                       0         
    Non-ASCII representable:              0         
    Directory traversals:                 0         
    Extra slashes ("//"):                 0         
    Self-referencing paths ("./"):        0         
    HTTP Response Gzip packets extracted: 0         
    Gzip Compressed Data Processed:       n/a       
    Gzip Decompressed Data Processed:     n/a       
    Http/2 Rebuilt Packets:               0         
    Total packets processed:              270       
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 0
  Max concurrent sessions                           : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 0
===============================================================================
Reputation Preprocessor Statistics
  Total Memory Allocated: 0
===============================================================================
File Preprocessor Statistics
  Total file type callbacks:            0          
  Total file signature callbacks:       50         
  Total files would saved to disk:      50         
  Total files saved to disk:            0          
  Total file data saved to disk:        0         bytes
  Total files duplicated:               50         
  Total files reserving failed:         0          
  Total file capture min:               0          
  Total file capture max:               0          
  Total file capture memcap:            0          
  Total files reading failed:           0          
  Total file agent memcap failures:     0          
  Total files sent:                     0          
  Total file data sent:                 0          
  Total file transfer failures:         0          
===============================================================================
File type stats:
         Type              Download   (Bytes)      Upload     (Bytes)
            Total          0          0            0          0          

File signature stats:
         Type              Download   Upload 
Undecided file type, continue...(  0)          50         0          
            Total          50         0          

File type verdicts:
        UNKNOWN:           0          
            LOG:           0          
           STOP:           0          
          BLOCK:           0          
         REJECT:           0          
        PENDING:           0          
   STOP CAPTURE:           0          
          Total:           0          

File signature verdicts:
        UNKNOWN:           0          
            LOG:           0          
           STOP:           0          
          BLOCK:           50         
         REJECT:           0          
        PENDING:           0          
   STOP CAPTURE:           0          
          Total:           50         

Total files processed:             50         
Total files data processed:        350       bytes 
Total files buffered:              50         
Total files released:              50         
Total files freed:                 0          
Total files captured:              50         
Total files within one packet:     50         
Total buffers allocated:           50         
Total buffers freed:               0          
Total buffers released:            50         
Maximum file buffers used:         1          
Total buffers free errors:         0          
Total buffers release errors:      0          
Total memcap failures:             0          
Total memcap failures at reserve:  0          
Total reserve failures:            0          
Total file capture size min:       0          
Total file capture size max:       0          
Total capture max before reserve:  0          
Total file signature max:          0          
Maximum buffers can allocate:      15994      
Number of buffers in use:          0          
Number of buffers in free list:    15944      
Number of buffers in release list: 50         
===============================================================================
Snort exiting
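As an added example (not from the thread and not Snort's own code), the Python script below parses the plain integer counters out of Snort 2.9.x shutdown dumps like the two attached above, checks the file-capture counters against the relationships the healthy run exhibits (every buffered file is released and captured, nothing is freed, the release list matches the release count), and diffs two runs so that every counter that moved between them is listed. The embedded excerpts are copied from the two attachments; the invariant checks and the function names are my own, not Snort documentation.

```python
"""Parse Snort 2.9.x shutdown counters and compare two runs' file-capture state.

Added example for this thread, not Snort code. The two excerpts below are
copied from the shutdown-count attachments posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Excerpt of the first attachment (the run where 43 of 50 buffered files were freed).
INLINE_NFQ = """\
    GET methods:                          0
    HTTP Request Headers extracted:       0
    HTTP response Headers extracted:      50
Total files processed:             50
Total files data processed:        350       bytes
Total files buffered:              50
Total files released:              7
Total files freed:                 43
Total files captured:              7
Total buffers allocated:           50
Total buffers freed:               43
Total buffers released:            7
Number of buffers in release list: 7
"""

# Excerpt of the second attachment (the run where every buffered file was released).
PASSIVE = """\
    GET methods:                          50
    HTTP Request Headers extracted:       50
    HTTP response Headers extracted:      50
Total files processed:             50
Total files data processed:        350       bytes
Total files buffered:              50
Total files released:              50
Total files freed:                 0
Total files captured:              50
Total buffers allocated:           50
Total buffers freed:               0
Total buffers released:            50
Number of buffers in release list: 50
"""

# Matches "Name: <integer> [bytes]" lines only; percentage and float lines are skipped.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9/ ]*?):\s+(\d+)\s*(?:bytes)?\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every plain integer counter line."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def check_file_capture(c: Dict[str, int]) -> List[str]:
    """Return violations of the relationships a clean file-capture run shows.

    The expectations are read off the healthy dump: released + freed accounts
    for every buffered file, nothing is freed, captured equals released, and
    the buffer counters mirror the file counters.
    """
    findings: List[str] = []
    buffered = c["Total files buffered"]
    released = c["Total files released"]
    freed = c["Total files freed"]
    captured = c["Total files captured"]
    if released + freed != buffered:
        findings.append(f"released ({released}) + freed ({freed}) != buffered ({buffered})")
    if freed:
        findings.append(f"{freed} of {buffered} buffered files freed instead of released")
    if captured != released:
        findings.append(f"captured ({captured}) != released ({released})")
    if c.get("Number of buffers in release list") != released:
        findings.append("release list size does not match files released")
    if c["Total buffers freed"] != freed or c["Total buffers released"] != released:
        findings.append("buffer counters disagree with file counters")
    return findings


def diff_counters(a: Dict[str, int], b: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Counters present in both runs whose values differ, as {name: (a, b)}."""
    return {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}


if __name__ == "__main__":
    first, second = parse_counters(INLINE_NFQ), parse_counters(PASSIVE)
    print("first run findings: ", check_file_capture(first))
    print("second run findings:", check_file_capture(second))
    for name, (x, y) in diff_counters(first, second).items():
        print(f"{name:40s} first={x:<5d} second={y}")
```

Running it reports one finding for the first excerpt (43 files freed rather than released) and none for the second, and the diff lists every counter that differs between the two runs, including the HTTP Inspect request counters, so the comparison is driven by the dumps themselves rather than by which counters one happens to look at.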

