[Snort-users] [WARNING: UNSCANNABLE EXTRACTION FAILED] Snort not detect attack on mirroring port

Dorian ROSSE dorianbrice at hotmail.fr
Sun Jun 16 08:48:48 EDT 2019

For tcpdump and pcap between Itself in snort follow It two links :



I hope It will be helpful,


Dorian ROSSE.

Provenance : Courrier<https://go.microsoft.com/fwlink/?LinkId=550986> pour Windows 10

De : Snort-users <snort-users-bounces at lists.snort.org> de la part de Al Lewis (allewi) via Snort-users <snort-users at lists.snort.org>
Envoyé : Saturday, June 15, 2019 4:52:14 PM
À : Сергей Беляев; snort-users at lists.snort.org
Objet : Re: [Snort-users] [WARNING: UNSCANNABLE EXTRACTION FAILED] Snort not detect attack on mirroring port


Are you able to capture the traffic (using tcpdump) in the scenario that doesn’t alert?

If so, as a quick test, are you able to replay that captured traffic directly into snort (using -r )? Do you get alerts then?

Are you able to share the pcaps of the working vs non working sessions?

Albert Lewis
Cisco Systems Inc.
Email: allewi at cisco.com<mailto:allewi at cisco.com>

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Сергей Беляев via Snort-users <snort-users at lists.snort.org>
Reply-To: Сергей Беляев <bamkrgd at mail.ru>
Date: Saturday, June 15, 2019 at 9:26 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [WARNING: UNSCANNABLE EXTRACTION FAILED][Snort-users] Snort not detect attack on mirroring port

  Excuse me for my bad english.
  I Iinstall snort 2.9.11 on ubuntu 12.04 from sources and connect it to HP ProCurve 2510G mirror port.
  My mirroring scheme in file mirror.pdf and snort host configuration in file snort_host_conf.png
  I tried attack my test windows xp machine from kali by script ms_08_067_netapi.rb, which exploits cve-2008-4250 vulnerability. And snort not detect it.
  Then i tried the same attack from  kali to windows xp via linux in routing mode - scheme snort_on_router.pdf
  And in this scheme snort detect attacks successfully by triggering rule sid 14782 in file os-windows.rules
  My snort config in snort.tar.gz
  May be it is bag that snort not detect attack from mirroring traffic?
  Installing snort 2.9.13 to ubuntu 16.04 - same result.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190616/b9c173ff/attachment.html>

More information about the Snort-users mailing list