Snort mailing list archives
Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss)
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 09 Aug 2001 17:07:05 -0400
FWIW, I've had build 59 running on the Sourcefire production IDS for several days and we've had no misses of the CodeRed (213 out of 213 since Aug 1) attacks or anything else.

Here's my config:

    preprocessor frag2
    preprocessor stream4: detect_scans
    preprocessor stream4_reassemble
    preprocessor http_decode: 80 -unicode -cginull
    preprocessor rpc_decode: 111
    preprocessor bo: -nobrute
    preprocessor telnet_decode
    preprocessor portscan: $HOME_NET 4 3 portscan.log
    preprocessor portscan-ignorehosts: $DNS_SERVERS

    output alert_full
    output alert_syslog: LOG_AUTH LOG_ALERT
    output log_tcpdump: snort.log

     -Marty

Jason Haar wrote:
> Can someone check this out? I've had snort running fine under Linux-2.4.x for some time now, but now I'm running 1.8.1-beta5 I'm seeing the same thing.
>
> Knowing CodeRed was out there, I checked my snort logs this morning to find that our Apache (:-) server had received ONE CodeRed hit. That didn't seem right so I checked its logs. SIX hits. As with Matthew, snort detected the first one, and missed the next five...
>
> Sounds too much of a coincidence, anyone else see this?
>
> More info. Snort detected and reported other scans between the first and second CodeRed hits, so it was picking other things up...
>
> Snort-1.8.1-beta5, with http://snort.sourceforge.net/snortrules.tar.gz rules downloaded yesterday (yup, 20+ hours before CodeRed hit). Could the rules themselves be at fault?
>
>     preprocessor stream4: detect_scans, keepstats, timeout 30, memcap 8388608
>     preprocessor stream4_reassemble: both, ports 21 23 25 53 80 3128 143 110 111 513
>     preprocessor unidecode: 80 3128 -unicode -cginull
>     preprocessor frag2
>
> On Wed, Aug 01, 2001 at 12:05:20PM -0500, Chris Green wrote:
> > "Matthew Collins" <Matthew.Collins () northernregistrars co uk> writes:
> > > I've got snort 1.7 running on a Linux 2.2.19 (Debian) system. The code red worm is starting to get going now, and I've noticed an oddity. I've got one alert for .ida attempt in my snort log--
>
> --
> Cheers
>
> Jason Haar
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
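The cross-check Jason did by hand (count the CodeRed probes Apache logged, then see how many of them Snort alerted on) is the right way to measure misses on a sensor, and it is worth scripting so it can be rerun after every config or rules change. The script below is an added example, not code from this thread or from the Snort project. It parses Apache Common Log Format lines for `/default.ida?` requests and Snort `alert_fast`-style one-line alerts, then pairs each Apache hit with an alert from the same source address within a short time window; hits with no matching alert are reported as misses. The log lines embedded in it are constructed for illustration (addresses, timestamps, the shortened CodeRed query string and the `[gid:sid:rev]` tags are all made up), and the exact `alert_fast` line layout is an assumption, so adjust the regular expression to whatever your output plugin actually writes.

```python
"""Correlate CodeRed (.ida) probes seen by Apache against Snort alerts.

Added example; not part of the original thread or of Snort itself.
All sample log lines below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed Apache Common Log Format lines: six CodeRed probes from
# different hosts plus one ordinary request.  The .ida query string is
# shortened; the real worm sends a long run of 'N' followed by %u-escapes.
APACHE_LOG = """\
10.1.1.5 - - [01/Aug/2001:06:12:01 +1200] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 287
192.0.2.44 - - [01/Aug/2001:06:40:18 +1200] "GET /index.html HTTP/1.0" 200 1043
10.1.2.77 - - [01/Aug/2001:07:05:44 +1200] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 287
198.51.100.3 - - [01/Aug/2001:07:31:09 +1200] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 287
203.0.113.9 - - [01/Aug/2001:08:02:53 +1200] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 287
10.3.3.21 - - [01/Aug/2001:08:47:30 +1200] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 287
192.0.2.200 - - [01/Aug/2001:09:15:12 +1200] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 287
"""

# Constructed Snort alert_fast-style lines (layout and [gid:sid:rev] tags
# assumed): one .ida alert for the first probe, and one unrelated alert
# that the correlation must ignore.
SNORT_LOG = """\
08/01-06:12:03.417228 [**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**] {TCP} 10.1.1.5:3456 -> 192.168.10.8:80
08/01-06:55:10.002311 [**] [1:1000001:1] LOCAL example rule [**] {TCP} 203.0.113.9:4100 -> 192.168.10.8:80
"""

IDA_RE = re.compile(r'GET /default\.ida\?', re.IGNORECASE)

# CLF: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# alert_fast (assumed): MM/DD-HH:MM:SS.usec [**] [g:s:r] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r'^(?P<time>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+'
    r'(?:\[[\d:]+\]\s+)?(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->')


def parse_apache_ida(text):
    """Return (local_time, src_ip) for every .ida request in a CLF log."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m or not IDA_RE.search(m['req']):
            continue
        # Drop the UTC offset: Apache and Snort both log local wall-clock time.
        ts = datetime.strptime(m['time'].split()[0], '%d/%b/%Y:%H:%M:%S')
        hits.append((ts, m['src']))
    return hits


def parse_snort_ida(text, year):
    """Return (local_time, src_ip) for every .ida alert; alert_fast omits the year."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m or '.ida' not in m['msg']:
            continue
        ts = datetime.strptime(f"{year}/{m['time']}", '%Y/%m/%d-%H:%M:%S')
        alerts.append((ts, m['src']))
    return alerts


def correlate(hits, alerts, window=timedelta(seconds=120)):
    """Pair each Apache hit with at most one alert from the same source
    within `window`; return (seen, missed) lists of (time, src)."""
    unmatched = list(alerts)
    seen, missed = [], []
    for ts, src in hits:
        match = next((a for a in unmatched
                      if a[1] == src and abs(a[0] - ts) <= window), None)
        if match is None:
            missed.append((ts, src))
        else:
            unmatched.remove(match)
            seen.append((ts, src))
    return seen, missed


def find_misses(apache_text=APACHE_LOG, snort_text=SNORT_LOG, year=2001):
    return correlate(parse_apache_ida(apache_text),
                     parse_snort_ida(snort_text, year))


if __name__ == '__main__':
    seen, missed = find_misses()
    print(f"{len(seen)} probe(s) alerted on, {len(missed)} missed")
    for ts, src in missed:
        print(f"  MISSED {ts:%Y-%m-%d %H:%M:%S} from {src}")
```

Run it against the real access log and alert file (feed the file contents in place of the constructed strings and pass the right year) after each change to `stream4`/`stream4_reassemble` or the rules tarball; a non-empty `missed` list is the number to drive down, and the source addresses in it tell you which sessions to pull out of the `log_tcpdump` capture for a closer look.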
Current thread:
- Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss), (continued)
- Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Dragos Ruiu (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Steve Williams (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss Jason Haar (Aug 02)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss Andreas Östling (Aug 02)
- Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 01)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Daniel Harrison (Aug 02)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Martin Roesch (Aug 09)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Jason Haar (Aug 09)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Martin Roesch (Aug 09)
- Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss) Martin Roesch (Aug 09)
- Re: Linux and packet loss Jason Haar (Aug 02)
- Re: Linux and packet loss Martin Roesch (Aug 02)
- Re: Linux and packet loss Jason Haar (Aug 02)
- Re: Linux and packet loss Phil Wood (Aug 02)
- ACID and MySQL questions Jason Lewis (Aug 02)
- Re: ACID and MySQL questions meling (Aug 03)