Snort mailing list archives

Re: Linux and packet loss

From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 3 Aug 2001 10:34:48 +1200

On Thu, Aug 02, 2001 at 06:22:51PM -0400, Martin Roesch wrote:
> Try removing that dsize option from the rule and see if it makes a
> difference....

OK, but that rule does work after a snort restart. Are you thinking there
may be some fragmentation issues there? If so, I am generating a
/var/adm/snort/session.log file that contains session logs. For one of the
attacks "missed", that file reported:

[*] Session stats:
   Start Time: 08/03/01-07:45:29   End Time: 08/03/01-07:45:30
   Server IP: xxx  port: 80  pkts: 5  bytes: 466
   Client IP: yyy port: 4210  pkts: 9  bytes: 4039

For the one I generated after a restart, session.log reported:

[*] Session stats:
   Start Time: 08/03/01-10:00:13   End Time: 08/03/01-10:00:14
   Server IP: xxx  port: 80  pkts: 5  bytes: 466
   Client IP: zzz  port: 4746  pkts: 4  bytes: 284

Certainly looks like that's 5 packets more from the client than were
"normal" for such a small thing... 

Actually, maybe not. My Apache logs may be truncating the "GET" call? I don't
know how long that "GET" call actually is...?

Anyway 5<->9 vs 5<->[4|5] seems to imply fragmentation?

Here's the preprocessors I'm using again.

preprocessor stream4: detect_scans, keepstats, timeout 30, memcap 8388608
preprocessor stream4_reassemble: both, ports 21 23 25 53 80 3128 143 110 111 513
preprocessor unidecode: 80 3128 -unicode -cginull
preprocessor frag2
preprocessor rpc_decode: 111 
preprocessor bo: -nobrute
preprocessor telnet_decode

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
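The comparison Jason makes by eye above (9 client packets in the "missed" session versus 4 in the one that was detected) can be automated over a whole stream4 `session.log`. The following parser is an added example, not code from the thread or from Snort: it reads `[*] Session stats:` blocks in the layout quoted in the post, computes per-side packet and byte figures, and flags sessions whose client packet count is well above a known-good baseline session. The embedded log text is constructed from the two excerpts in the post, and the outlier heuristic (client packets more than `factor` times the baseline) is an assumption chosen for illustration, not a Snort feature.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the two session.log excerpts quoted in the post, concatenated.
SESSION_LOG = """\
[*] Session stats:
   Start Time: 08/03/01-07:45:29   End Time: 08/03/01-07:45:30
   Server IP: xxx  port: 80  pkts: 5  bytes: 466
   Client IP: yyy port: 4210  pkts: 9  bytes: 4039

[*] Session stats:
   Start Time: 08/03/01-10:00:13   End Time: 08/03/01-10:00:14
   Server IP: xxx  port: 80  pkts: 5  bytes: 466
   Client IP: zzz  port: 4746  pkts: 4  bytes: 284
"""


@dataclass
class Side:
    """One endpoint of a session as reported by stream4 keepstats."""
    ip: str
    port: int
    pkts: int
    bytes: int

    @property
    def avg_bytes(self) -> float:
        # Average payload per packet; small values on a side that sent many
        # packets are worth a closer look for fragmentation or retransmits.
        return self.bytes / self.pkts if self.pkts else 0.0


@dataclass
class Session:
    start: str
    end: str
    server: Side
    client: Side


# Field layout taken from the excerpts in the post; whitespace is tolerant
# because the "Client IP" line in the first excerpt has a single space before "port".
SIDE_RE = re.compile(
    r"(Server|Client) IP:\s*(\S+)\s+port:\s*(\d+)\s+pkts:\s*(\d+)\s+bytes:\s*(\d+)"
)
TIME_RE = re.compile(r"Start Time:\s*(\S+)\s+End Time:\s*(\S+)")


def parse_session_log(text: str) -> list[Session]:
    """Split the log on the block header and extract one Session per complete block."""
    sessions: list[Session] = []
    for block in text.split("[*] Session stats:")[1:]:
        times = TIME_RE.search(block)
        sides = {
            m.group(1): Side(m.group(2), int(m.group(3)), int(m.group(4)), int(m.group(5)))
            for m in SIDE_RE.finditer(block)
        }
        if not times or "Server" not in sides or "Client" not in sides:
            continue  # truncated block (e.g. log rotated mid-write): skip rather than guess
        sessions.append(Session(times.group(1), times.group(2), sides["Server"], sides["Client"]))
    return sessions


def client_packet_ratio(s: Session) -> float:
    """Client-to-server packet ratio; the post's 'missed' session is 9/5, the detected one 4/5."""
    return s.client.pkts / s.server.pkts if s.server.pkts else float("inf")


def flag_outliers(sessions: list[Session], baseline: Session, factor: float = 1.5) -> list[Session]:
    """Assumed heuristic: sessions whose client sent more than `factor` x the
    baseline's client packets for the same kind of request are candidates for
    fragmentation or retransmission checks with a packet capture."""
    return [s for s in sessions if s.client.pkts > baseline.client.pkts * factor]


if __name__ == "__main__":
    found = parse_session_log(SESSION_LOG)
    normal = found[1]  # the session generated after the restart, used as baseline
    for s in flag_outliers(found, normal):
        print(f"{s.start} client {s.client.ip}:{s.client.port} "
              f"pkts={s.client.pkts} avg_bytes={s.client.avg_bytes:.1f} "
              f"ratio={client_packet_ratio(s):.2f}")
```

Running it prints the 07:45 session only, since its client sent 9 packets against the 4 of the baseline. Comparing packet counts alone cannot tell fragmentation from retransmission, so the output is a list of sessions to pull from a capture, not a verdict; with a `dsize` rule in play, the reassembled size of those packets is the thing to check next.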