Snort mailing list archives
Re: Linux and packet loss
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 3 Aug 2001 10:34:48 +1200
On Thu, Aug 02, 2001 at 06:22:51PM -0400, Martin Roesch wrote:
> Try removing that dsize option from the rule and see if it makes a difference....
OK, but that rule does work after a snort restart. Are you thinking there may be some fragmentation issues there? If so, I am generating a /var/adm/snort/session.log file that contains session logs. For one of the attacks "missed", that file reported:

    [*] Session stats:
    Start Time: 08/03/01-07:45:29
    End Time: 08/03/01-07:45:30
    Server IP: xxx port: 80 pkts: 5 bytes: 466
    Client IP: yyy port: 4210 pkts: 9 bytes: 4039

For the one I generated after a restart, session.log reported:

    [*] Session stats:
    Start Time: 08/03/01-10:00:13
    End Time: 08/03/01-10:00:14
    Server IP: xxx port: 80 pkts: 5 bytes: 466
    Client IP: zzz port: 4746 pkts: 4 bytes: 284

Certainly looks like that's 5 packets more from the client than were "normal" for such a small thing... Actually, may not. My Apache logs may be truncating the "GET" call? I don't know how long that "GET" call is actually...? Anyway 5<->9 vs 5<->[4|5] seems to imply fragmentation?

Here are the preprocessors I'm using again.

    preprocessor stream4: detect_scans, keepstats, timeout 30, memcap 8388608
    preprocessor stream4_reassemble: both, ports 21 23 25 53 80 3128 143 110 111 513
    preprocessor unidecode: 80 3128 -unicode -cginull
    preprocessor frag2
    preprocessor rpc_decode: 111
    preprocessor bo: -nobrute
    preprocessor telnet_decode

--
Cheers

Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
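The message above reasons from two "Session stats" blocks in Snort's session.log by comparing raw packet counts. As an added illustration (not code from the thread or from Snort), the following parses that block format and computes bytes per packet for each direction, which is the figure to put beside the packet counts when judging whether a session is made of many small segments. The sample input is the two blocks quoted above, with the message's placeholder IPs kept as-is; the flagging thresholds are assumptions.

```python
import re

# Constructed sample input: the two Snort 1.8 session.log "Session stats"
# blocks quoted in the message above, placeholder IPs kept as-is.
SESSION_LOG = """\
[*] Session stats:
Start Time: 08/03/01-07:45:29
End Time: 08/03/01-07:45:30
Server IP: xxx port: 80 pkts: 5 bytes: 466
Client IP: yyy port: 4210 pkts: 9 bytes: 4039
[*] Session stats:
Start Time: 08/03/01-10:00:13
End Time: 08/03/01-10:00:14
Server IP: xxx port: 80 pkts: 5 bytes: 466
Client IP: zzz port: 4746 pkts: 4 bytes: 284
"""

SIDE_RE = re.compile(
    r"^(Server|Client) IP: (\S+) port: (\d+) pkts: (\d+) bytes: (\d+)$")

def parse_session_log(text):
    """One dict per '[*] Session stats:' block: start/end plus per-side counters."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "[*] Session stats:":
            cur = {}
            sessions.append(cur)
        elif cur is None:
            continue  # ignore anything before the first block
        elif line.startswith(("Start Time: ", "End Time: ")):
            key, val = line.split(": ", 1)
            cur[key.split()[0].lower()] = val  # "start" / "end"
        elif m := SIDE_RE.match(line):
            side, ip, port, pkts, nbytes = m.groups()
            cur[side.lower()] = {"ip": ip, "port": int(port),
                                 "pkts": int(pkts), "bytes": int(nbytes)}
    return sessions

def bytes_per_pkt(side):
    """Average bytes per packet for one direction (0.0 when no packets)."""
    return side["bytes"] / side["pkts"] if side["pkts"] else 0.0

def many_small_client_pkts(sessions, min_ratio=2.0, max_avg=100):
    """Sessions where the client sent at least min_ratio times the server's
    packets while averaging <= max_avg bytes each (assumed thresholds): the
    'many tiny segments' shape worth checking in a pcap before blaming drops."""
    return [s for s in sessions
            if s["client"]["pkts"] >= min_ratio * s["server"]["pkts"]
            and bytes_per_pkt(s["client"]) <= max_avg]
```

On the two quoted sessions the 9-packet client side averages about 449 bytes per packet against 71 for the 4-packet one, so neither is flagged by the small-segment check.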