Snort mailing list archives
Re: Packet Payload not appearing for internal traffic.
From: Susan Kay Coulter <skc () lanl gov>
Date: Fri, 5 Oct 2001 10:35:50 -0600
You didn't mention which database you're using, or the snaplen ... but, I found that there is a very real limitation with mysql - depending on what OS and how it's configured. mysql tables have an upper limit of whatever the max file size is on your box. The 'data' table (which contains the payload) usually fills up first. This does not always cause snort or mysql to fail ... it just stops writing payload to the 'data' table. This could be your situation - especially since you set up a rule that would trigger for every TCP packet that crossed your sensor.
Message: 4
From: "Grimes, Shawn (NIA/IRP)" <GrimesSh () grc nia nih gov>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Thu, 4 Oct 2001 17:16:36 -0400
Subject: [Snort-users] Packet Payload not appearing for internal traffic...

It seems my snort is not viewing the packet payload of outbound traffic. I have two rules set up to monitor for Code Red/Nimda related activity: one for attacks against us and another for us attacking other sites (meaning we got infected somewhere). The incoming attacks rule works great, the outgoing doesn't work at all. Here are my rules:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Cmd.exe attempt against us"; content:"cmd.exe"; nocase;)
    alert tcp $HOME_NET any -> any 80 (msg:"Cmd.exe attempt from us"; content:"cmd.exe"; nocase;)

Again, incoming works great, I can see every box that tries to access cmd.exe on one of our local computers. Outgoing however, if I type in a web address, say: http://www.google.com/cmd.exe, I don't get the alert I'm supposed to. I set up a rule for:

    alert tcp any any -> any any (msg:"Flood of traffic";)

and I got several alerts, but when I went into the detailed view in ACID of the alert, the packet payload was empty.

Any ideas?

TIA,
Shawn
--
Susan Coulter
Network Security Team
CCN-5 Network Engineering
Los Alamos National Laboratory
voice: (505) 667-8425
fax: (505) 665-7793
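The check Susan's reply implies, as an added example (it is not code from this thread or from Snort): the Snort database output plugin writes one row per alert into the 'event' table and, separately, the hex-encoded payload into the 'data' table, so an alert that exists in 'event' but has no matching 'data' row is exactly what "it just stops writing payload" looks like from the database side. The block models those two tables in an in-memory SQLite database using the column names of the Snort database schema (sid, cid, signature, timestamp / sid, cid, data_payload); the six alerts and three payload rows are constructed sample data, and the trailing-gap threshold is an assumed heuristic, not a Snort setting.

```python
"""Find alerts stored without a payload row and decide whether payload
logging stopped outright, as it does once the 'data' table hits its
file-size limit.  Added example; tables and rows are constructed."""
import sqlite3

# Constructed sample: sensor id 1 logged six alerts.  The first three got a
# payload row, the last three did not (what a full 'data' table produces).
SAMPLE_EVENTS = [
    (1, 1, 1000, "2001-10-04 16:00:01"),
    (1, 2, 1000, "2001-10-04 16:00:05"),
    (1, 3, 1001, "2001-10-04 16:01:10"),
    (1, 4, 1000, "2001-10-04 16:02:30"),
    (1, 5, 1001, "2001-10-04 16:02:31"),
    (1, 6, 1000, "2001-10-04 16:03:00"),
]
# Payloads are stored hex-encoded, as the Snort database plugin does by default.
SAMPLE_PAYLOADS = [
    (1, 1, "474554202F636D642E65786520485454502F312E30"),  # "GET /cmd.exe HTTP/1.0"
    (1, 2, "474554202F64656661756C742E696461"),            # "GET /default.ida"
    (1, 3, "474554202F20485454502F312E31"),                # "GET / HTTP/1.1"
]


def build_sample_db():
    """Create the two relevant tables (minimal form of the Snort schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                            timestamp TEXT, PRIMARY KEY (sid, cid));
        CREATE TABLE data  (sid INTEGER, cid INTEGER, data_payload TEXT,
                            PRIMARY KEY (sid, cid));
    """)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", SAMPLE_PAYLOADS)
    conn.commit()
    return conn


def missing_payload_cids(conn, sid):
    """cids of this sensor's alerts that have no 'data' row, oldest first.
    The same LEFT JOIN runs unchanged against a real MySQL snort database."""
    rows = conn.execute(
        """SELECT e.cid FROM event e
           LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
           WHERE e.sid = ? AND d.cid IS NULL
           ORDER BY e.cid""", (sid,)).fetchall()
    return [cid for (cid,) in rows]


def trailing_events_without_payload(conn, sid):
    """(last cid that still got a payload row, number of later alerts).
    Every alert after the last successful payload write has no 'data' row
    by definition, so the interesting number is how long that run is."""
    last_with = conn.execute(
        "SELECT MAX(cid) FROM data WHERE sid = ?", (sid,)).fetchone()[0]
    if last_with is None:
        last_with = 0  # nothing was ever written for this sensor
    later = conn.execute(
        "SELECT COUNT(*) FROM event WHERE sid = ? AND cid > ?",
        (sid, last_with)).fetchone()[0]
    return last_with, later


def looks_like_full_data_table(conn, sid, min_trailing=3):
    """A single alert with an empty payload can be legitimate (a bare SYN
    matches an 'any any -> any any' rule), so isolated gaps prove nothing.
    A run of alerts with no payload that starts after the last successful
    write and never resumes is the pattern of a table that stopped
    accepting rows.  min_trailing is an assumed threshold, not a Snort value."""
    _, later = trailing_events_without_payload(conn, sid)
    return later >= min_trailing


def decode_payload(hex_payload):
    """Turn a stored hex payload back into bytes for inspection."""
    return bytes.fromhex(hex_payload)


if __name__ == "__main__":
    db = build_sample_db()
    print("alerts without payload:", missing_payload_cids(db, 1))
    print("last payload cid / alerts after it:",
          trailing_events_without_payload(db, 1))
    print("payload logging appears to have stopped:",
          looks_like_full_data_table(db, 1))
    print(decode_payload(SAMPLE_PAYLOADS[0][2]))
```

On a real MySQL server the LEFT JOIN above is the first thing to run; if it shows a run of recent alerts with no payload, `SHOW TABLE STATUS LIKE 'data'` reports the table's Data_length next to Max_data_length, which is the ceiling the reply describes. Note that the 'any any -> any any' test rule in the original question makes the gap hard to interpret on its own, because many of the packets it matches carry no payload to begin with; the trailing-run check separates that from a table that has simply stopped growing.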
Current thread:
- Re: Packet Payload not appearing for internal traffic. Susan Kay Coulter (Oct 05)
- Re: Packet Payload not appearing for internal traffic. Chris Adams (Oct 05)