Snort mailing list archives

Re: No alerts


From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 25 Mar 2002 13:34:12 -0800

Here's the result of further testing, which leaves me still more puzzled:

Running snort 1.8.4 from the command line, omitting the -D option but otherwise using the options cited in my earlier posting, yields alerts. But, typing in all options -- including -D -- causes snort to omit writing alerts.

Also, running snort 1.8.4 with -D and (after a bit of time to let snort settle in) sending SIGUSR1 yields the following result:

Mar 25 13:25:49 ids snort: ============================================================================
Mar 25 13:25:49 ids snort: Snort analyzed 18668 out of 0 packets,
Mar 25 13:25:49 ids snort: Breakdown by protocol: Action Stats:
Mar 25 13:25:49 ids snort:     TCP: 9          (inf%)         ALERTS: 0
Mar 25 13:25:49 ids snort:     UDP: 18634      (inf%)         LOGGED: 18618
Mar 25 13:25:49 ids snort:    ICMP: 0          (0.000%)       PASSED: 0
Mar 25 13:25:49 ids snort:     ARP: 4          (inf%)
Mar 25 13:25:49 ids snort:    IPv6: 0          (0.000%)
Mar 25 13:25:49 ids snort:     IPX: 0          (0.000%)
Mar 25 13:25:49 ids snort:   OTHER: 21         (inf%)
Mar 25 13:25:49 ids snort: DISCARD: 0          (0.000%)
Mar 25 13:25:49 ids snort: ============================================================================
Mar 25 13:25:49 ids snort: Fragmentation Stats:
Mar 25 13:25:49 ids snort: Fragmented IP Packets: 0          (0.000%)
Mar 25 13:25:49 ids snort:     Fragment Trackers: 0
Mar 25 13:25:49 ids snort:    Rebuilt IP Packets: 0
Mar 25 13:25:49 ids snort:    Frag elements used: 0
Mar 25 13:25:49 ids snort: Discarded(incomplete): 0
Mar 25 13:25:49 ids snort:    Discarded(timeout): 0
Mar 25 13:25:49 ids snort:   Frag2 memory faults: 0
Mar 25 13:25:49 ids snort: ============================================================================
Mar 25 13:25:49 ids snort: TCP Stream Reassembly Stats:
Mar 25 13:25:49 ids snort:         TCP Packets Used: 9          (inf%)
Mar 25 13:25:49 ids snort:          Stream Trackers: 6
Mar 25 13:25:49 ids snort:           Stream flushes: 0
Mar 25 13:25:49 ids snort:            Segments used: 0
Mar 25 13:25:49 ids snort:    Stream4 Memory Faults: 0
Mar 25 13:25:49 ids snort: ============================================================================

Something is up, because there's substantial TCP traffic on the network, notwithstanding the counter suggesting only 9 TCP packets. Also, the statement that Snort has analyzed "18668 out of 0 packets" doesn't seem quite right.

So, I infer something's not quite right with 1.8.4. At least, not the way I built it <grin>.

---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
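As an added example (not part of Bill's post or of Snort itself): a small health check that parses a SIGUSR1 statistics block of the shape quoted above out of syslog and flags the inconsistencies the post points at (more analyzed than received, undefined percentages, a protocol breakdown that does not add up), so a monitoring job can notice a sensor that is running but not reporting sanely. The regexes are written against the output quoted in the post, not against Snort's source, and the sample text is constructed from those lines.

```python
import re

# Constructed sample in the shape of the SIGUSR1 statistics block that Snort 1.8.x
# writes to syslog; the numbers are those quoted in the post above.
SAMPLE_SYSLOG = """\
Mar 25 13:25:49 ids snort: Snort analyzed 18668 out of 0 packets,
Mar 25 13:25:49 ids snort: Breakdown by protocol: Action Stats:
Mar 25 13:25:49 ids snort:     TCP: 9          (inf%)         ALERTS: 0
Mar 25 13:25:49 ids snort:     UDP: 18634      (inf%)         LOGGED: 18618
Mar 25 13:25:49 ids snort:    ICMP: 0          (0.000%)       PASSED: 0
Mar 25 13:25:49 ids snort:     ARP: 4          (inf%)
Mar 25 13:25:49 ids snort:   OTHER: 21         (inf%)
Mar 25 13:25:49 ids snort: DISCARD: 0          (0.000%)
"""

ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
COUNTER_RE = re.compile(r"\b([A-Za-z0-9]+): (\d+)\s+\(([\d.]+|inf)%\)")
ACTION_RE = re.compile(r"\b(ALERTS|LOGGED|PASSED): (\d+)")


def parse_snort_stats(text):
    """Pull the summary line, per-protocol counters and action counters out of syslog text."""
    stats = {"analyzed": None, "received": None, "counters": {}, "actions": {}}
    for line in text.splitlines():
        m = ANALYZED_RE.search(line)
        if m:
            stats["analyzed"], stats["received"] = int(m.group(1)), int(m.group(2))
        for name, count, pct in COUNTER_RE.findall(line):
            stats["counters"][name] = (int(count), pct)  # pct kept as text: it may be "inf"
        for name, count in ACTION_RE.findall(line):
            stats["actions"][name] = int(count)
    return stats


def sensor_health_findings(stats):
    """Sanity checks a monitoring job can raise on; an empty list means the block looks sane."""
    findings = []
    analyzed, received = stats["analyzed"], stats["received"]
    if analyzed is not None and received is not None and analyzed > received:
        findings.append("analyzed %d packets but received counter reports %d" % (analyzed, received))
    undefined = sorted(n for n, (_, pct) in stats["counters"].items() if pct == "inf")
    if undefined:
        findings.append("percentage undefined (inf%%) for: %s" % ", ".join(undefined))
    # DISCARD is a separate counter, not part of the per-protocol breakdown.
    breakdown = sum(c for n, (c, _) in stats["counters"].items() if n != "DISCARD")
    if analyzed is not None and breakdown != analyzed:
        findings.append("protocol breakdown sums to %d, not %d" % (breakdown, analyzed))
    return findings
```

On the quoted block this reports two findings (the 18668-out-of-0 summary and the inf% counters) while the breakdown sum itself checks out against the analyzed total.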

