Snort mailing list archives

AW: Snort & multi-port ethernet cards -- PART II


From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Sat, 22 Jun 2002 14:01:45 +0200

Tom,

did you have a look on snort's output when sending SIGUSR1 to all the snort
processes (killall -SIGUSR1 snort) and made sure you're not dropping
packets?

This shouldn't be an issue on your box but maybe true if the box is defined
to do more than snorting (I had that same issue when installed snort and
MySQL and ACID altogether on a highly saturated segment with an old pc).

Just a thought.

Cheers,
Sandro

Thanks very much to Eric, Sandro, Keith, and Vjay for their responses.

+++++++++++++++++++++++++++++++++++++++++++++

I've checked the logs, etc.  The three i/faces that are active on the quad
card do see traffic, but not all the traffic.

For example, I am snorting two internal segments.  When an alert is
generated for an event that happens in segment 1 (on eth1), and the other
end of that event is in segment 3 (on eth3), both sensors should report the
event.  This happens sometimes and at times it does not.  I have one
instance of this event firing where it is seen by both sensors, and then I
have one that was seen only by one of the sensors.  Same src/dst IP in both
cases. The event in question is "ATTACK RESPONSES id check returned root"
when a Unix admin in seg 1 connects to a Unix server in seg 3.

Again, running on RH 7.3, Compaq Proliant 1600, 2 x PIII 500, 512m ram....
Decent box.

And also, on eth 1 & on eth 3, I have a filter set on the snort command
line:

  eth1  not (src net seg1 and dst net seg1)   # ignore traffic that is local to this segment
  eth3  not (src net seg3 and dst net seg3)   # ignore traffic that is local to this segment

So as to pick up only traffic that is from/to a different segment....  I am
running snort 1.8.6 bld 105...  [eth1, eth3] are in home_net

+++++++++++++++++++++++++

# snort -V

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)



-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
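
An added example, not part of the original messages: a small Python model of the two per-interface filters quoted in the thread, used to work out which sensors should report an event and to list events that one of them missed. The subnets, time buckets and alert records are constructed assumptions; the thread only names the segments seg1 and seg3.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing: the thread only calls the segments "seg1" and "seg3".
SEGMENTS = {
    "eth1": ipaddress.ip_network("10.1.0.0/24"),
    "eth3": ipaddress.ip_network("10.3.0.0/24"),
}

def passes_filter(iface, src, dst):
    """Model of the per-interface filter: not (src net segN and dst net segN)."""
    net = SEGMENTS[iface]
    return not (ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net)

def expected_sensors(src, dst):
    """Interfaces whose segment carries the packet and whose filter keeps it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {
        iface for iface, net in SEGMENTS.items()
        if (s in net or d in net) and passes_filter(iface, src, dst)
    }

def missing_reports(alerts):
    """Map each event to the sensors that should have reported it but did not."""
    seen = defaultdict(set)
    for sensor, ts, src, dst, msg in alerts:
        seen[(ts, src, dst, msg)].add(sensor)
    gaps = {}
    for event, sensors in seen.items():
        missing = expected_sensors(event[1], event[2]) - sensors
        if missing:
            gaps[event] = sorted(missing)
    return gaps

# Constructed alert records (sensor, time bucket, src, dst, message);
# these are sample values, not output from the poster's sensors.
MSG = "ATTACK RESPONSES id check returned root"
ALERTS = [
    ("eth1", "10:15", "10.3.0.20", "10.1.0.5", MSG),
    ("eth3", "10:15", "10.3.0.20", "10.1.0.5", MSG),
    ("eth1", "11:40", "10.3.0.20", "10.1.0.5", MSG),  # eth3 did not report
]

if __name__ == "__main__":
    for event, missing in missing_reports(ALERTS).items():
        print(event, "not reported by", missing)
```

An event listed here passed both filters in the model, so the gap lies somewhere other than the filter expressions, for example in the packet drops Sandro asks about.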


