Snort mailing list archives
AW: Snort & multi-port ethernet cards -- PART II
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Sat, 22 Jun 2002 14:01:45 +0200
Tom,

did you have a look at snort's output when sending SIGUSR1 to all the snort processes (killall -SIGUSR1 snort) and make sure you're not dropping packets? This shouldn't be an issue on your box, but it may be true if the box is defined to do more than snorting (I had that same issue when I installed snort, MySQL and ACID all together on a highly saturated segment with an old PC).

Just a thought.

Cheers,
Sandro
Thanks very much to Eric, Sandro, Keith, and Vjay for their responses.

+++++++++++++++++++++++++++++++++++++++++++++

I've checked the logs, etc. The three i/faces that are active on the quad card do see traffic, but not all the traffic.

For example, I am snorting two internal segments. When an alert is generated for an event that happens in segment 1 (on eth1), and the other end of that event is in segment 3 (on eth3), both sensors should report the event. This happens sometimes and at times it does not. I have one instance of this event firing where it is seen by both sensors, and then I have one that was seen only by one of the sensors. Same src/dst IP in both cases.

The event in question is "ATTACK RESPONSES id check returned root" when a Unix admin in seg 1 connects to a Unix server in seg 3.

Again, running on RH 7.3, Compaq Proliant 1600, 2 x PIII 500, 512m ram.... Decent box.

And also, on eth 1 & on eth 3, I have a filter set on the snort command line:

  eth1   not (src net seg1 and dst net seg1)   # ignore traffic that is local to this segment
  eth3   not (src net seg3 and dst net seg3)   # ignore traffic that is local to this segment

So as to pick up only traffic that is from/to a different segment....

I am running snort 1.8.6 bld 105...

[eth1, eth3] are in home_net

+++++++++++++++++++++++++

# snort -V

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

-------------------------------------------------------
Sponsored by: ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
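Added example, not part of the original messages and not Snort's own code: one way to check the symptom described in the quoted message, by comparing the alert files of the two sensors and listing alerts that have no counterpart on the other interface. The sample lines follow Snort's fast alert layout; the addresses, timestamps, the year and the 2-second matching window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Fast alert layout: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?:\[[\d:]+\]\s+)?"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

def parse_alerts(text, year=2002):
    """Return [(timestamp, (msg, proto, src, dst)), ...]; fast alerts carry no year."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            alerts.append((ts, (m["msg"], m["proto"], m["src"], m["dst"])))
    return alerts

def unmatched(a, b, window=timedelta(seconds=2)):
    """Alerts in a that have no alert with the same key in b within the window."""
    remaining = list(b)
    missing = []
    for ts, key in a:
        hit = next((x for x in remaining
                    if x[1] == key and abs(x[0] - ts) <= window), None)
        if hit is not None:
            remaining.remove(hit)      # each alert in b pairs with one alert in a
        else:
            missing.append((ts, key))
    return missing

# Constructed sample data: the same cross-segment session seen on both interfaces
# in the morning, but only on eth1 later in the day.
TAIL = ("[**] [1:498:3] ATTACK RESPONSES id check returned root [**] "
        "[Priority: 2] {TCP} 10.3.0.20:23 -> 10.1.0.7:")
ETH1_ALERTS = (f"06/21-09:15:02.104311  {TAIL}1034\n"
               f"06/21-11:40:37.550120  {TAIL}1051\n")
ETH3_ALERTS = f"06/21-09:15:02.104598  {TAIL}1034\n"

if __name__ == "__main__":
    eth1, eth3 = parse_alerts(ETH1_ALERTS), parse_alerts(ETH3_ALERTS)
    for name, gaps in (("eth3", unmatched(eth1, eth3)), ("eth1", unmatched(eth3, eth1))):
        for ts, (msg, proto, src, dst) in gaps:
            print(f"not seen on {name}: {ts:%m/%d %H:%M:%S} {msg} {proto} {src} -> {dst}")
```

A gap that shows up on only one interface, together with a non-zero dropped-packet count from the SIGUSR1 statistics for that interface's process, points at packet loss rather than at the filters.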