Snort mailing list archives

Re: Snort is not seeing all traffic...


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 08 May 2003 21:07:27 -0400

At 11:23 PM 5/7/2003 -0400, PJ-ML wrote:
The Ethernet links to the hub and to other parts of the network are all 100. Could it be the speed of the server? I am lost in a fog. Not sure where to go; I know that I must tune the server, but I do not know what to tune if it is not seeing even purposeful exploits. I will be more than happy to give any more info that anyone requires to help me figure this out, except for the root password to my machine ;-)

I'd first see if your snort box even has the packets sent to it, using the all-seeing tcpdump tool.

Run tcpdump -n -i (whatever interface) host (target of attack) and then re-run the attack. Does tcpdump spit out packets?

As an example:

snortbox # tcpdump -n -i eth0 host 10.1.1.1

testbox # attack 10.1.1.1

snortbox should have packets from the attack dumped to the screen. Note that the only reason I added -n to the tcpdump command line is to prevent tcpdump from spending a long time trying to do reverse DNS lookups. If there's no DNS available, tcpdump can hold off printing packets to the screen for a shockingly long time.
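The check Matt describes, wrapped in a small script so it can be repeated after each cabling or span-port change. This is an added example, not code from the thread or from the Snort project. It assumes tcpdump and coreutils timeout(1) are installed, that it runs as root on the sensor, and that the interface name, target address and wait time are the ones you pass in. count_host_packets only parses tcpdump -n text, so it can be exercised offline on the constructed capture lines embedded below; verify_sensor_sees is the live wrapper around it.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that the Snort sensor's
# capture interface actually receives packets for a target host, using the same
# "tcpdump -n -i <iface> host <target>" check described in the reply above.

# count_host_packets HOST
#   Reads tcpdump -n output on stdin and prints how many packet lines carry HOST
#   as source or destination. With -n, tcpdump prints addresses as
#   "10.1.1.1.80 >" / "> 10.1.1.1.80:" (TCP/UDP, host.port) or
#   "10.1.1.1 >" / "> 10.1.1.1:" (ICMP), so the pattern requires the address
#   to be followed by an optional ".port" and then " >" or ":". That keeps
#   10.1.1.1 from matching 10.1.1.10 or 10.1.1.100.
count_host_packets() {
    host="$1"
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')   # escape dots for grep -E
    # grep -c prints 0 and exits 1 when nothing matches; keep exit status 0.
    grep -c -E "(^| )${esc}(\.[0-9]+)?( >|:)" || true
}

# verify_sensor_sees IFACE HOST [SECONDS]
#   Captures on IFACE for up to SECONDS (default 10) while you re-run the test
#   against HOST from another box. Returns 0 if at least one packet to or from
#   HOST was seen, 1 otherwise.
#   -n  skip reverse DNS so output is not delayed when no resolver is reachable
#   -l  line-buffer stdout so the pipe sees packets as they arrive
#   -c  stop after a handful of packets; timeout(1) bounds the wait otherwise
verify_sensor_sees() {
    iface="$1"
    host="$2"
    secs="${3:-10}"
    n=$(timeout "$secs" tcpdump -n -l -i "$iface" -c 20 host "$host" 2>/dev/null \
        | count_host_packets "$host")
    if [ "$n" -gt 0 ]; then
        echo "OK: $iface saw $n packet(s) for $host within ${secs}s"
        return 0
    fi
    echo "NONE: no packets for $host on $iface within ${secs}s" \
         "(check hub/span port, cabling, and that $iface is the monitoring interface)"
    return 1
}

# Constructed sample of tcpdump -n output (not a real capture) used for the
# offline demonstration and test. Hosts, ports and timestamps are made up.
SAMPLE_CAPTURE='21:07:27.100001 IP 10.1.1.50.44321 > 10.1.1.1.80: Flags [S], seq 1, win 64240, length 0
21:07:27.100350 IP 10.1.1.1.80 > 10.1.1.50.44321: Flags [S.], seq 2, ack 2, win 65535, length 0
21:07:27.200000 IP 10.1.1.50 > 10.1.1.10: ICMP echo request, id 1, seq 1, length 64
21:07:27.300000 IP 10.1.1.10.22 > 10.1.1.50.50000: Flags [P.], seq 1:10, ack 1, win 500, length 9'

# Offline demonstration: two of the four sample lines involve 10.1.1.1.
echo "packets for 10.1.1.1 in sample: $(printf '%s\n' "$SAMPLE_CAPTURE" | count_host_packets 10.1.1.1)"
# Live use on the sensor (interface and target are assumptions), e.g.:
#   verify_sensor_sees eth0 10.1.1.1 15
```

Run the live check on the sensor, then launch the test traffic from the other box while it waits; a "NONE" result before Snort is even involved points at the hub, span port or interface choice rather than at Snort's configuration.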





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

