Snort mailing list archives
Re: Only TCP packets towards the Snort host trigger alerts
From: Doug Burks <doug.burks () gmail com>
Date: Tue, 13 Nov 2012 10:53:45 -0500
Hi Marc,

I think it depends on the network card. Ubuntu 10.04 was enabling offloading features for some NICs:
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

Doug

On Tue, Nov 13, 2012 at 10:37 AM, Rennhard Marc (rema) <rema () zhaw ch> wrote:
This solved it, thanks. It worked without this option with Snort 2.8.5 / Ubuntu 11.04 - it appears Ubuntu has recently enabled checksum offloading.

Cheers,
Marc

On 13. Nov 2012, at 16:08, JJC <cummingsj () gmail com> wrote:

Out of curiosity, are you running with -k none ?

On Tue, Nov 13, 2012 at 7:00 AM, Rennhard Marc (rema) <rema () zhaw ch> wrote:

Dear list members

I'm using Snort for teaching purposes and just updated to Ubuntu 12.04, which implied a Snort update from 2.8.5 to 2.9.2. The new version shows a different behaviour with respect to TCP packet alerting. Using the rule

alert tcp any any -> any any (msg:"ALL"; sid:9999999;)

and communicating over TCP to a service running on the same host as Snort shows (alerted on) all packets in both directions with Snort 2.8.5. But with the new Snort version (2.9.2), only packets towards the server generate an alert. With UDP traffic, all packets are alerted on in both directions with both versions. Has anything changed with respect to alerting on TCP packets between these two versions?

Thanks for any help,
Marc

Prof. Dr. Marc Rennhard
ZHAW Zuercher Hochschule für Angewandte Wissenschaften
InIT Institut fuer angewandte Informationstechnologie
Head of the Information Security focus area
Steinberggasse 13 / Postfach / CH-8401 Winterthur
Phone: +41 58 934-7245 / Fax: +41 58 935-7245
PGP-KeyID: 84AEB193, PGP encrypted mail welcome
--
Doug Burks
http://securityonion.blogspot.com
------------------------------------------------------------------------------ Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
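The mechanism behind the -k none fix discussed in this thread, as an added example that is not code from the thread or from Snort: a minimal model of how TX checksum offloading leaves an outbound TCP segment with an unfinished checksum at the moment a sniffer on the sending host captures it, and why Snort's checksum verification (the default, -k all) then discards that segment before any rule runs while -k none lets it through. Addresses, ports and payloads are constructed, and the "partial sum" placeholder is modelled on Linux TX checksum offload, not taken from the page.

```python
import struct

# Constructed addresses for the demonstration: the Snort host and a remote client.
SNORT_HOST = bytes([192, 0, 2, 10])
CLIENT = bytes([192, 0, 2, 20])

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (end-around carry) used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))

def build_segment(src_ip, dst_ip, sport, dport, payload, offloaded):
    """TCP header + payload. With offloaded=True the checksum field holds only the
    pseudo-header partial sum that the NIC is expected to complete (modelled on Linux
    TX checksum offload); a sniffer on the sending host captures exactly those bytes."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    if offloaded:
        csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, seg))
    else:
        csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, seg) + seg)) & 0xFFFF
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def checksum_valid(src_ip, dst_ip, segment) -> bool:
    """Receiver-side check: pseudo-header + segment (checksum included) sums to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, segment) + segment) == 0xFFFF

def snort_inspects(src_ip, dst_ip, segment, checksum_mode="all") -> bool:
    """Model of Snort's decoder: under checksum_mode all/tcp a segment with a bad TCP
    checksum is discarded before any rule runs; under none (-k none) it is inspected."""
    if checksum_mode == "none":
        return True
    return checksum_valid(src_ip, dst_ip, segment)

if __name__ == "__main__":
    # Inbound request arrives with a finished checksum; outbound reply is captured
    # before the NIC fills the checksum in, which is the asymmetry seen in the thread.
    inbound = build_segment(CLIENT, SNORT_HOST, 40000, 80, b"GET / HTTP/1.0\r\n\r\n", False)
    outbound = build_segment(SNORT_HOST, CLIENT, 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n", True)
    for mode in ("all", "none"):
        print(mode, "inbound:", snort_inspects(CLIENT, SNORT_HOST, inbound, mode),
              "outbound:", snort_inspects(SNORT_HOST, CLIENT, outbound, mode))
```

Disabling offloading on the capture interface (ethtool) gives Snort correct checksums on both directions; -k none instead tells Snort to stop caring, which also means rules now see segments a real receiver would have discarded.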
Current thread:
- Only TCP packets towards the Snort host trigger alerts Rennhard Marc (rema) (Nov 13)
- Re: Only TCP packets towards the Snort host trigger alerts JJC (Nov 13)
- Re: Only TCP packets towards the Snort host trigger alerts Rennhard Marc (rema) (Nov 13)
- Re: Only TCP packets towards the Snort host trigger alerts James Lay (Nov 13)
- Re: Only TCP packets towards the Snort host trigger alerts Doug Burks (Nov 13)
- Re: Only TCP packets towards the Snort host trigger alerts Rennhard Marc (rema) (Nov 13)
- Re: Only TCP packets towards the Snort host trigger alerts JJC (Nov 13)