Snort mailing list archives

Snort only partially alerting.


From: Frank Calone <fc10011001 () gmail com>
Date: Wed, 12 Jun 2013 11:33:58 -0400

Hi.  I am trying to get a new standalone Snort server operational on a
CentOS box.  I have two network cards that Snort is monitoring.  We also
have Snort running on an appliance, supplied by a 3rd party vendor.  Snort
has been useful on the appliance but it doesn’t support session capture,
hence our using a dedicated server.  The problem I’m having is I am
getting alerts on the appliance but not on the full blown Snort server for
the 2 rules we want to focus on.  I have looked at the configuration
settings and I do not see anything that could explain this.  I have turned
up performance monitoring and it actually looks like the new server is
mostly idle (Here is a snapshot from perfmon).

usr[0]   sys[0]   idle[0]
4.752    1.404    93.845
5.768    1.335    92.897
5.562    1.515    92.923
5.607    1.509    92.884


I have essentially the same 2 rules set up on both systems looking for
executable files.  Sometimes both systems will alert, though most of the
time the new server misses the traffic.  Nothing much is showing up in the
syslog either.  I am getting an occasional syslog entry as follows:





Jun 11 16:16:35 security03 snort[11616]: S5: Pruned session from cache that
was using 1060353 bytes (stale/timeout). (redacted).98.242 57787 -->
50.58.123.18 80 (0) : LWstate 0x9 LWFlags 0x41e007

Jun 11 16:17:56 security03 snort[11616]: S5: Pruned session from cache that
was using 1307810 bytes (stale/timeout). (redacted).99.239 65232 -->
152.180.0.17 80 (0) : LWstate 0x9 LWFlags 0x45e007



However, I’ve only had about 10 of these types of messages during a 1.5 hour
interval, though the rate goes up during peak work hours (24 in 1.5 hr).  I
set memcap (at max value) in stream5_global to 1073741824, max_tcp 393216 and
stream5_tcp timeout to 600.  To test the alerting, we downloaded an
executable file via web.  Snort on the appliance alerted but Snort on the
server did not.  There were no errors in Syslog at the time of the
download.  Our server has 4 GB main memory and 4 dual processors.  Help
please.



Frank
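As an added, stand-alone example (not part of Frank's post or of the Snort project), a small Python parser for the Stream5 "S5: Pruned session" syslog lines quoted above, to measure how often pruning happens, for what reason, and how many sessions of the observed average size the configured memcap could hold before it is exhausted. It assumes each entry is a single syslog line (the mail client wrapped them), uses constructed RFC 1918 addresses in place of the redacted client addresses, and takes the memcap (1073741824) and the 1.5 hour observation window from the post.

```python
import re
from datetime import datetime

# One Stream5 prune entry in the exact layout quoted in the post.
PRUNE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"S5: Pruned session from cache that was using (?P<bytes>\d+) bytes "
    r"\((?P<reason>[^)]+)\)\. (?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+) "
    r"\(\d+\) : LWstate (?P<lwstate>0x[0-9a-fA-F]+) LWFlags (?P<lwflags>0x[0-9a-fA-F]+)$"
)

# Constructed sample input: the two entries from the post with the redacted
# client addresses replaced by 10.0.0.0/8 placeholders, plus one unrelated line.
SAMPLE_SYSLOG = """\
Jun 11 16:16:35 security03 snort[11616]: S5: Pruned session from cache that was using 1060353 bytes (stale/timeout). 10.0.98.242 57787 --> 50.58.123.18 80 (0) : LWstate 0x9 LWFlags 0x41e007
Jun 11 16:17:56 security03 snort[11616]: S5: Pruned session from cache that was using 1307810 bytes (stale/timeout). 10.0.99.239 65232 --> 152.180.0.17 80 (0) : LWstate 0x9 LWFlags 0x45e007
Jun 11 16:20:01 security03 snort[11616]: (constructed unrelated line, must be ignored)
"""

def parse_prunes(text, year=2013):
    """Return one dict per S5 prune line; every other line is skipped."""
    events = []
    for line in text.splitlines():
        m = PRUNE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # syslog timestamps carry no year, so the caller supplies it
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        ev["bytes"] = int(ev["bytes"])
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        events.append(ev)
    return events

def summarize(events, window_seconds, memcap):
    """Prune rate over the window, reasons seen, and how many sessions of the
    observed average size would fit in the stream5_global memcap."""
    if not events:
        return {"count": 0, "per_hour": 0.0, "avg_bytes": 0, "reasons": {},
                "sessions_to_fill_memcap": None}
    avg = sum(e["bytes"] for e in events) // len(events)
    reasons = {}
    for e in events:
        reasons[e["reason"]] = reasons.get(e["reason"], 0) + 1
    return {"count": len(events),
            "per_hour": len(events) * 3600 / window_seconds,
            "avg_bytes": avg,
            "reasons": reasons,
            "sessions_to_fill_memcap": memcap // avg}
```

Running `summarize(parse_prunes(SAMPLE_SYSLOG), 5400, 1073741824)` shows the prune reason is stale/timeout rather than memcap pressure, which is the distinction worth checking before raising memcap further.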