Snort mailing list archives

Re: Snort 3 Config File Question (3)


From: Russ via Snort-users <snort-users () lists snort org>
Date: Tue, 25 Jul 2017 00:28:29 -0400

Need more data to help you. Please try a simple test and send the shutdown stats. Also, until you get things going, you might want to try -A cmg instead of unified2. The text output is a little easier to deal with. Since you have DHCP you may want to disable 116:412 which you show below.

On 7/24/17 11:28 PM, Jim Campbell wrote:
I should have added that the Snort IPS is positioned between the DSL modem and the firewall. I just discovered that this is a normal DHCP request. So even though it looks strange it isn't. I still don't understand why Snort is choking off my connection to the internet.

On 7/24/2017 8:50 PM, Jim Campbell wrote:
Problems. While Snort is happy with the new Rules file it is also keeping me from doing anything useful on the internet. Also, the packets it is logging to the Unified2 log are strange. For example:

(Event)
sensor id: 0 event id: 133 event second: 1500926568 event microsecond: 248613
        sig id: 412     gen id: 116     revision: 1 classification: 29
priority: 3 ip source: 0.0.0.0 ip destination: 255.255.255.255 src port: 68 dest port: 67 ip_proto: 17 impact_flag: 0 blocked: 0
        mpls label: 0   vlan id: 0      policy id: 0    appid:

Packet
        sensor id: 0    event id: 133   event second: 1500926568
        packet second: 1500926568       packet microsecond: 248613
        linktype: 1     packet_length: 342
[    0] FF FF FF FF FF FF B0 7F B9 1A 2E FF 08 00 45 10 ..............E.
[   16] 01 48 00 00 00 00 80 11 39 96 00 00 00 00 FF FF .H......9.......
[   32] FF FF 00 44 00 43 01 34 6B 20 01 01 06 00 83 96 ...D.C.4k ......
[   48] 56 5B 00 16 00 00 00 00 00 00 00 00 00 00 00 00 V[..............
[   64] 00 00 00 00 00 00 B0 7F B9 1A 2E FF 00 00 00 00 ................
[   80] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[   96] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  112] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  144] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  208] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  224] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  240] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  256] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  272] 00 00 00 00 00 00 63 82 53 63 35 01 01 37 07 01 ......c.Sc5..7..
[  288] 1C 02 03 0F 06 0C FF 00 00 00 00 00 00 00 00 00 ................
[  304] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  320] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[  336] 00 00 00 00 00 00                                ......

I'm not accustomed to this format and my Ethernet tap is broken. Until I get the parts I have on order to build a new tap so I can get Wireshark on the job, I'm going to have to work on other things. Once I have the new tap built I will put Snort back online and share what I find.

Jim
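The dump above can be read without waiting for a tap. The following is an added example, not code from the list thread or from the Snort project: it rebuilds the frame from the unified2 hex rows (the all-zero rows are left out of the embedded copy and zero-filled from the offsets, which assumes the fixed-width row layout shown above), walks Ethernet, IPv4, UDP and BOOTP, and checks whether the packet is the ordinary client DHCP DISCOVER that Russ describes, which is what makes 116:412 noise on a DHCP-served link.

```python
import struct

# Constructed input: the non-zero rows of the unified2 dump quoted above (zero rows omitted).
DUMP = """\
[    0] FF FF FF FF FF FF B0 7F B9 1A 2E FF 08 00 45 10 ..............E.
[   16] 01 48 00 00 00 00 80 11 39 96 00 00 00 00 FF FF .H......9.......
[   32] FF FF 00 44 00 43 01 34 6B 20 01 01 06 00 83 96 ...D.C.4k ......
[   48] 56 5B 00 16 00 00 00 00 00 00 00 00 00 00 00 00 V[..............
[   64] 00 00 00 00 00 00 B0 7F B9 1A 2E FF 00 00 00 00 ................
[  272] 00 00 00 00 00 00 63 82 53 63 35 01 01 37 07 01 ......c.Sc5..7..
[  288] 1C 02 03 0F 06 0C FF 00 00 00 00 00 00 00 00 00 ................
"""
PACKET_LENGTH = 342  # from the "packet_length: 342" line of the dump
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}

def dump_to_bytes(dump, length):
    """Rebuild the raw frame from '[offset] xx xx ... ascii' rows, zero-filling gaps."""
    frame = bytearray(length)
    for line in dump.splitlines():
        head, _, rest = line.partition("] ")
        offset, row = int(head[1:]), bytes.fromhex(rest[:48])  # hex column: 16 * "xx "
        frame[offset:offset + len(row)] = row
    return bytes(frame)

def parse_dhcp_frame(frame):
    """Walk Ethernet -> IPv4 -> UDP -> BOOTP and pull out the fields that matter."""
    udp = 14 + (frame[14] & 0x0F) * 4           # 14-byte Ethernet header + IHL * 4
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    bootp = udp + 8                             # fixed 8-byte UDP header
    op, hlen = frame[bootp], frame[bootp + 2]   # op 1 = BOOTREQUEST; hlen = MAC length
    chaddr = ":".join(f"{b:02x}" for b in frame[bootp + 28:bootp + 28 + hlen])
    if frame[bootp + 236:bootp + 240] != b"\x63\x82\x53\x63":
        raise ValueError("DHCP magic cookie missing")
    options, i = {}, bootp + 240
    while i < len(frame) and frame[i] != 255:   # 255 = end of options
        if frame[i] == 0:                       # 0 = pad byte, carries no length
            i += 1
            continue
        code, length = frame[i], frame[i + 1]
        options[code] = frame[i + 2:i + 2 + length]
        i += 2 + length
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "op": op, "chaddr": chaddr,
            "msg_type": MSG_TYPES.get(options[53][0]) if 53 in options else None,
            "param_request": list(options.get(55, b""))}

def is_ordinary_client_discover(info):
    """A client with no address yet, broadcasting DISCOVER from port 68 to port 67."""
    return (info["op"] == 1 and info["msg_type"] == "DISCOVER" and info["sport"] == 68
            and info["dport"] == 67 and info["src"] == "0.0.0.0" and info["dst"] == "255.255.255.255")
```

Running `parse_dhcp_frame(dump_to_bytes(DUMP, PACKET_LENGTH))` shows the chaddr matching the Ethernet source MAC and a parameter request list of subnet mask, broadcast, time offset, router, domain name, DNS and hostname, i.e. a client asking for a lease, not something to block.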


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
