Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Quick questions about recieved packets

from [Murali Raju] Network Security [Permanent Link]
Subject: Re: [Snort-users] Quick questions about recieved packets
Date: Wed, 26 Oct 2005 09:38:01 -0400 
Hi Joesph,
Perhaps consider using a different libpcap if you are using Linux? -->
http://public.lanl.gov/cpw/

Cheers,

_Raju

On 10/26/05, Joseph Nicholson <wjnicholson@gmail.com> wrote:


I was afraid of that.
 I have snort plugged into a Cisco 3560G Switch on a mirrored port. I am
mirroring 10 other ports on the switch currently. This is my core switch and
brings about 5 different network segments together. I am using the Official
Snort Rules and the Bleeding Snort Rules. Snort is setup to kick out the
Alerts via Syslog. The local Syslog function in Linux is setup to send the
Alerts to a Syslog appliance that parses all of my logs for me.
 For testing I setup Snort to output Alerts via unified logging and that
didn't help any. I currently have both Tx and Rx being mirrored to my
monitoring port. I tried just Tx and just Rx and got the same result. The
monitor port is a Gigabit port and the monitoring ethernet port is running
at a Gigabit also. On the linux appliance that port is running in
promiscuous mode and has no IP. I have a management interface on the box
also that I use to send the syslog files across and that I log into to
manage the box.
 Any thoughts or suggestions would be appreciated. This is the first
production Sensor I have setup. All my testing sensors apparently didn't
have enough traffic being pushed at them.

 On 10/26/05, Richard Bejtlich <taosecurity@gmail.com> wrote:


Joseph Nicholson wrote:


I see that snort dropped 179457 packets because it couldn't process

them.

Snort received 186246 packets
Analyzed: 6789(3.645%)
Dropped: 179457(96.355%)
My gut instinct is telling me that it dropped 179457 packets because

it

felt there was no threat from them and that the 6789 it analyzed

looked

suspicious.


Hi Joseph,

You have a serious problem with your Snort deployment. The packets
Snort dropped were never inspected, period.

Can you describe your configuration? Are you sending Snort alerts
directly to a database, without Barnyard? Are you running any odd
rules?

Sincerely,

Richard
http://www.taosecurity.com





--
Joseph Nicholson





--
May the packets be with you.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Quick questions about recieved packets, Joseph Nicholson
Next by Date:  RE: [Snort-users] Quick questions about recieved packets, Joshua Berry
Previous by Thread:  Re: [Snort-users] Quick questions about recieved packets, Joseph Nicholson
Next by Thread:  Re: [Snort-users] Quick questions about recieved packets, Bill Parker
Indexes:  [Date] [Thread] [Top] [All Lists]