----- Original Message -----
From: "Richard Bejtlich" <taosecurity@gmail.com>
To: <snort-users@lists.sourceforge.net>
Sent: Wednesday, October 26, 2005 4:06 AM
Subject: Re: [Snort-users] Quick questions about recieved packets
Joseph Nicholson wrote:
I see that snort dropped 179457 packets because it couldn't process them.
Snort received 186246 packets
Analyzed: 6789(3.645%)
Dropped: 179457(96.355%)
My gut instinct is telling me that it dropped 179457 packets because it
felt there was no threat from them and that the 6789 it analyzed looked
suspicious.
Hi Joseph,
You have a serious problem with your Snort deployment. The packets
Snort dropped were never inspected, period.
Can you describe your configuration? Are you sending Snort alerts
directly to a database, without Barnyard? Are you running any odd
rules?
Another thing to consider is the settings on the NIC in the snort device
(assume it's a linux box) and the settings on the SPAN port, you will want
to set the NIC in the snort device to 10/full, 100/full, or 1000/full
(mii-tool or eth-tool as root under linux will give you information as to
what the current settings on the NIC for the snort side is set at). Also
make the SPAN port on the catalyst 10/full, 100/full, or 1000/full (that
should be checked before making any funky changes to snort configuration,
IMO).
Bill
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
