
| Subject: | [Snort-users] Snort's configuration.Thanks!!! |
|---|---|
| Date: | Thu, 4 May 2006 15:25:15 +0200 |
Hi! First of all, thank you for your concern; this is the information that you asked for. The email is a little bit long, I hope it doesn't bore you.

> What version of Snort are you running?
> What version of libpcap are you running?
> Please cut and paste your command line here.
> Please cut and paste your snort.conf here (please remove anything identifiable as internal, e.g. passwords, home_net, etc.)
> Please tell us about your network configuration.
> Please tell us your hardware configuration.

Thank you Joel and rmkml for your disinterested help. The next lines are the responses to these questions:
• Snort configuration: dpkg -l | grep snort

  Snort version: 2.3.3-2.1

• Kernel version: uname -a

  Kernel version: 2.6.13.4

• libpcap version: dpkg -l | grep libpcap

```text
ii libpcap0.7 0.7.2-7 System interface for user-lev
ii libpcap0.8 0.9.4-1 System interface for user-lev
```

But I really don't know which of the two Snort is using, and also don't know how to change it.
• Snort command line:

```sh
sudo snort -b -i eth1 -c /etc/snort/snort.conf -l /etc/snort/ santi_prueba
```

• snort.conf:

I have a conventional configuration file. I will send you all of it except the # comments from the default snort.conf.
```text
#--------------------------------------------------
# $Id: snort.conf,v 1.144.2.11 2005/04/22 19:15:49 jhewlett Exp $
#
###################################################
# Step #1: Set the network variables:
var HOME_NET any #it is written like this because I want to analyze all the packets that I replay from the source
# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
# config detection: search-method lowmem
###################################################
# Step #2: Configure preprocessors
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
preprocessor xlink2state: ports { 25 691 }
####################################################################
# Step #3: Configure output plugins
output log_tcpdump: tcpdump.log
include classification.config
include reference.config
####################################################################
# Step #4: Configure snort with config statements
#
# See the snort manual for a full set of configuration references
config flowbits_size: 256
```
Do I have to write something here for the memcap?
```text
####################################################################
# Step #5: Customize your rule set
#
include $RULE_PATH/p2p.rules
include threshold.conf
```
• Network configuration: My network configuration is very special: I only have two computers, connected through eth1, and the Ethernet card is a Gigabit Ethernet card. I replay some files from one to the other and I analyze how many packets are dropped on the destination computer. That's my main problem: as I increase the replaying rate, the number of dropped packets also increases amazingly, and I don't know why this drop number increases so much.
• Hardware configuration:

• command lspci -v

```text
RAID bus controller: Silicon Image, Inc. (formerly CMD Technology Inc) SiI 3114 [SATALink/SATARaid] Serial ATA Controller (rev 02)
        Subsystem: Asustek Computer, Inc.: Unknown device 8167
        Flags: bus master, 66MHz, medium devsel, latency 32, IRQ 5
        I/O ports at 9000 [size=8]
        I/O ports at 9400 [size=4]
        I/O ports at 9800 [size=8]
        I/O ports at 9c00 [size=4]
        I/O ports at a000 [size=16]
        Memory at d9004000 (32-bit, non-prefetchable) [size=1K]
        Expansion ROM at 40000000 [disabled] [size=512K]

Ethernet controller: Marvell Technology Group Ltd. Yukon Gigabit Ethernet 10/100/1000Base-T Adapter (rev 13)
        Subsystem: Asustek Computer, Inc.: Unknown device 811a
        Flags: bus master, 66MHz, medium devsel, latency 32, IRQ 3
        Memory at d9000000 (32-bit, non-prefetchable) [size=16K]
        I/O ports at a400 [size=256]
        Expansion ROM at 40080000 [disabled] [size=128K]
```

• command cat /proc/…. cpuinfo

```text
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 15
model           : 47
model name      : AMD Athlon(tm) 64 Processor 3500+
stepping        : 2
cpu MHz         : 2211.520
cache size      : 512 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
```

meminfo

```text
MemTotal:       905476 kB
MemFree:        360080 kB
Buffers:        127472 kB
Cached:         255772 kB
```
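One thing worth checking in the posted snort.conf is the pair `var HOME_NET any` / `var EXTERNAL_NET !$HOME_NET`: EXTERNAL_NET resolves to `!any`, which Snort either rejects at load time or treats as matching no address (depending on version), so rules written as `$EXTERNAL_NET -> $HOME_NET` never fire. The script below is an added example, not code from this thread or from the Snort project; it resolves the `$VAR` chain the way Snort substitutes variables and flags that case. The sample conf text is constructed from the variable lines posted above, and the `!any` interpretation is an assumption noted in the code.

```python
import re

# Constructed sample built from the variable lines of the snort.conf posted
# above (HOME_NET set to "any", exactly as the author did).
SAMPLE_CONF = """\
# Step #1: Set the network variables:
var HOME_NET any #it is written like this because I want to analyze all the packets
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var RULE_PATH /etc/snort/rules
"""

VAR_LINE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")


def parse_vars(conf_text):
    """Collect 'var NAME VALUE' directives; '#' comments and other lines are skipped."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comment
        m = VAR_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def resolve(name, variables, _chain=()):
    """Expand every $REF in a variable's value, as Snort does at load time."""
    if name in _chain:
        raise ValueError("circular reference: " + " -> ".join(_chain + (name,)))
    if name not in variables:
        raise KeyError("undefined variable $" + name)
    return re.sub(r"\$(\w+)",
                  lambda m: resolve(m.group(1), variables, _chain + (name,)),
                  variables[name])


def check_external_net(variables):
    """Warn when EXTERNAL_NET ends up as '!any' (assumption: Snort 2.x either
    rejects '!any' or treats it as matching nothing, so such rules never fire)."""
    if resolve("EXTERNAL_NET", variables).lower() == "!any":
        return "EXTERNAL_NET resolves to !any; use 'var EXTERNAL_NET any' when HOME_NET is any"
    return None


if __name__ == "__main__":
    v = parse_vars(SAMPLE_CONF)
    for name in sorted(v):
        print(name, "=", resolve(name, v))
    print(check_external_net(v))
```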