
Snort Forums Archive


Unable to capture TCP Traffic alert


Posted by Kelve on October 02, 2006 11:10:42

Hello,

I'm running snort 2.6 and barnyard .2 on SUSE Linux 10.1

I'm able to capture ICMP and UDP traffic alerts but not TCP.

These are the alerts in my local.rules file:

alert icmp any any -> any any (msg:"ICMP Test"; sid:10000001;)
alert udp any any -> any any (msg:"UDP Test"; sid:10000002;)
alert tcp any any -> any any (msg:"TCP Test"; sid:10000003;)


I have it log to both barnyard (MYSQL) and syslog.

This is what the logging options in my snort.conf look like:

output alert_syslog: LOG_AUTH LOG_ALERT

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
#include $RULE_PATH/local.rules


This is what the logging option in my barnyard.conf looks like:

output log_acid_db: mysql, database snort, server localhost, user snort, password snortpassword, detail full


I can see the UDP and ICMP alerts in both MySQL and syslog but not TCP.

I did a tcpdump on the snort machine and am able to see FTP, SSH, and web traffic hitting it, but there is no alert generated.

Please help.........


Posted by Kelve on October 02, 2006 11:13:10

Oh I forgot. This is the command I'm running for snort:

/usr/local/bin/snort -Dq -u snort -g snort -c /etc/snort/snort.conf -I



Posted by akeeton on October 03, 2006 08:47:56

This is most likely an issue with strict aliasing in GCC 4.x.x.

Using -O2 in GCC 4.x.x breaks our TCP checksumming. Using -fno-strict-aliasing fixes the problem.

Try running snort with "-k none", which causes Snort to ignore failed checksums. If that fixes it, you can recompile with -fno-strict-aliasing in your CFLAGS to get rid of the problem.

Alternatively, you can try the latest beta or check out a copy from CVS, which disables strict aliasing in the makefile if you're using a 4.x.x compiler.
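An added example (not from this thread and not Snort's own code) of the gate akeeton's reply describes: a segment whose TCP checksum does not verify is discarded before rule matching, so a broken checksum routine silently hides all TCP alerts, while "-k none" skips the check. The packet bytes, addresses and function names below are constructed for the example.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, tcp_segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, TCP length)
    plus the TCP header and payload, with the checksum field treated as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp_segment))
    zeroed = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def tcp_checksum_ok(ipv4_packet: bytes) -> bool:
    """True if the checksum carried in the TCP header matches the recomputed one."""
    ihl = (ipv4_packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    src, dst = ipv4_packet[12:16], ipv4_packet[16:20]
    seg = ipv4_packet[ihl:]
    return struct.unpack("!H", seg[16:18])[0] == tcp_checksum(src, dst, seg)

def would_reach_rules(ipv4_packet: bytes, verify_checksums: bool = True) -> bool:
    """Model of the gate: with verification on (the default) a bad-checksum segment
    never reaches rule matching; with it off (the effect of '-k none') it always does."""
    return (not verify_checksums) or tcp_checksum_ok(ipv4_packet)

def build_packet(payload: bytes = b"SSH-2.0-constructed\r\n", corrupt: bool = False) -> bytes:
    """Constructed IPv4 + TCP packet (10.0.0.1:40000 -> 10.0.0.2:22, PSH/ACK).
    The IP header checksum is left zero; only the TCP checksum matters here."""
    src_b, dst_b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    csum = tcp_checksum(src_b, dst_b, tcp)
    if corrupt:
        csum ^= 0x0001  # flip one bit, as a faulty checksum routine or NIC offload might
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    return ip + tcp

if __name__ == "__main__":
    for label, pkt in (("good", build_packet()), ("bad", build_packet(corrupt=True))):
        print(label, "checksum ok:", tcp_checksum_ok(pkt),
              "reaches rules (verify on):", would_reach_rules(pkt),
              "reaches rules (-k none):", would_reach_rules(pkt, verify_checksums=False))
```

Running the same check over a capture taken on the sensor separates "the packets really have bad checksums" (for instance from NIC offload) from "the sensor's verification is wrong", which is the distinction the reply above relies on.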