Snort Forums Archive
Is it possible Snort can miss detecting an interesting packet?
Posted by johnnydepp74 on October 13, 2006 19:02:06
Hi,
Is it possible that Snort can miss detecting an interesting packet? I ran nmap twice within 10 secs, i.e. one immediately after the other, and Snort seems to pick up only the packets from the first nmap execution; it didn't log the second nmap execution.
I installed barnyard 0.2.0 and snort 2.6, so I ran Snort with the following command:
# /usr/local/bin/snort -de -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
which writes to the snort.log. file in the /var/log/snort/ folder.
I ran barnyard:
# /usr/local/bin/barnyard -d /var/log/snort/ -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -f snort.log -L /var/log/snort/output -p /etc/snort/classification.config
barnyard is writing to the /var/log/snort/output/logdump.ids file from the snort.log. file.
ls -l /var/log/snort/ shows that the snort.log. file size only increases once if I run nmap twice within, say, 10 secs.
Funny, Snort didn't say it dropped any packets. Thanks.

Posted by duh on October 16, 2006 06:27:23
Are you going through a firewall or NAT with nmap? Sometimes Cisco PIXes will not let connections go through on NATs, under certain circumstances.

Posted by johnnydepp74 on October 16, 2006 07:17:27
Hi duh,
I am using a local Cisco switch with one "attacker" and one "victim" connected to it, where the victim is also the Snort sensor.
I just carried out a further test just now... hmmm... there seems to be a pattern. I nmap from PC A (attacker) to PC B (victim).
1st nmap -> Snort picked up
2nd nmap (immediately after 1st) -> Snort didn't pick up
3rd nmap (immediately after 2nd) -> didn't pick up
4th nmap (immediately after 3rd) -> Snort picked up again
I repeated the same test; it seems to be at the 4th or 5th attempt that the sensor will log the packets again.
Goodness, is there some sort of setting I may have missed?
Rgds
John

Posted by duh on October 17, 2006 07:01:04
Does Snort show any outstanding packets? What nmap speed are you using? Does slowing down the scan itself change the results?

Posted by johnnydepp74 on October 19, 2006 05:55:57
Oooo...
Outstanding packets yes, dropped packets no, and I get confused between the terms outstanding and dropped packets. What's the difference?
And how do I check what my nmap speed is? I don't think slowing down will help, because I've read somewhere that the reason Snort doesn't report duplicate alerts is to prevent a sudden large increase in the size of the alert logs.

Posted by duh on October 19, 2006 07:59:42
Outstanding means they are still in the buffer and haven't been gotten to.
Dropped means just that: they were not checked and were just dropped.
If you are using the nmap GUI, the Timing tab has a drop-down for speed/throttle.
At the command line, use -TX where X is a number from 0 to 5, 5 being the fastest and 0 the slowest.

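A small helper script, added here as an example and not posted by either participant, that ties the two checks from this thread together: it tells the "dropped" and "outstanding" counters apart by parsing Snort's shutdown packet summary, and it measures whether the newest snort.log.* file grew after a scan at a given -T timing template. The summary block embedded below is constructed, not captured from the poster's sensor, and the script assumes Snort 2.x prints the counters as "Analyzed:", "Dropped:" and "Outstanding:" lines; the function, variable and file names are the example's own.

```sh
#!/bin/sh
# Added example, not code from the original thread.
# Assumption: Snort 2.x prints its shutdown packet summary with lines such as
#     Dropped: 0(0.000%)
#     Outstanding: 14(3.398%)
# The block below is a constructed sample in that shape.

SAMPLE_SUMMARY=$(cat <<'EOF'
===============================================================================
Snort received 412 packets
    Analyzed: 398(96.602%)
    Dropped: 0(0.000%)
    Outstanding: 14(3.398%)
===============================================================================
EOF
)

# Print the integer for one counter ("Dropped", "Outstanding", "Analyzed").
# Reads the summary on stdin; prints nothing if the counter is absent.
stat_count() {
    awk -v key="$1:" '$1 == key { split($2, a, "("); print a[1]; exit }'
}

# Classify a summary read on stdin. Prints:
#   dropped     - packets were never inspected (Snort could not keep up)
#   outstanding - packets were still queued in the capture buffer at shutdown
#   clean       - neither counter is non-zero
# "dropped" wins when both are non-zero, since those packets are lost for good.
classify_summary() {
    summary=$(cat)
    dropped=$(printf '%s\n' "$summary" | stat_count Dropped)
    outstanding=$(printf '%s\n' "$summary" | stat_count Outstanding)
    if [ "${dropped:-0}" -gt 0 ]; then
        echo dropped
    elif [ "${outstanding:-0}" -gt 0 ]; then
        echo outstanding
    else
        echo clean
    fi
}

# Size in bytes of the newest snort.log.* unified log in directory $1
# (the file the poster watched with ls -l); 0 if there is none.
newest_log_size() {
    f=$(ls -t "$1"/snort.log.* 2>/dev/null | head -n 1)
    if [ -n "$f" ]; then
        wc -c < "$f" | tr -d ' '
    else
        echo 0
    fi
}

# Run one nmap scan at timing template -T$2 against $1 and report whether the
# newest unified log under $3 grew. Needs nmap and a running Snort sensor, so it
# is only defined here, not executed by the demo at the bottom.
scan_and_watch() {
    before=$(newest_log_size "$3")
    nmap -T"$2" "$1" >/dev/null 2>&1
    sleep 2   # give Snort a moment to write the record
    after=$(newest_log_size "$3")
    if [ "$after" -gt "$before" ]; then
        echo "T$2: logged ($before -> $after bytes)"
    else
        echo "T$2: nothing new logged"
    fi
}

# Demo on the constructed summary: prints "outstanding".
printf '%s\n' "$SAMPLE_SUMMARY" | classify_summary
```

To use it against a live sensor, stop Snort and pipe its shutdown output through classify_summary, or loop over timing templates with something like `for t in 0 1 2 3 4 5; do scan_and_watch 192.0.2.10 "$t" /var/log/snort; done` (target and directory are placeholders) to see whether slower scans change which runs get logged. A "clean" verdict with a log that still did not grow points away from capture-buffer pressure and toward Snort's own alerting or threshold configuration.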