README.counts
Snort does a lot of work and outputs some useful statistics when it is done.
Many of these are self-explanatory. The others are summarized below. This
does not include all possible output data, just the basics.
-----------------
Timing Statistics
-----------------
This section provides basic timing statistics. It includes total seconds and
packets as well as packet processing rates. Each rate is computed by dividing
the packet count by a whole number of units (whole seconds, whole minutes,
etc.), not by the fractional run time, and a rate is only printed when its
unit count is non-zero. In the example below, 3716022 packets over 175 whole
seconds gives Pkts/sec 21234, and over 2 whole minutes gives Pkts/min 1858011;
Pkts/hr is absent because the run lasted less than an hour.
Example:
===============================================================================
Run time for packet processing was 175.856509 seconds
Snort processed 3716022 packets.
Snort ran for 0 days 0 hours 2 minutes 55 seconds
   Pkts/min:      1858011
   Pkts/sec:        21234
===============================================================================
-----------------
Packet I/O Totals
-----------------
This section shows basic packet acquisition and injection peg counts obtained
from the DAQ. If you are reading pcaps, the totals are for all pcaps combined,
unless you use --pcap-reset, in which case it is shown per pcap.
* Outstanding indicates how many packets are buffered awaiting processing. The
way this is counted varies per DAQ so the DAQ documentation should be
consulted for more info.
* Filtered packets are not shown for pcap DAQs.
* Injected packets are the result of active response which can be configured for
inline or passive modes.
Example:
===============================================================================
Packet I/O Totals:
   Received:      3716022
   Analyzed:      3716022 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
-------------------
Protocol Statistics
-------------------
Traffic for all the protocols decoded by Snort is summarized in the breakdown
section. This traffic includes internal "pseudo-packets" if preprocessors such
as frag3 and stream5 are enabled so the total may be greater than the number of
analyzed packets in the packet I/O section.
* Disc counts are discards due to basic encoding integrity flaws that prevent
Snort from decoding the packet.
* Other includes packets that contained an encapsulation that Snort doesn't
decode.
* S5 G 1 and S5 G 2 are the number of client-side and server-side sessions,
respectively, that stream5 flushed due to the cache limit, a session timeout,
or a session reset.
Example:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:      3722347 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:      1782394 ( 47.884%)
       Frag:         3839 (  0.103%)
       ICMP:        38860 (  1.044%)
        UDP:       137162 (  3.685%)
        TCP:      1619621 ( 43.511%)
        IP6:      1781159 ( 47.850%)
    IP6 Ext:      1787327 ( 48.016%)
   IP6 Opts:         6168 (  0.166%)
      Frag6:         3839 (  0.103%)
      ICMP6:         1650 (  0.044%)
       UDP6:       140446 (  3.773%)
       TCP6:      1619633 ( 43.511%)
     Teredo:           18 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:          202 (  0.005%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:          202 (  0.005%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:       104840 (  2.817%)
        IPX:           60 (  0.002%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:         1385 (  0.037%)
  ICMP Disc:            0 (  0.000%)
All Discard:         1385 (  0.037%)
      Other:        57876 (  1.555%)
Bad Chk Sum:        32135 (  0.863%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:         1494 (  0.040%)
     S5 G 2:         1654 (  0.044%)
      Total:      3722347
===============================================================================
-----------------------------
Actions, Limits, and Verdicts
-----------------------------
Action and verdict counts show what Snort did with the packets it analyzed.
This information is only output in IDS mode (when snort is run with the -c
<conf> option).
* Alerts is the number of activate, alert, and block actions processed as
determined by the rule actions. Here block includes block, drop, and reject
actions.
Limits arise from real-world constraints on processing time and available
memory. A non-zero limit count means that a rule match or event was discarded
and never became an alert, so these are the actions that did not happen:
* Match Limit > 0 means that rule matches were not processed due to the
config detection: max_queue_events setting. The default is 5.
* Queue Limit > 0 means that events couldn't be stored in the event queue
due to the config event_queue: max_queue setting. The default is 8.
* Log Limit > 0 means that events were not alerted due to the
config event_queue: log setting. The default is 3.
* Event Limit > 0 means that events were not alerted due to event_filter
limits.
* Alert Limit > 0 means that events were not alerted because they already
were triggered on the session.
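The snort.conf directives behind the first three limit counters, shown here as an added example that is not taken from the Snort distribution. The defaults stated above are noted in comments; the raised values are illustrative rather than recommended, since larger queues cost memory and CPU on every packet that matches many rules, and the search-method is whatever the existing configuration already uses:

```conf
# Match limit: rule matches queued per packet for full evaluation.
# Default max_queue_events is 5; a packet matching 6 rules shows Match > 0.
# search-method is given because the option shares one config detection line.
config detection: search-method ac-bnfa max_queue_events 16

# Queue limit: events held per packet (max_queue, default 8).
# Log limit: events actually alerted/logged from that queue (log, default 3).
# order_events decides which events survive when the queue overflows.
config event_queue: max_queue 16 log 8 order_events priority
```

After changing these, rerun against the same pcap and confirm that the Match, Queue and Log counters under Limits return to zero; if they do not, the traffic is matching more rules per packet than the queues hold and the rule set itself needs attention.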
Verdicts are rendered by Snort on each packet:
* Allow = packets Snort analyzed and did not take action on.
* Block = packets Snort did not forward, e.g. due to a block rule. "Block" is
used instead of "Drop" to avoid confusion between dropped packets (those
Snort didn't actually see) and blocked packets (those Snort did not allow to
pass).
* Replace = packets Snort modified, for example, due to normalization or
replace rules. This can only happen in inline mode with a compatible DAQ.
* Whitelist = packets that caused Snort to allow a flow to pass w/o inspection
by any analysis program. Like blacklist, this is done by the DAQ or by Snort
on subsequent packets.
* Blacklist = packets that caused Snort to block a flow from passing. This is
the case when a block TCP rule fires. If the DAQ supports this in hardware,
no further packets will be seen by Snort for that session. If not, Snort
will block each packet itself and this count will be higher.
* Ignore = packets that caused Snort to allow a flow to pass w/o inspection
by this instance of Snort. Like blacklist, this is done by the DAQ or by
Snort on subsequent packets.
* Int Blklst = packets that are GTP, Teredo, 6in4 or 4in6 encapsulated that
are being blocked. These packets could get the Blacklist verdict if
config tunnel_verdicts was set for the given protocol. Note that these
counts are output only if non-zero. Also, this count is incremented on
the first packet in the flow that alerts. The alerting packet and all
following packets on the flow will be counted under Block.
* Int Whtlst = packets that are GTP, Teredo, 6in4 or 4in6 encapsulated that
are being allowed. These packets could get the Whitelist verdict if
config tunnel_verdicts was set for the given protocol. Note that these
counts are output only if non-zero. Also, this count is incremented
for all packets on the flow starting with the alerting packet.
Example:
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:      3716022 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
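The following Python script is an added example, not part of Snort or of this README. It parses the four blocks above exactly as Snort prints them, recomputes the whole-unit rates described under Timing Statistics, derives the rebuilt pseudo-packet count from the protocol Total versus Analyzed, and flags the counters that mean traffic or events escaped inspection: Dropped and Outstanding packets, any non-zero Limit, and decoder discards. The SAMPLE text is constructed from this README's numbers with the Queue limit changed to 7 so that one finding fires; section and counter names are matched on the header text as Snort prints it, and the function and variable names are this example's own.

```python
"""Parse the counters Snort prints at exit and flag signs of lost visibility.
Added example, not part of Snort. SAMPLE is constructed from this README's
numbers, with the Queue limit set to 7 so that one finding fires.
"""

import re

SAMPLE = """\
===============================================================================
Run time for packet processing was 175.856509 seconds
Snort processed 3716022 packets.
   Pkts/min:      1858011
   Pkts/sec:        21234
===============================================================================
Packet I/O Totals:
   Received:      3716022
   Analyzed:      3716022 (100.000%)
    Dropped:            0 (  0.000%)
Outstanding:            0 (  0.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:      3722347 (100.000%)
All Discard:         1385 (  0.037%)
      Total:      3722347
===============================================================================
Limits:
      Match:            0
      Queue:            7
Verdicts:
      Allow:      3716022 (100.000%)
"""

HEADER = re.compile(r"^\s*([^:]+):\s*$")                    # e.g. "Limits:"
COUNTER = re.compile(r"^\s*(.+?):\s+(\d+)(?:\s+\(\s*[\d.]+%\))?\s*$")  # "Name: n (p%)"
RUN_TIME = re.compile(r"Run time for packet processing was ([\d.]+) seconds")
PROCESSED = re.compile(r"Snort processed (\d+) packets")


def parse_counts(text):
    """Return {'timing': {...}, '<section header>': {counter name: int}}."""
    stats = {"timing": {}}
    section_name = "timing"  # Pkts/sec and Pkts/min print before any header
    for line in text.splitlines():
        m = RUN_TIME.search(line)
        if m:
            stats["timing"]["run_time"] = float(m.group(1))
            continue
        m = PROCESSED.search(line)
        if m:
            stats["timing"]["processed"] = int(m.group(1))
            continue
        m = HEADER.match(line)
        if m:
            section_name = m.group(1).strip()
            stats.setdefault(section_name, {})
            continue
        m = COUNTER.match(line)
        if m:
            stats[section_name][m.group(1).strip()] = int(m.group(2))
    return stats


def section(stats, prefix):
    """Look a section up by the start of its header text."""
    return next((c for name, c in stats.items() if name.startswith(prefix)), {})


def expected_rates(run_time, processed):
    """Recompute the rates as the README describes them: whole seconds and
    whole minutes as divisors, and a rate only when its divisor is non-zero
    (so a 30 second run reports no Pkts/min at all)."""
    whole_sec = int(run_time)
    whole_min = whole_sec // 60
    rates = {}
    if whole_sec:
        rates["Pkts/sec"] = processed // whole_sec
    if whole_min:
        rates["Pkts/min"] = processed // whole_min
    return rates


def rebuilt_pseudo_packets(stats):
    """Protocol Total minus Analyzed: the frag3/stream5 pseudo-packets."""
    return (section(stats, "Breakdown by protocol").get("Total", 0)
            - section(stats, "Packet I/O Totals").get("Analyzed", 0))


def health_checks(stats):
    """Counters that mean packets or events never reached detection or alerting."""
    findings = []
    io = section(stats, "Packet I/O Totals")
    received = io.get("Received", 0) or 1  # avoid division by zero on empty runs
    for key in ("Dropped", "Outstanding"):
        if io.get(key, 0):
            pct = 100.0 * io[key] / received
            findings.append(f"{key}: {io[key]} packets ({pct:.3f}%) were not analyzed")
    for key, n in section(stats, "Limits").items():
        if n:
            findings.append(f"{key} limit hit {n} times: matches or events dropped before alerting")
    discarded = section(stats, "Breakdown by protocol").get("All Discard", 0)
    if discarded:
        findings.append(f"{discarded} packets discarded by the decoder as malformed")
    return findings
```

Feed it the tail of a real run (`snort -c snort.conf -r capture.pcap 2>&1 | tail -n 120`) and treat any finding as a gap in coverage rather than a statistics curiosity: a Dropped or Outstanding count is traffic the rules never saw, and a Limit count is a detection that fired but was thrown away before it could alert.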