Snort mailing list archives
snort not seeing udp through ppp0?
From: John Sage <jsage () finchhaven com>
Date: Mon, 21 May 2001 23:41:13 -0700
I'm thinking that snort is not seeing udp, but only tcp and icmp, when looking at ppp0...
Here's what I'm seeing:

This is xntpd talking to a timeserver via udp:

tcpdump -vv -i ppp0:
23:10:56.065915 < 207.202.190.162.ntp > 12.82.128.140.ntp: v3 server strat 2 poll 10 prec -16 dist 0.054214 disp 0.029846 ref 204.123.2.5@3199499888.680651009 orig 3199500655.815912246 rec +0.124780751 xmt +0.125273749 (ttl 49, id 44530)

Then query snort:

# snort -dv -r snort-0521@2242.log udp port 123 |more
Snort processed 0 packets.
Breakdown by protocol:                Action Stats:
  TCP: 0          (0.000%)            ALERTS: 0
  UDP: 0          (0.000%)            LOGGED: 0

And this is a whois query via tcp:

tcpdump -vv -i ppp0:
23:14:51.179084 < 192.149.252.22.whois > 12.82.128.140.61779: . 763:763(0) ack 17 win 10136 <nop,nop,timestamp 238692337 272116656> (DF) (ttl 239, id 33774)

Then query snort:

# snort -dv -r snort-0521@2242.log tcp port 43 |more
05/21-22:59:31.154608 192.168.1.5:2042 -> 192.149.252.21:43
TCP TTL:64 TOS:0x0 ID:56545 IpLen:20 DgmLen:60 DF
******S* Seq: 0xA20E3D7F  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 272024672 0 NOP WS: 0

Snort processed 24 packets.
Breakdown by protocol:                Action Stats:
  TCP: 24         (100.000%)          ALERTS: 0
  UDP: 0          (0.000%)            LOGGED: 0

And it's seeing icmp:

tcpdump -vv -i ppp0:
23:26:34.848521 < 216.32.192.136 > 12.82.128.140: icmp: echo reply (ttl 242, id 16173)

snort query:

05/21-23:26:44.860006 216.32.192.136 -> 192.168.1.5
ICMP TTL:241 TOS:0x0 ID:17321 IpLen:20 DgmLen:84
Type:0  Code:0  ID:10333   Seq:5120  ECHO REPLY
AA 06 0A 3B 3D C0 09 00 08 09 0A 0B 0C 0D 0E 0F  ...;=...........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

Snort processed 227 packets.
Breakdown by protocol:                Action Stats:
  TCP: 0          (0.000%)            ALERTS: 0
  UDP: 0          (0.000%)            LOGGED: 0
  ICMP: 227       (100.000%)          PASSED: 0

Snort command line:

19007 tty4 S 0:00 /usr/bin/snort -b -l /var/log/snort/

and it's clearly working:

[toot@sparky /var/log/snort]# ls -lat
total 180
-rw-------   1 root     root       179085 May 21 23:18 snort-0521@2242.log
drwxr-xr-x   2 root     root         1024 May 21 22:42 .
drwxr-xr-x  13 root     root         3072 May 21 04:02 ..
[toot@sparky /var/log/snort]#

What am I missing?

Thnx..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
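An added example, not part of John's post and not Snort's own code: a small Python checker that reads a libpcap file such as the Snort `-b` binary log and reports the protocol breakdown, the IP addresses present, and how many records match a `<proto> port <n>` filter like the `udp port 123` query above. The two sample logs are constructed for the example: one models what tcpdump on ppp0 printed (raw IP, public address 12.82.128.140), the other what a sensor listening on the LAN interface would record (Ethernet, private address 192.168.1.5), so the `hosts` list tells you which interface a given log actually came from. Handling only Ethernet and raw-IP link types is an assumption of this example; PPP and other link-layer encapsulations are not decoded.

```python
"""Inspect a libpcap file (e.g. a Snort -b binary log): protocol breakdown,
addresses seen, and matches for a "<proto> port <n>" filter.
Added example with constructed sample packets; not part of the original post."""
import struct
import ipaddress

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101            # raw IPv4, no link-layer header (assumption: only these two handled)
PCAP_MAGIC = 0xA1B2C3D4


def _checksum(b):
    """RFC 1071 one's-complement checksum."""
    if len(b) % 2:
        b += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(b) // 2), b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_packet(proto, src, dst, payload, ttl=64):
    """Minimal IPv4 header (no options, DF set) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def udp_segment(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data   # checksum 0 = none


def tcp_segment(sport, dport, flags=0x02):
    """20-byte TCP header, data offset 5, no payload (SYN by default)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0xA20E3D7F, 0, 5 << 4, flags, 0x7D78, 0, 0)


def icmp_echo_reply(ident, seq, data):
    body = struct.pack("!BBHHH", 0, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", _checksum(body)) + body[4:]


def ethernet_frame(ip_packet):
    # constructed MAC addresses; EtherType 0x0800 = IPv4
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip_packet


def build_pcap(linktype, packets):
    """Serialise frames into a little-endian pcap 2.4 file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 990508800 + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def iter_records(data):
    """Yield (linktype, timestamp, frame) per record; accepts either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield linktype, ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl


def decode_ipv4(linktype, frame):
    """Return (proto_name, src, dst, sport, dport) or None for non-IPv4 frames."""
    if linktype == LINKTYPE_ETHERNET:
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            return None
        ip = frame[14:]
    elif linktype == LINKTYPE_RAW:
        ip = frame
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto, l4 = ip[9], ip[ihl:]
    src, dst = str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("TCP" if proto == 6 else "UDP", src, dst, sport, dport)
    return ("ICMP" if proto == 1 else "OTHER", src, dst, None, None)


def summarize(data, proto=None, port=None):
    """Per-protocol counts, all hosts seen, and records matching "<proto> port <port>"
    (port matches either end). With no filter, every IPv4 record counts as matched."""
    counts = {"TCP": 0, "UDP": 0, "ICMP": 0, "OTHER": 0}
    hosts, matched, total = set(), 0, 0
    for linktype, _ts, frame in iter_records(data):
        total += 1
        d = decode_ipv4(linktype, frame)
        if d is None:
            continue
        name, src, dst, sport, dport = d
        counts[name] += 1
        hosts.update((src, dst))
        if proto is not None and name != proto.upper():
            continue
        if port is not None and port not in (sport, dport):
            continue
        matched += 1
    return {"total": total, "matched": matched, "counts": counts, "hosts": sorted(hosts)}


# Constructed sample logs modelled on the post: raw IP as seen on ppp0 (public address)
# versus Ethernet frames as a sensor on the LAN side would log them (private address).
PPP_LOG = build_pcap(LINKTYPE_RAW, [
    ipv4_packet(17, "207.202.190.162", "12.82.128.140",
                udp_segment(123, 123, b"\x1c" + b"\x00" * 47), ttl=49),
])
LAN_LOG = build_pcap(LINKTYPE_ETHERNET, [
    ethernet_frame(ipv4_packet(6, "192.168.1.5", "192.149.252.21", tcp_segment(2042, 43))),
    ethernet_frame(ipv4_packet(1, "216.32.192.136", "192.168.1.5",
                               icmp_echo_reply(10333, 5120, bytes(range(56))), ttl=241)),
])

if __name__ == "__main__":
    for name, log in (("ppp0-style log", PPP_LOG), ("LAN-side log", LAN_LOG)):
        s = summarize(log, "udp", 123)
        print(name, "udp port 123 matched", s["matched"], "of", s["total"],
              "| breakdown", s["counts"], "| hosts", s["hosts"])
```

Run it against a real `snort -b` file by replacing the constructed logs with `open(path, "rb").read()`; if the `hosts` list never contains the address tcpdump showed on the interface you care about, the log was not captured there, whatever the filter says.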