Snort mailing list archives
Problems with eth1?
From: "Jason Smith" <jsmith () firstcellular com>
Date: Fri, 26 Oct 2001 10:34:58 -0500
Hello all,

Here's the problem. I have a Linux box running Redhat 7.1 w/ 2.4.6. It has two nics, both Intel eepro100's. They are both monitoring different segments of the network. One is on the inside of the firewall and one is on the outside. The problem interface is the outside one. I am getting no alerts, and haven't for the last week or so. I do have some simple rules that should be tripped every now and then, but I'm not even getting those. The internal interface does log those rules, so I know the traffic is there.

The output below is from running snort -dev -i eth1. If I do this but on eth0, traffic just flies by. I'm thinking there is something wrong with the network card. Hopefully the output below helps. I have also checked the dmesg log, and configured syslog to log all kernel messages to /var/log/kernel, and neither of these has logged anything suspicious. Any help is greatly appreciated. Also, if you have any other questions let me know.

Thanks
Jason Smith

<snip>
10/26-09:28:50.870406 ARP who-has 209.248.9.225 tell 209.248.9.227

10/26-09:35:49.786894 ARP who-has 209.248.9.237 tell 209.248.9.225

10/26-09:35:52.983387 ARP who-has 209.248.9.237 tell 209.248.9.225

10/26-09:36:39.085670 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0xF3
209.248.9.227:138 -> 209.248.9.239:138 UDP TTL:128 TOS:0x0 ID:55741 IpLen:20 DgmLen:229
Len: 209
11 02 C4 BE D1 F8 09 E3 00 8A 00 BB 00 00 20 45  .............. E
46 43 4E 45 4E 45 42 45 4A 45 4D 43 41 43 41 43  FCNENEBEJEMCACAC
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00  ACACACACACACACA.
20 46 48 45 50 46 43 45 4C 45 48 46 43 45 50 46   FHEPFCELEHFCEPF
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42  FFACACACACACACAB
4F 00 FF 53 4D 42 25 00 00 00 00 00 00 00 00 00  O..SMB%.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 11 00 00 21 00 00 00 00 00 00 00 00 00 E8  .....!..........
03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01  .........!.V....
00 00 00 02 00 32 00 5C 4D 41 49 4C 53 4C 4F 54  .....2.\MAILSLOT
5C 42 52 4F 57 53 45 00 0F 00 80 FC 0A 00 45 2D  \BROWSE.......E-
4D 41 49 4C 00 00 00 00 00 00 00 00 00 00 04 00  MAIL............
03 10 05 00 0F 01 55 AA 00                       ......U..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:37:23.483031 ARP who-has 209.248.9.230 tell 209.248.9.227

10/26-09:37:38.825961 ARP who-has 209.248.9.225 tell 209.248.9.227

10/26-09:37:39.715834 ARP who-has 209.248.9.238 tell 209.248.9.225

10/26-09:37:40.202475 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0xF9
209.248.9.227:138 -> 209.248.9.239:138 UDP TTL:128 TOS:0x0 ID:58815 IpLen:20 DgmLen:235
Len: 215
11 02 C4 C0 D1 F8 09 E3 00 8A 00 C1 00 00 20 45  .............. E
46 43 4E 45 4E 45 42 45 4A 45 4D 43 41 43 41 43  FCNENEBEJEMCACAC
41 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00  ACACACACACACAAA.
20 41 42 41 43 46 50 46 50 45 4E 46 44 45 43 46   ABACFPFPENFDECF
43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41  CEPFHFDEFFPFPACA
42 00 FF 53 4D 42 25 00 00 00 00 00 00 00 00 00  B..SMB%.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 11 00 00 27 00 00 00 00 00 00 00 00 00 E8  .....'..........
03 00 00 00 00 00 00 00 00 27 00 56 00 03 00 01  .........'.V....
00 01 00 02 00 38 00 5C 4D 41 49 4C 53 4C 4F 54  .....8.\MAILSLOT
5C 42 52 4F 57 53 45 00 0C 00 A0 BB 0D 00 57 4F  \BROWSE.......WO
52 4B 47 52 4F 55 50 00 4A FC E1 77 40 A1 03 0A  RKGROUP.J..w@...
00 10 00 80 68 FF 4B 02 45 2D 4D 41 49 4C 00     ....h.K.E-MAIL.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:37:43.035484 ARP who-has 209.248.9.238 tell 209.248.9.225

10/26-09:39:34.324639 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:23495 IpLen:20 DgmLen:78
Len: 58
C4 C4 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4C 00 00 20  ACACACACACABL.. 
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:35.072695 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:23751 IpLen:20 DgmLen:78
Len: 58
C4 C4 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4C 00 00 20  ACACACACACABL.. 
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:35.823741 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:24007 IpLen:20 DgmLen:78
Len: 58
C4 C4 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4C 00 00 20  ACACACACACABL.. 
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:39.329046 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:24263 IpLen:20 DgmLen:78
Len: 58
C4 C8 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4C 00 00 20  ACACACACACABL.. 
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:39.329456 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:24519 IpLen:20 DgmLen:78
Len: 58
C4 CC 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4D 00 00 20  ACACACACACABM.. 
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:39.329871 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x10E
209.248.9.227:138 -> 209.248.9.239:138 UDP TTL:128 TOS:0x0 ID:24775 IpLen:20 DgmLen:256
Len: 236
11 02 C4 CE D1 F8 09 E3 00 8A 00 D6 00 00 20 45  .............. E
46 43 4E 45 4E 45 42 45 4A 45 4D 43 41 43 41 43  FCNENEBEJEMCACAC
41 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00  ACACACACACACAAA.
20 46 48 45 50 46 43 45 4C 45 48 46 43 45 50 46   FHEPFCELEHFCEPF
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 41  FFACACACACACACAA
41 00 FF 53 4D 42 25 00 00 00 00 18 03 00 00 00  A..SMB%.........
00 00 00 00 00 00 00 00 00 00 00 00 FE CA 00 00  ................
00 00 11 00 00 36 00 02 00 00 00 00 00 02 00 FF  .....6..........
FF FF FF 00 00 00 00 5C 00 36 00 5C 00 03 00 01  .......\.6.\....
00 00 00 02 00 4D 00 5C 4D 41 49 4C 53 4C 4F 54  .....M.\MAILSLOT
5C 4E 45 54 5C 4E 45 54 4C 4F 47 4F 4E 00 07 00  \NET\NETLOGON...
45 2D 4D 41 49 4C 00 5C 4D 41 49 4C 53 4C 4F 54  E-MAIL.\MAILSLOT
5C 4E 45 54 5C 47 45 54 44 43 33 34 38 00 45 00  \NET\GETDC348.E.
2D 00 4D 00 41 00 49 00 4C 00 00 00 01 00 00 00  -.M.A.I.L.......
FF FF FF FF                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:40.079727 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:25031 IpLen:20 DgmLen:78
Len: 58
C4 CC 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4D 00 00 20  ACACACACACABM.. 
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:40.079758 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:25287 IpLen:20 DgmLen:78
Len: 58
C4 C8 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4C 00 00 20  ACACACACACABL.. 
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
</snip>

<snip>
Snort analyzed 95 out of 95 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 75         (78.947%)         LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 20         (21.053%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Fragment Trackers: 0
  Rebuilt IP Packets: 0
  Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
     TCP Packets Used: 0          (0.000%)
      Stream Trackers: 0
       Stream flushes: 0
        Segments used: 0
 Stream4 Memory Faults: 0
===============================================================================
Snort received signal 2, exiting
</snip>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
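The capture above has a property worth checking mechanically before suspecting the card: every frame the interface delivered is either an ARP request or an Ethernet broadcast (destination FF:FF:FF:FF:FF:FF) carrying NetBIOS name-service and datagram traffic, and the summary counts only UDP and ARP. A NIC that is truly dead delivers nothing; a NIC that delivers only broadcasts is working but is not being fed the segment's unicast traffic (for example, a switch port with no mirror/SPAN configured, or promiscuous mode not taking effect). The following script is an added example, not part of the original post or of Snort itself: it parses the frame and IP header lines that `snort -dev` prints, counts broadcast versus unicast frames and the protocols seen, and turns that into the question a sensor operator wants answered. The sample inputs are constructed for the example; `SAMPLE_ETH1` reuses a few header lines from the post, and `SAMPLE_HEALTHY` adds one invented unicast TCP frame (placeholder destination MAC) to show the healthy case.

```python
"""Summarise a `snort -dev` capture by layer-2 destination and protocol.

Added example (not from the original post or from Snort): a sanity check for
a sensor interface that appears "dead". Only ARP and broadcast frames means
the NIC receives fine but is not seeing the segment's unicast traffic.
"""
import re
from collections import Counter

# Frame header as printed by `snort -dev`: timestamp, src MAC, dst MAC, ethertype, length
FRAME_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[0-9A-Fa-f:]+)\s+->\s+(?P<dst>[0-9A-Fa-f:]+)\s+"
    r"type:0x(?P<type>[0-9A-Fa-f]+)\s+len:0x(?P<len>[0-9A-Fa-f]+)"
)
# ARP requests/replies are printed on a single line without MAC addresses
ARP_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+ARP\s+(?P<what>.*)$")
# IP header line that follows a frame header: "src:port -> dst:port PROTO ..."
IP_RE = re.compile(r"^(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>TCP|UDP|ICMP)\b")

BROADCAST = "FF:FF:FF:FF:FF:FF"

# Constructed sample: a few header lines in the shape of the eth1 capture above
SAMPLE_ETH1 = """\
10/26-09:28:50.870406 ARP who-has 209.248.9.225 tell 209.248.9.227

10/26-09:36:39.085670 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0xF3
209.248.9.227:138 -> 209.248.9.239:138 UDP TTL:128 TOS:0x0 ID:55741 IpLen:20 DgmLen:229
Len: 209
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:34.324639 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:23495 IpLen:20 DgmLen:78
Len: 58
"""

# Constructed sample: one invented unicast TCP frame (placeholder dst MAC / IP) for the healthy case
SAMPLE_HEALTHY = """\
10/26-09:40:01.000000 0:A0:C9:12:9E:A2 -> 0:D0:B7:AA:BB:CC type:0x800 len:0x3C
209.248.9.227:1044 -> 209.248.9.254:80 TCP TTL:128 TOS:0x0 ID:100 IpLen:20 DgmLen:48 DF
"""


def summarize(text):
    """Return counters describing what the sensor interface actually hears."""
    s = {"frames": 0, "arp": 0, "broadcast": 0, "unicast": 0,
         "proto": Counter(), "src_macs": set(), "ip_talkers": set()}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if ARP_RE.match(line):
            s["frames"] += 1
            s["arp"] += 1
            continue
        m = FRAME_RE.match(line)
        if not m:
            continue
        s["frames"] += 1
        s["src_macs"].add(m.group("src").upper())
        if m.group("dst").upper() == BROADCAST:
            s["broadcast"] += 1
        else:
            s["unicast"] += 1
        # In -dev output the IP header line immediately follows the frame line
        if i + 1 < len(lines):
            ip = IP_RE.match(lines[i + 1])
            if ip:
                s["proto"][ip.group("proto")] += 1
                s["ip_talkers"].add(ip.group("src").rsplit(":", 1)[0])
    return s


def diagnose(s):
    """Turn the counters into the answer a sensor operator is looking for."""
    if s["frames"] == 0:
        return "no frames at all: interface down, wrong -i argument, or no link"
    if s["unicast"] == 0:
        return ("only broadcast/ARP frames seen: the NIC works but is not being "
                "fed unicast traffic (check mirror/SPAN port and promiscuous mode)")
    return "unicast traffic present: the interface sees the segment"


if __name__ == "__main__":
    for label, text in (("eth1-like", SAMPLE_ETH1), ("healthy", SAMPLE_ETH1 + SAMPLE_HEALTHY)):
        st = summarize(text)
        print(label, {k: (v if not isinstance(v, set) else sorted(v)) for k, v in st.items()})
        print("  ->", diagnose(st))
```

Run it against a real capture with `snort -dev -i eth1 > eth1.txt` and `summarize(open("eth1.txt").read())`; the `src_macs` set is the second useful number, since a mirrored segment shows many source MACs while a port that only hears broadcasts typically shows one or two.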
Current thread:
- Problems with eth1? Jason Smith (Oct 26)
- <Possible follow-ups>
- RE: Problems with eth1? Ryan Hill (Oct 26)
- RE: Problems with eth1? Jason Smith (Oct 31)