Snort mailing list archives

Capturing incoming packets?


From: guano () hackerfactor com
Date: Fri, 13 Jun 2003 16:53:41 -0600 (MDT)

Hi,

I hope this is the appropriate forum.

I'm setting up a new network configuration.
<ASCII-ART>

           /---Linux-----------\
           |                   |
Internet--hub--------firewall--+---LAN

</ASCII-ART>

My Linux box is dual-homed.  The internal network interface works
as a normal interface.  The external interface has an unroutable IP
address and a network connection that does not permit transmitting.
This way, I can see everything outside with no worry about something
trying to come inside.

Is there some way to configure snort to capture all packets that do not
originate from me?

For example, a TCP session normally looks like:
  SYN ->
      <- ACK
  SYN-ACK ->
      <- data
  ACK ->
  etc.
I want to capture the entire session, only when the initial SYN did not
come from me.

For example:
  not host myhostname
  -- this shows my half of the communications.
     It does capture incoming SYN requests, but it also captures every
     web reply, FTP reply, etc.  This isn't what I want.

I really want to capture "everything that is initiated from the
outside world".  Including UDP, TCP, and ICMP (ARP isn't important to me).
Basically, I want to capture everything that is not part of a session
initiated by me.
  - Keeping track of TCP sessions is feasible.
  - Keeping track of UDP and ICMP sessions (since they are stateless) is
    a little more difficult.  I'm thinking it would keep track of host/port
    in a finite timeframe.

Is this possible already?

                                        -Guano
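The bookkeeping the post asks for (keep a whole conversation only when the other side opened it, with TCP keyed on the first bare SYN and UDP/ICMP keyed on host/port within a finite idle window) is stateful, so a plain BPF expression such as `not host myhostname` cannot express it. The following added example, which is not from the post or from the Snort project, models that logic in Python over a constructed list of packet summaries; the `Packet` fields, the `SessionTracker` class and the 60-second idle timeout are assumptions made for the illustration, and a real deployment would feed it decoded packets from a capture file instead.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical packet summary: only the fields the session logic needs.
@dataclass(frozen=True)
class Packet:
    ts: float          # capture time in seconds
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    sport: int         # 0 for icmp
    dst: str
    dport: int         # 0 for icmp
    flags: str = ""    # TCP flags as letters, e.g. "S", "SA", "A", "PA", "RA"

FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]

def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a conversation share one entry."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])

class SessionTracker:
    """Remembers who opened each flow; stale flows expire after idle_timeout seconds."""

    def __init__(self, my_host: str, idle_timeout: float = 60.0):
        self.my_host = my_host
        self.idle_timeout = idle_timeout
        # flow key -> (initiator address, timestamp of the last packet seen)
        self.sessions: Dict[FlowKey, Tuple[str, float]] = {}

    def classify(self, p: Packet) -> str:
        """Return "mine", "foreign" or "orphan" for one packet, updating state."""
        key = flow_key(p)
        entry = self.sessions.get(key)
        if entry is not None and p.ts - entry[1] > self.idle_timeout:
            # Idle too long: a late packet on this key starts a new session.
            del self.sessions[key]
            entry = None
        if entry is None:
            bare_syn = "S" in p.flags and "A" not in p.flags
            if p.proto == "tcp" and not bare_syn:
                # TCP traffic whose SYN we never saw: initiator unknown.
                return "orphan"
            # For UDP/ICMP the first packet seen in the window is the opener.
            entry = (p.src, p.ts)
        self.sessions[key] = (entry[0], p.ts)
        return "mine" if entry[0] == self.my_host else "foreign"

def label_all(packets: List[Packet], my_host: str, idle_timeout: float = 60.0) -> List[str]:
    tracker = SessionTracker(my_host, idle_timeout)
    return [tracker.classify(p) for p in packets]

def capture(packets: List[Packet], my_host: str, idle_timeout: float = 60.0) -> List[Packet]:
    """Keep everything that is not part of a session the monitored host initiated."""
    labels = label_all(packets, my_host, idle_timeout)
    return [p for p, lbl in zip(packets, labels) if lbl != "mine"]

# Constructed sample traffic for the monitored host ME (all addresses are made up).
ME = "10.0.0.5"
SAMPLE = [
    Packet(0.00, "tcp", ME, 40000, "1.2.3.4", 80, "S"),      # my outbound HTTP
    Packet(0.01, "tcp", "1.2.3.4", 80, ME, 40000, "SA"),
    Packet(0.02, "tcp", ME, 40000, "1.2.3.4", 80, "A"),
    Packet(0.10, "tcp", "1.2.3.4", 80, ME, 40000, "PA"),     # web reply: still mine
    Packet(1.00, "tcp", "5.6.7.8", 55555, ME, 22, "S"),      # inbound SYN to ssh
    Packet(1.01, "tcp", ME, 22, "5.6.7.8", 55555, "RA"),     # my reset: foreign session
    Packet(2.00, "udp", ME, 53000, "8.8.8.8", 53),           # my DNS query
    Packet(2.05, "udp", "8.8.8.8", 53, ME, 53000),           # DNS answer: mine
    Packet(3.00, "udp", "9.9.9.9", 1234, ME, 161),           # unsolicited SNMP probe
    Packet(4.00, "icmp", "9.9.9.9", 0, ME, 0),               # inbound echo request
    Packet(4.01, "icmp", ME, 0, "9.9.9.9", 0),               # my echo reply: foreign
    Packet(5.00, "tcp", "1.2.3.4", 443, ME, 40001, "PA"),    # no SYN seen: orphan
    Packet(200.0, "udp", "8.8.8.8", 53, ME, 53000),          # past idle window: foreign
]

if __name__ == "__main__":
    for p, lbl in zip(SAMPLE, label_all(SAMPLE, ME)):
        print(f"{p.ts:7.2f} {p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:3} {lbl}")
```

The last sample packet shows the tradeoff the post mentions for stateless protocols: a DNS answer that arrives after the idle window has expired is indistinguishable from an unsolicited probe and is kept, so the window length trades missed probes against false captures. Orphaned TCP packets (no SYN observed) are kept too, which is the safer choice for a monitoring sensor that may start mid-session.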


