Snort mailing list archives
Re: snort not reporting
From: timl () kulath demon co uk
Date: Sat, 12 Feb 2005 00:23:43 +0000
References: <20041214105236.42845.qmail () web20025 mail yahoo com>

(Sorry I can't get the references in the right place this time)

I too can't get snort to look at data on ppp0. (I am on Mac OS X)

I captured some of the traffic at the same time on tcpdump.

When I used the ethernet interface, I got some data captured by snort, as shown at the end.

-- I started snort:

[xxx-Computer:HenWen.app/Contents/macOS] tim% sudo ./snort -c ../Resources/snort.conf -i ppp0 -v
Password:
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface ppp0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding PPP on interface ppp0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ../Resources/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Using LOCAL time
273 Snort rules read...
273 Option Chains linked into 79 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.6 (Build 100)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
^C

-- it started OK

Feb 11 23:29:39 localhost sudo: tim : TTY=ttyp1 ; PWD=/Applications/Henwen/HenWen.app/Contents/MacOS ; USER=root ; COMMAND=./snort -c ../Resources/snort.conf -i ppp0 -v
Feb 11 23:29:45 localhost kernel: ppp0: promiscuous mode enabled

-- I then captured traffic with tcpdump:

[xxx-Computer:~] tim% sudo tcpdump -i ppp00
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp00, link-type PPP (PPP), capture size 96 bytes
23:40:21.238519 IP lon1-punt3-7.mail.demon.net.20896 > kulath.demon.co.uk.smtp: S 516131141:516131141(0) win 49640 <mss 1460,nop,nop,sackOK>
23:40:22.232427 IP kulath.demon.co.uk.49320 > cache-2.ns.demon.net.domain: 15117+ PTR? 170.242.217.194.in-addr.arpa. (46)
23:40:22.372707 IP cache-2.ns.demon.net.domain > kulath.demon.co.uk.49320: 15117 1/0/0 PTR[|domain]
23:40:23.381943 IP kulath.demon.co.uk.49321 > cache-2.ns.demon.net.domain: 31657+ PTR? 43.1.152.158.in-addr.arpa. (43)
23:40:23.511414 IP cache-2.ns.demon.net.domain > kulath.demon.co.uk.49321: 31657 1/0/0 PTR[|domain]
23:41:04.745821 IP lon1-punt3-7.mail.demon.net.21006 > kulath.demon.co.uk.smtp: S 631805582:631805582(0) win 49640 <mss 1460,nop,nop,sackOK>
23:41:08.115454 IP lon1-punt3-7.mail.demon.net.21006 > kulath.demon.co.uk.smtp: S 631805582:631805582(0) win 49640 <mss 1460,nop,nop,sackOK>
23:41:14.867773 IP lon1-punt3-7.mail.demon.net.21006 > kulath.demon.co.uk.smtp: S 631805582:631805582(0) win 49640 <mss 1460,nop,nop,sackOK>
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

-- ipfw found lots of traffic:

Feb 11 23:30:11 localhost kernel: ipfw: 52009 Deny TCP 194.217.242.170:19764 158.152.182.179:25 in via ppp0
Feb 11 23:30:21 localhost last message repeated 2 times
Feb 11 23:31:05 localhost kernel: ipfw: 52009 Deny TCP 194.217.242.170:19868 158.152.182.179:25 in via ppp0
Feb 11 23:31:15 localhost last message repeated 2 times
Feb 11 23:31:41 localhost kernel: ipfw: 52009 Deny UDP 204.36.148.82:19248 158.152.182.179:1027 in via ppp0

-- then stopped snort:

===============================================================================
Snort analyzed 318 out of 318 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort exiting

-- successful ethernet capture

Decoding Ethernet on interface en0

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.6 (Build 100)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

02/11-22:47:45.040436 169.254.91.223:5353 -> 224.0.0.251:5353
UDP TTL:255 TOS:0x18 ID:42742 IpLen:20 DgmLen:117
Len: 89
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/11-22:47:46.061987 169.254.91.223:5353 -> 224.0.0.251:5353
UDP TTL:255 TOS:0x18 ID:42743 IpLen:20 DgmLen:117
Len: 89
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/11-22:47:48.062187 169.254.91.223:5353 -> 224.0.0.251:5353
UDP TTL:255 TOS:0x18 ID:42813 IpLen:20 DgmLen:117
Len: 89
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/11-22:47:52.072224 169.254.91.223:5353 -> 224.0.0.251:5353
UDP TTL:255 TOS:0x18 ID:42814 IpLen:20 DgmLen:117
Len: 89
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
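Added example, not part of Tim's message and not Snort's own code. The symptom above (318 packets analyzed, every protocol bucket at 0, while tcpdump on the same interface reports link-type PPP and decodes IP fine) is the signature of a link-layer framing mismatch: the decoder reads each frame but never reaches a valid IP header. The script below shows that directly. It parses a classic pcap whose link type is DLT_PPP (9), strips RFC 1661 PPP framing (the optional 0xFF 0x03 address/control pair and the possibly compressed protocol field), and tallies IP transport protocols; with `strip_ppp=False` it decodes the same frames as if the IP header sat at offset 0, which yields exactly "N total, 0 TCP/UDP/ICMP". The sample capture is constructed inline; the addresses are borrowed from the ipfw log lines, and nothing here claims to be the actual cause of the Snort 2.0.6 behaviour on Mac OS X.

```python
"""Tally transport protocols in a DLT_PPP (link-type 9) pcap.

Illustration only (not Snort code): a PPP-aware decode versus a decode
that assumes the frame starts at the IP header. The sample capture is
constructed inline; no real traffic is used.
"""
import struct
from collections import Counter

DLT_PPP = 9               # libpcap link type that tcpdump prints as "PPP"
PPP_PROTO_IPV4 = 0x0021   # RFC 1332: IPv4 datagram carried in PPP
PCAP_MAGIC = 0xA1B2C3D4
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_pcap(data):
    """Yield (linktype, packet_bytes) for each record of a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def ppp_strip(frame):
    """Return (ppp_protocol, payload) for an RFC 1661 frame.

    Handles the optional 0xFF 0x03 address/control pair and protocol-field
    compression (a single byte when its low bit is set).
    """
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if not frame:
        return None, b""
    if frame[0] & 0x01:                       # compressed one-byte protocol
        return frame[0], frame[1:]
    if len(frame) < 2:
        return None, b""
    return (frame[0] << 8) | frame[1], frame[2:]


def tally(data, strip_ppp=True):
    """Count packets per IP transport protocol.

    strip_ppp=False mimics a decoder that expects the IP header at offset 0:
    every PPP frame then fails the version check and no protocol bucket grows.
    """
    counts = Counter()
    for linktype, pkt in parse_pcap(data):
        counts["total"] += 1
        if linktype != DLT_PPP:
            counts["non-ppp-linktype"] += 1
            continue
        if strip_ppp:
            proto, ip = ppp_strip(pkt)
            if proto != PPP_PROTO_IPV4:       # LCP, IPCP, CCP, ...
                counts["ppp-other"] += 1
                continue
        else:
            ip = pkt
        if len(ip) < 20 or ip[0] >> 4 != 4:
            counts["bad-ip"] += 1
            continue
        counts[IP_PROTO_NAMES.get(ip[9], "OTHER")] += 1
    return counts


# --- constructed sample capture (hypothetical, for the demo only) -----------
def ipv4(proto, payload=b""):
    """Minimal IPv4 header; checksum left zero, enough for protocol tallying."""
    src = bytes([194, 217, 242, 170])   # addresses as seen in the ipfw log
    dst = bytes([158, 152, 182, 179])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                       64, proto, 0, src, dst) + payload


def pcap(linktype, packets):
    """Serialise packets as a little-endian classic pcap with the given link type."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1108164021 + i, 0, len(p), len(p)) + p
    return out


SAMPLE = pcap(DLT_PPP, [
    b"\xff\x03\x00\x21" + ipv4(6, b"\x51\xa0\x00\x19" + b"\x00" * 16),  # TCP to port 25
    b"\x21" + ipv4(17, b"\xc0\xa8\x00\x35" + b"\x00" * 4),               # UDP, compressed proto
    b"\xff\x03\xc0\x21\x01\x01\x00\x04",                                 # LCP Configure-Request
    b"\xff\x03\x00\x21" + ipv4(1, b"\x08\x00\x00\x00"),                  # ICMP echo request
])

if __name__ == "__main__":
    print("PPP-aware  :", dict(tally(SAMPLE)))
    print("raw-IP only:", dict(tally(SAMPLE, strip_ppp=False)))
```

To apply this to the real interface rather than the constructed sample, save the traffic with `sudo tcpdump -i ppp0 -w ppp0.pcap`, run `tally(open("ppp0.pcap", "rb").read())` on it, and replay the same file into Snort with `snort -r ppp0.pcap`; if the script counts TCP and UDP while Snort's breakdown stays at zero, the problem is in Snort's PPP link-layer decode rather than in the capture or the rules.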
Current thread:
- Re: snort not reporting timl (Feb 11)