Snort mailing list archives

Re: snort not reporting


From: timl () kulath demon co uk
Date: Sat, 12 Feb 2005 00:23:43 +0000

References: <20041214105236.42845.qmail () web20025 mail yahoo com>

(Sorry I can't get the references in the right place this time)

I too can't get snort to look at data on ppp0. (I am on Mac OS X)

I captured some of the traffic at the same time on tcpdump.
When I used the ethernet interface, I got some data captured by snort, as shown at the end.

-- I started snort:

[xxx-Computer:HenWen.app/Contents/macOS] tim% sudo ./snort -c ../Resources/snort.conf -i ppp0 -v
Password:
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface ppp0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding PPP on interface ppp0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ../Resources/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Using LOCAL time
273 Snort rules read...
273 Option Chains linked into 79 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.6 (Build 100)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
^C


-- it started OK
Feb 11 23:29:39 localhost sudo:      tim : TTY=ttyp1 ; PWD=/Applications/Henwen/HenWen.app/Contents/MacOS ; USER=root ; COMMAND=./snort -c ../Resources/snort.conf -i ppp0 -v
Feb 11 23:29:45 localhost kernel: ppp0: promiscuous mode enabled


-- I then captured traffic with tcpdump:

[xxx-Computer:~] tim% sudo tcpdump -i ppp00
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp00, link-type PPP (PPP), capture size 96 bytes
23:40:21.238519 IP lon1-punt3-7.mail.demon.net.20896 > kulath.demon.co.uk.smtp: S 516131141:516131141(0) win 49640 <mss 1460,nop,nop,sackOK>
23:40:22.232427 IP kulath.demon.co.uk.49320 > cache-2.ns.demon.net.domain:  15117+ PTR? 170.242.217.194.in-addr.arpa. (46)
23:40:22.372707 IP cache-2.ns.demon.net.domain > kulath.demon.co.uk.49320:  15117 1/0/0 PTR[|domain]
23:40:23.381943 IP kulath.demon.co.uk.49321 > cache-2.ns.demon.net.domain:  31657+ PTR? 43.1.152.158.in-addr.arpa. (43)
23:40:23.511414 IP cache-2.ns.demon.net.domain > kulath.demon.co.uk.49321:  31657 1/0/0 PTR[|domain]
23:41:04.745821 IP lon1-punt3-7.mail.demon.net.21006 > kulath.demon.co.uk.smtp: S 631805582:631805582(0) win 49640 <mss 1460,nop,nop,sackOK>
23:41:08.115454 IP lon1-punt3-7.mail.demon.net.21006 > kulath.demon.co.uk.smtp: S 631805582:631805582(0) win 49640 <mss 1460,nop,nop,sackOK>
23:41:14.867773 IP lon1-punt3-7.mail.demon.net.21006 > kulath.demon.co.uk.smtp: S 631805582:631805582(0) win 49640 <mss 1460,nop,nop,sackOK>
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

-- ipfw found lots of traffic:

Feb 11 23:30:11 localhost kernel: ipfw: 52009 Deny TCP 194.217.242.170:19764 158.152.182.179:25 in via ppp0
Feb 11 23:30:21 localhost last message repeated 2 times
Feb 11 23:31:05 localhost kernel: ipfw: 52009 Deny TCP 194.217.242.170:19868 158.152.182.179:25 in via ppp0
Feb 11 23:31:15 localhost last message repeated 2 times
Feb 11 23:31:41 localhost kernel: ipfw: 52009 Deny UDP 204.36.148.82:19248 158.152.182.179:1027 in via ppp0


-- then stopped snort:

===============================================================================
Snort analyzed 318 out of 318 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0         
    UDP: 0          (0.000%)          LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0         
   Rebuilt IP Packets: 0         
   Frag elements used: 0         
Discarded(incomplete): 0         
   Discarded(timeout): 0         
  Frag2 memory faults: 0         
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0         
          Stream flushes: 0         
           Segments used: 0         
   Stream4 Memory Faults: 0         
===============================================================================
Snort exiting



-- successful ethernet capture

Decoding Ethernet on interface en0

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.6 (Build 100)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
02/11-22:47:45.040436 169.254.91.223:5353 -> 224.0.0.251:5353
UDP TTL:255 TOS:0x18 ID:42742 IpLen:20 DgmLen:117
Len: 89
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/11-22:47:46.061987 169.254.91.223:5353 -> 224.0.0.251:5353
UDP TTL:255 TOS:0x18 ID:42743 IpLen:20 DgmLen:117
Len: 89
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/11-22:47:48.062187 169.254.91.223:5353 -> 224.0.0.251:5353
UDP TTL:255 TOS:0x18 ID:42813 IpLen:20 DgmLen:117
Len: 89
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/11-22:47:52.072224 169.254.91.223:5353 -> 224.0.0.251:5353
UDP TTL:255 TOS:0x18 ID:42814 IpLen:20 DgmLen:117
Len: 89
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
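The ppp0 exit summary above is the tell-tale symptom: 318 packets analyzed, yet every protocol counter is zero, so snort saw the frames but decoded none of them as IP traffic. As an added example (not from the original post, Snort or HenWen), this small Python check parses a Snort 2.x exit summary and separates "no packets reached snort" from "packets reached snort but the decoder classified none of them"; the sample input is the summary quoted in the post.

```python
import re

# Snort exit summary copied from the ppp0 run in the post above:
# 318 packets analyzed, every protocol counter zero.  Constructed sample input.
PPP0_SUMMARY = """\
Snort analyzed 318 out of 318 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
"""

ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
# One protocol bucket per line; the trailing "Action Stats" column is ignored.
PROTO_RE = re.compile(
    r"^\s*(TCP|UDP|ICMP|ARP|EAPOL|IPv6|IPX|OTHER|DISCARD):\s+(\d+)", re.M
)


def parse_summary(text):
    """Return (analyzed, received, {protocol: count}) from a Snort 2.x summary."""
    m = ANALYZED_RE.search(text)
    if not m:
        raise ValueError("no 'Snort analyzed' line found in summary")
    protos = {proto: int(n) for proto, n in PROTO_RE.findall(text)}
    return int(m.group(1)), int(m.group(2)), protos


def diagnose(text):
    """Classify the summary into the three cases a sensor check cares about."""
    analyzed, _received, protos = parse_summary(text)
    decoded = sum(protos.values())
    if analyzed == 0:
        return "no packets reached snort: check interface name and BPF filter"
    if decoded == 0:
        # Frames were delivered but the link-layer decoder classified none
        # of them, which is exactly what the ppp0 run above shows.
        return "packets analyzed but none decoded: check link-layer decoder"
    if protos.get("OTHER", 0) == decoded:
        return "all packets counted as OTHER: unexpected encapsulation"
    return "ok"
```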