Snort mailing list archives

Re: snort-inline and iptables INPUT chain


From: Laurent Haond <lhaond () bearstech com>
Date: Wed, 02 Mar 2005 20:16:38 +0100



Will Metcalf wrote:

If you start snort with snort -Q -v -c /etc/snort/snort.conf
do you see any traffic?

Regards,

Will

Sure, I see some traffic:

Here are tethereal captures (done on 192.168.0.2, which is the ssh client, with NO firewall):

=> case 1
ssh establishment WITHOUT snort-inline / queue:
Capturing on eth0
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=567646 TSER=0 WS=0
0.000422 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=583170 TSER=567646 WS=0
0.000456 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=567647 TSER=583170
0.091878  192.168.0.2 -> 192.168.0.1  SSH Server Protocol: SSH-2.0-OpenSSH
0.091892 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1 Ack=25 Win=5840 Len=0 TSV=567656 TSER=583180
0.091949  192.168.0.1 -> 192.168.0.2  SSH Client Protocol: SSH-2.0-OpenSSH
0.092158 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=25 Ack=42 Win=5792 Len=0 TSV=583180 TSER=567656
0.092166  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Key Exchange Init
0.092429 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=25 Ack=650 Win=6688 Len=0 TSV=583180 TSER=567656
0.096161  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Key Exchange Init
0.096229 192.168.0.1 -> 192.168.0.2 SSHv2 Client: Diffie-Hellman GEX Request
0.112155 192.168.0.2 -> 192.168.0.1 SSHv2 Server: Diffie-Hellman Key Exchange Reply
0.113776 192.168.0.1 -> 192.168.0.2 SSHv2 Client: Diffie-Hellman GEX Init
0.150941 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=785 Ack=818 Win=7904 Len=0 TSV=583186 TSER=567658
0.253657 192.168.0.2 -> 192.168.0.1 SSHv2 Server: Diffie-Hellman GEX Reply
0.255864  192.168.0.1 -> 192.168.0.2  SSHv2 Client: New Keys
0.256059 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=1249 Ack=834 Win=7904 Len=0 TSV=583196 TSER=567672
0.256068 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=48
0.256240 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=1249 Ack=882 Win=7904 Len=0 TSV=583196 TSER=567672
0.256615 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=48
0.256922 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=64
0.258581 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=80
0.258646 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=528
0.260759 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=80
0.260799 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=96
0.261335 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=80
0.300461 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1570 Ack=1537 Win=7904 Len=0 TSV=567677 TSER=583197
So OK, it works normally...

=> case 2:
ssh establishment WITH snort-inline / queue:
Capturing on eth0
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=599536 TSER=0 WS=0
0.000557 192.168.0.2 -> 192.168.0.1 TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=615058 TSER=599536 WS=0
0.000577 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=599536 TSER=615058
Then nothing more is received...

But on 192.168.0.1 (the snort box, running snort -Q -v -c /etc/snort/snort.conf)
I see traffic from 192.168.0.2:22 -> 192.168.0.1:32862 after that...
But this traffic is never received by 192.168.0.1!!

Regards
Laurent
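As an added example (not part of this post, and not code from the Snort project), here is a small Python script that reads tethereal summary lines like the ones quoted above and reports how far a TCP conversation got: handshake incomplete, stalled right after the three-way handshake (the symptom Laurent describes with the QUEUE target in place), or carrying application data. The two sample captures are constructed from the trace lines in the post, and the function and class names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One tethereal/tshark summary line: "<time> <src> -> <dst> <proto> <info>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
# TCP summary lines carry the segment payload size as "Len=<n>"
LEN_RE = re.compile(r"\bLen=(\d+)")


@dataclass
class FlowState:
    """Progress of a single TCP conversation through the handshake and beyond."""
    syn: bool = False          # client SYN seen
    synack: bool = False       # server SYN/ACK seen
    ack: bool = False          # client's final handshake ACK seen
    payload_packets: int = 0   # packets carrying application data (SSH banner, KEX, ...)
    last_src: str = ""         # sender of the last packet observed

    @property
    def handshake_complete(self) -> bool:
        return self.syn and self.synack and self.ack

    @property
    def stalled(self) -> bool:
        # Handshake finished, but neither side ever got application data through
        return self.handshake_complete and self.payload_packets == 0


def parse_capture(text: str) -> list[dict]:
    """Turn tethereal summary output into a list of packet dicts, skipping chatter."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Capturing on"):
            continue
        m = LINE_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def classify(packets: list[dict]) -> FlowState:
    """Walk the packets in order and record how far the conversation progressed."""
    st = FlowState()
    for p in packets:
        info = p["info"]
        st.last_src = p["src"]
        if p["proto"] == "TCP":
            if "[SYN, ACK]" in info:
                st.synack = True
            elif "[SYN]" in info:
                st.syn = True
            elif "[ACK]" in info and st.syn and st.synack:
                st.ack = True
            m = LEN_RE.search(info)
            if m and int(m.group(1)) > 0:
                st.payload_packets += 1
        else:
            # A dissected application protocol (SSH, SSHv2, ...) implies a TCP payload
            st.payload_packets += 1
    return st


def diagnose(text: str) -> str:
    """One-line verdict for a capture; tells you which side sent the last packet."""
    st = classify(parse_capture(text))
    if not st.handshake_complete:
        return "handshake incomplete"
    if st.stalled:
        return f"stalled after handshake; last packet came from {st.last_src}"
    return f"ok: {st.payload_packets} data packets exchanged"


# Constructed samples, built from the trace lines quoted in the post (trimmed).
CAPTURE_OK = """\
Capturing on eth0
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
0.000422 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460
0.000456 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.091878 192.168.0.2 -> 192.168.0.1 SSH Server Protocol: SSH-2.0-OpenSSH
0.091949 192.168.0.1 -> 192.168.0.2 SSH Client Protocol: SSH-2.0-OpenSSH
0.092166 192.168.0.1 -> 192.168.0.2 SSHv2 Client: Key Exchange Init
"""

CAPTURE_STALLED = """\
Capturing on eth0
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
0.000557 192.168.0.2 -> 192.168.0.1 TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460
0.000577 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0
"""

if __name__ == "__main__":
    print("case 1:", diagnose(CAPTURE_OK))
    print("case 2:", diagnose(CAPTURE_STALLED))
```

Running it on the two captures prints "ok: 3 data packets exchanged" for case 1 and "stalled after handshake; last packet came from 192.168.0.1" for case 2. Comparing the verdict from a capture taken on the peer with one taken on the Snort box itself is the quick way to see that packets are being seen by snort -Q but dropped before they reach the wire, which is the situation the post describes.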


