Snort mailing list archives
Re: log response pkts
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 3 Jul 2012 10:19:25 -0400
What version of Snort are you using? What is your output method? What does your sample.conf say?

On Mon, Jul 2, 2012 at 7:45 AM, Vinayak Malshetty <vinay.c7 () gmail com> wrote:
Hi, please anyone help me in resolving the below problem.

I am running snort in IDS mode, to capture GTPv1 echo request and response packets, but I am seeing that only echo request packets are captured. Below is the topology:

    (Linux-1) eth4 ---------------------------- eth4 (Linux-2)
    70.5.1.1                                    70.6.1.1

Linux-2 is sending GTP echo request and Linux-1 is responding, but in the log only GTP request is logged.

Running snort as "snort -i eth4 -c GTP_Config/sample.conf" on Linux-1 machine.

I have created a rule to log gtp packets as

    log udp 70.5.1.1 2123 <> 70.6.1.1 2123 (gid:143;sid:10000010)

But when I am running snort in sniffer mode I am able to see both request and response on the console as below:

    Commencing packet processing (pid=15788)
    07/01-04:32:42.714873 70.6.1.1:2123 -> 70.5.1.1:2123
    UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
    Len: 12
    32 01 00 04 00 00 00 00 6C 00 00 00              2.......l...      ← Request

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    07/01-04:32:42.714878 70.6.1.1:2123 -> 70.5.1.1:2123
    UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:139 DF
    Len: 111
    32 10 00 67 00 00 00 00 6C 01 00 00 02 42 00 01  2..g....l....B..
    21 43 65 87 F9 0E 1B 0F 01 10 00 00 00 01 11 00  !Ce.............
    00 00 01 14 00 1A 08 00 80 00 02 F1 21 83 00 08  ............!...
    69 6E 74 65 72 6E 65 74 84 00 15 80 C0 23 11 01  internet.....#..
    01 00 11 03 6D 69 67 08 68 65 6D 6D 65 6C 69 67  ....mig.hemmelig
    85 00 04 46 06 01 01 85 00 04 46 06 01 01 86 00  ...F......F.....
    07 91 64 07 12 32 54 F6 87 00 04 00 0B 92 1F     ..d..2T........

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    07/01-04:32:42.714915 70.5.1.1:2123 -> 70.6.1.1:2123
    UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:42 DF
    Len: 14
    32 02 00 06 00 00 00 00 6C 00 00 00 0E 01        2.......l.....    → Response

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    07/01-04:32:42.714995 70.5.1.1:2123 -> 70.6.1.1:2123
    UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:114 DF
    Len: 86
    32 11 00 4E 00 00 00 01 6C 01 00 00 01 80 08 00  2..N....l.......
    0E 01 10 00 00 00 01 11 00 00 00 01 7F 00 00 00  ................
    01 80 00 06 F1 21 50 00 00 02 84 00 14 80 80 21  .....!P........!
    10 02 00 00 10 81 06 00 00 00 00 83 06 00 00 00  ................
    00 85 00 04 46 05 01 01 85 00 04 46 05 01 01 87  ....F......F....
    00 04 00 0B 92 1F                                ......

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Many Thanks,
-vinayak

Please visit http://blog.snort.org for the latest news about Snort!
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
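An added example, not from the thread or from Snort's own code: a small Python decoder for the GTPv1 header, run over the echo request and echo response bytes taken from the sniffer output quoted above, together with a check that the '<>' header of the posted log rule covers both directions of the exchange. The function names and the sample packet list are constructed here.

```python
import struct

# GTPv1-C message types present in the dumps quoted above (3GPP TS 29.060).
GTPV1_MSG_TYPES = {0x01: "Echo Request", 0x02: "Echo Response",
                   0x10: "Create PDP Context Request", 0x11: "Create PDP Context Response"}

def parse_gtpv1_header(payload):
    """Decode the mandatory 8-byte GTPv1 header plus the optional sequence
    number that follows when any of the E, S or PN flag bits is set."""
    if len(payload) < 8:
        raise ValueError("truncated GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    hdr = {"version": flags >> 5, "msg_type": msg_type, "length": length,
           "msg_name": GTPV1_MSG_TYPES.get(msg_type, "unknown"), "teid": teid, "seq": None}
    if hdr["version"] != 1:
        raise ValueError("not GTPv1 (version %d)" % hdr["version"])
    if flags & 0x07:  # E, S or PN set: seq(2), N-PDU(1), next-ext(1) follow
        if len(payload) < 12:
            raise ValueError("optional header fields announced but missing")
        hdr["seq"] = struct.unpack("!H", payload[8:10])[0]
    # the length field counts every byte after the 8 mandatory ones, so for a
    # well-formed message it must add up to the UDP payload length exactly
    hdr["length_ok"] = 8 + length == len(payload)
    return hdr

def header_matches(rule_ep_a, rule_ep_b, src, dst):
    """Snort's '<>' header covers either direction between the rule's two (ip, port) endpoints."""
    return (src, dst) in {(rule_ep_a, rule_ep_b), (rule_ep_b, rule_ep_a)}

# Constructed from the hex in the quoted sniffer output: the echo request
# (Linux-2 -> Linux-1) and the echo response (Linux-1 -> Linux-2).
SAMPLE_PACKETS = [
    (("70.6.1.1", 2123), ("70.5.1.1", 2123),
     bytes.fromhex("32 01 00 04 00 00 00 00 6C 00 00 00")),
    (("70.5.1.1", 2123), ("70.6.1.1", 2123),
     bytes.fromhex("32 02 00 06 00 00 00 00 6C 00 00 00 0E 01")),
]
RULE_A, RULE_B = ("70.5.1.1", 2123), ("70.6.1.1", 2123)  # endpoints of the log rule

def classify_samples():
    """Return (msg_name, seq, length_ok, rule_header_matched) for each sample packet."""
    rows = []
    for src, dst, payload in SAMPLE_PACKETS:
        hdr = parse_gtpv1_header(payload)
        rows.append((hdr["msg_name"], hdr["seq"], hdr["length_ok"],
                     header_matches(RULE_A, RULE_B, src, dst)))
    return rows

if __name__ == "__main__":
    print(*classify_samples(), sep="\n")
```

Both packets decode as a matching echo request/response pair (same sequence number 0x6C00) and both satisfy the rule header, so the missing response in the log is not explained by the direction or header of the rule.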
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel