Re: log response pkts

[Joel Esler <jesler () sourcefire com>]

What version of Snort are you using?  What is your output method?  What
does your sample.conf say?

On Mon, Jul 2, 2012 at 7:45 AM, Vinayak Malshetty <vinay.c7 () gmail com>wrote:

> Hi,
>
> please  anyone help me in  resolving the below problem
>
>
>
> I am running snort in IDS mode, to capture GTPv1 echo request and response
> packets, but I am seeing that only echo request packets are captured below
> is the topology
>
>
>
> (Linux-1) eth4 ----------------------------eth4(Linux-2)
>
> 70.5.1.1                                                       70.6.1.1
>
> Linux-2 is sending GTP echo request and Linux-1 is responding but in the
> log only GTP request is logged
>
>
> Running snort as “snort -i eth4 -c GTP_Config/sample.conf” on Linux-1
> machine
>
> I have created rule to log gtp packets as
>
> l*og udp 70.5.1.1 2123 <> 70.6.1.1 2123 \*
>
> *(gid:143;sid:10000010)*
>
>
>
> But when I am running snort in sniffer mode I am able to see both request
> and response on the console as below
>
> Commencing packet processing (pid=15788)
>
> 07/01-04:32:42.714873 70.6.1.1:2123 -> 70.5.1.1:2123
>
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
>
> Len: 12
>
> 32 01 00 04 00 00 00 00 6C 00 00 00              2.......l...   *ß
> Request *
>
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>
> 07/01-04:32:42.714878 70.6.1.1:2123 -> 70.5.1.1:2123
>
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:139 DF
>
> Len: 111
>
> 32 10 00 67 00 00 00 00 6C 01 00 00 02 42 00 01  2..g....l....B..
>
> 21 43 65 87 F9 0E 1B 0F 01 10 00 00 00 01 11 00  !Ce.............
>
> 00 00 01 14 00 1A 08 00 80 00 02 F1 21 83 00 08  ............!...
>
> 69 6E 74 65 72 6E 65 74 84 00 15 80 C0 23 11 01  internet.....#..
>
> 01 00 11 03 6D 69 67 08 68 65 6D 6D 65 6C 69 67  ....mig.hemmelig
>
> 85 00 04 46 06 01 01 85 00 04 46 06 01 01 86 00  ...F......F.....
>
> 07 91 64 07 12 32 54 F6 87 00 04 00 0B 92 1F     ..d..2T........
>
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>
> 07/01-04:32:42.714915 70.5.1.1:2123 -> 70.6.1.1:2123
>
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:42 DF
>
> Len: 14
>
> 32 02 00 06 00 00 00 00 6C 00 00 00 0E 01        2.......l..... *àResponse
> *
>
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>
> 07/01-04:32:42.714995 70.5.1.1:2123 -> 70.6.1.1:2123
>
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:114 DF
>
> Len: 86
>
> 32 11 00 4E 00 00 00 01 6C 01 00 00 01 80 08 00  2..N....l.......
>
> 0E 01 10 00 00 00 01 11 00 00 00 01 7F 00 00 00  ................
>
> 01 80 00 06 F1 21 50 00 00 02 84 00 14 80 80 21  .....!P........!
>
> 10 02 00 00 10 81 06 00 00 00 00 83 06 00 00 00  ................
>
> 00 85 00 04 46 05 01 01 85 00 04 46 05 01 01 87  ....F......F....
>
> 00 04 00 0B 92 1F                                ......
>
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>
> Many Thanks,
>
> -vinayak
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!