Snort mailing list archives
Re: Problem with acquiring traffic
From: Alex Adamos <alexthakidadam () hotmail com>
Date: Sun, 24 Feb 2013 19:46:34 +0200
Date: Sat, 23 Feb 2013 14:12:43 -0500
From: wkitty42 () windstream net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem with acquiring traffic

On 2/23/2013 13:58, Alex Adamos wrote:
> Hello!! I wrote my own preprocessor to track flows to a webserver and determine whether the server is under a slow HTTP DoS attack. Now I want to test my preprocessor and see "how many fish I can get" (Greek one, :p)!! I've installed Snort in an Ubuntu VirtualBox guest (the host is Windows 7). To automate the tests I wrote a bash script that every time starts Snort (with a different configuration for my preprocessor) and starts the attack/s. So the Snort installation and the attacker/s should be on the same machine. For this reason, I thought that I should capture traffic from the lo interface. But so far, I can't get any of the attacker's packets.

are you sending to/from 127.0.0.1? if not, there's nothing on lo to see...

Doesn't anyone have an idea?? All I want is Snort to capture traffic from the lo interface. Until now I cannot see any packets coming if I send them from the localhost (guest machine 127.0.0.1) to the same machine's web server (localhost 127.0.0.1).

I've attached a screenshot from tcpdump. This is the traffic from the lo interface when I'm not sending any packets from a slowhttp-tool. Always, I can see a connection opening from a different port from localhost to localhost's port 80, then closing, and then opening another one... I can't understand what's happening!!! Furthermore, tcpdump catches the attacking packets in the lo interface.

In snort.conf:
ipvar HOME_NET 127.0.0.1

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:
- Problem with acquiring traffic Alex Adamos (Feb 23)
- Re: Problem with acquiring traffic waldo kitty (Feb 23)
- Re: Problem with acquiring traffic Alex Adamos (Feb 23)
- Re: Problem with acquiring traffic Alex Adamos (Feb 23)
- Re: Problem with acquiring traffic Alex Adamos (Feb 25)
- Re: Problem with acquiring traffic Alex Adamos (Feb 23)
- Re: Problem with acquiring traffic waldo kitty (Feb 23)