Snort mailing list archives

Re: Problem with acquiring traffic


From: Alex Adamos <alexthakidadam () hotmail com>
Date: Sun, 24 Feb 2013 19:46:34 +0200




Date: Sat, 23 Feb 2013 14:12:43 -0500
From: wkitty42 () windstream net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem with acquiring traffic

On 2/23/2013 13:58, Alex Adamos wrote:
Hello!!

I wrote my own preprocessor to track flows to a web server and determine whether
the server is under a slow HTTP DoS attack. Now I want to test my preprocessor
and see "how many fish I can get" (Greek one, :p)!! I've installed Snort in an
Ubuntu VirtualBox guest (the host is Windows 7). To automate the tests I wrote
a bash script that each time starts Snort (with a different configuration for
my preprocessor) and starts the attack(s). So the Snort installation and the
attacker(s) should be on the same machine. For this reason, I thought that I
should capture traffic from the lo interface. But so far, I can't get any of the
attacker's packets.

Are you sending to/from 127.0.0.1? If not, there's nothing on lo to see...



Doesn't anyone have an idea?? All I want is for Snort to capture traffic
from the lo interface. Until now I cannot see any packets coming if I
send them from the localhost (guest machine, 127.0.0.1) to the same
machine's web server (localhost, 127.0.0.1).

I've attached a screenshot from tcpdump. This is the traffic on the lo
interface when I'm not sending any packets from a slow-HTTP tool. I can
always see a connection opening from a different port from localhost to
localhost's port 80, then closing, and then another one opening... I can't
understand what's happening!!!
Furthermore, tcpdump catches the attacking packets on the lo interface.

In snort.conf:
ipvar HOME_NET 127.0.0.1


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
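An added example, not from the thread, from the poster or from the Snort project: a Python script that crafts the loopback traffic described above (a TCP handshake to 127.0.0.1:80, then request headers trickled in one line at a time without the blank line that would complete the request) and writes it to a pcap with valid IP and TCP checksums, so the preprocessor can be exercised deterministically with `snort -c snort.conf -r slowhttp.pcap` instead of depending on live capture from lo. The file name, client port, sequence numbers, timestamps and header lines are constructed test values. It also includes a `verify_packet` check, because Snort by default discards packets whose IP or TCP checksum does not verify (`config checksum_mode` in snort.conf, or `-k none` on the command line), and on a Linux loopback interface checksum offload commonly hands libpcap TCP segments with an uncomputed checksum: `tcpdump -vv -i lo` still shows them (flagged as an incorrect checksum), while Snort silently drops them. That mismatch between "tcpdump sees it" and "Snort sees nothing" is worth ruling out before looking at the preprocessor itself.

```python
"""Craft a slow-HTTP session against 127.0.0.1:80 and save it as a pcap.

Added example for testing a Snort preprocessor offline; not from the thread
or from Snort. All addresses, ports, sequence numbers, timestamps and header
lines below are constructed test values.
"""
import struct

LINKTYPE_ETHERNET = 1          # what libpcap reports for Linux 'lo' (zero MACs)
ZERO_MAC = b"\x00" * 6
LOOPBACK = "127.0.0.1"
SYN, ACK, PSH = 0x02, 0x10, 0x08
BASE_TS = 1361730000.0         # constructed capture start time (seconds)


def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a correct header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_packet(sport, dport, seq, ack, flags, payload=b"",
                 src=LOOPBACK, dst=LOOPBACK):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 65535, 0, 0) + payload
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ZERO_MAC + ZERO_MAC + struct.pack("!H", 0x0800) + ip + tcp


def verify_packet(frame):
    """The check Snort applies by default: both checksums must verify to zero.
    Live loopback captures often fail this because of checksum offload."""
    ip = frame[14:34]
    if ip[0] != 0x45 or checksum(ip) != 0:
        return False
    tcp = frame[34:14 + struct.unpack("!H", ip[2:4])[0]]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0


def slow_http_session(client_port=40001, header_delay=10.0):
    """Handshake, then one header line every header_delay seconds, and never
    the blank line that ends the request: the slow-headers pattern."""
    cseq, sseq, ts = 1000, 5000, BASE_TS
    pkts = [(ts, build_packet(client_port, 80, cseq, 0, SYN)),
            (ts + 0.001, build_packet(80, client_port, sseq, cseq + 1, SYN | ACK))]
    cseq, sseq = cseq + 1, sseq + 1
    pkts.append((ts + 0.002, build_packet(client_port, 80, cseq, sseq, ACK)))
    lines = [b"GET / HTTP/1.1\r\n", b"Host: localhost\r\n",
             b"User-Agent: slowtest\r\n", b"X-a: 1\r\n", b"X-b: 2\r\n"]
    for i, line in enumerate(lines, 1):
        ts = BASE_TS + i * header_delay
        pkts.append((ts, build_packet(client_port, 80, cseq, sseq, PSH | ACK, line)))
        cseq += len(line)                       # server ACKs each fragment
        pkts.append((ts + 0.001, build_packet(80, client_port, sseq, cseq, ACK)))
    return pkts


def pcap_bytes(records, linktype=LINKTYPE_ETHERNET):
    """Classic libpcap file: 24-byte global header, then (header, frame) per packet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


if __name__ == "__main__":
    session = slow_http_session()
    assert all(verify_packet(f) for _, f in session)
    with open("slowhttp.pcap", "wb") as fh:      # constructed output file name
        fh.write(pcap_bytes(session))
    print("wrote %d packets; replay with: snort -c snort.conf -r slowhttp.pcap"
          % len(session))
```

Replaying the file with `-r` gives the same packets on every run of the bash script, which is what a preprocessor comparison across configurations needs. For the live case the same ideas apply: capture with `snort -i lo -c snort.conf`, and if tcpdump on lo reports incorrect TCP checksums while Snort stays silent, retry with `-k none` (or `config checksum_mode: none` in snort.conf) before changing anything in the preprocessor.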