Snort mailing list archives
Re: Seeking promiscuity, finding only fidelity: frustration reigns ...
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 23 Apr 2013 11:19:24 -0400
Yes, Snort is having the same problem as Wireshark. There is an unknown 12-byte header at the start of the packet that is throwing things off. Also, the snaplen needs to be increased to at least 1530. Suggest 0 (max).

On Mon, Apr 22, 2013 at 6:48 PM, Eric Fowler <eric.fowler () gmail com> wrote:

I should say I have noticed that my wireshark pcaps have a lot of packets that are marked 'Ethernet unknown' and the IP addresses are buried in them. So the wireless packets are being capped as ethernet packets and some other layer is not able to figure them out and deal with the headers & all.

Eric

On Mon, Apr 22, 2013 at 3:18 PM, Russ Combs <rcombs () sourcefire com> wrote:

On Mon, Apr 22, 2013 at 6:14 PM, Eric Fowler <eric.fowler () gmail com> wrote:

Hm, I attached one. It was probably stripped by the mailer. Am I capturing the pcap correctly? I will try to figure out how to get it through mail

Yes

Eric

On Mon, Apr 22, 2013 at 3:12 PM, Russ Combs <rcombs () sourcefire com> wrote:

No attachment. You can use Snort. Or you can use Wireshark. If you want to look at the pcap, I highly recommend getting Wireshark now.

On Mon, Apr 22, 2013 at 6:09 PM, Eric Fowler <eric.fowler () gmail com> wrote:

Hope this is what you are looking for. I got it with

snort -k none -n 400 -l <path>

If not tell me how to capture. Thanks

On Mon, Apr 22, 2013 at 2:58 PM, Russ Combs <rcombs () sourcefire com> wrote:

Can you send a pcap of that UDP / other traffic?

On Mon, Apr 22, 2013 at 5:50 PM, Eric Fowler <eric.fowler () gmail com> wrote:

Here is shutdown stuff (generated by snort -n 100 -k) w/out my app generating a lot of UDP traffic, takes ~10 seconds to gather 100 packets:

[root@localhost rules]# snort -n 100 -k none
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "wlan0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.5 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=21743)
04/22-14:46:05.942809 fe80::cad7:19ff:fe79:d19f -> ff02::1
<...deletia..>
===============================================================================
Run time for packet processing was 11.21033 seconds
Snort processed 100 packets.
Snort ran for 0 days 0 hours 0 minutes 11 seconds
   Pkts/sec:            9
===============================================================================
Packet I/O Totals:
   Received:          100
   Analyzed:          100 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          100 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:           71 ( 71.000%)
       Frag:            0 (  0.000%)
       ICMP:            1 (  1.000%)
        UDP:            0 (  0.000%)
        TCP:           70 ( 70.000%)
        IP6:            1 (  1.000%)
    IP6 Ext:            1 (  1.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            1 (  1.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:           28 ( 28.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          100
===============================================================================
Snort exiting

Same command, lots of UDP traffic, much faster process. Seems they are all ending up in the 'ethernet/other' bucket.

[root@localhost rules]# snort -n 100 -k none
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "wlan0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.5 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=21677)
===============================================================================
Run time for packet processing was 4.463474 seconds
Snort processed 100 packets.
Snort ran for 0 days 0 hours 0 minutes 4 seconds
   Pkts/sec:           25
===============================================================================
Packet I/O Totals:
   Received:          100
   Analyzed:          100 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          100 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:            0 (  0.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:            0 (  0.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:          100 (100.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          100
===============================================================================
Snort exiting
[root@localhost rules]#

So at this point I need to know how to look at payloads for those bucketed packets. The hardware, it seems, is doing what I want it to.

Eric

On Mon, Apr 22, 2013 at 2:30 PM, Russ Combs <rcombs () sourcefire com> wrote:

Lots of possibilities. Can you send shutdown or usr1 stats? Checksums? Did you try snort -k none?

On Mon, Apr 22, 2013 at 4:51 PM, Eric Fowler <eric.fowler () gmail com> wrote:

Story of my life ... I have a USB netcard that is in promiscuous mode - ifconfig says it is promiscuous, and I can use Wireshark to inspect packets that are sent between third parties (i.e. not the machine wireshark/snort is running on). I am able to flood the network with UDP traffic of known profile. Wireshark sees it. Snort does not. I have written a simple rule to catch all UDP traffic. It does see some packets but all are local. What is going wrong?

Help a lonely nerd find satisfaction, if only for tonight ....

Eric
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
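The diagnosis in Russ's reply has two parts: an unknown 12-byte header sits in front of every Ethernet frame, so Snort's Ethernet decoder reads garbage where the EtherType should be and files the packets under "Other"; and the default 1514-byte snaplen cuts the tail off any full-size frame once those 12 bytes are added. The script below is an added example, not code from this thread or from the Snort project. It takes a classic pcap, finds the offset at which the frames actually decode as Ethernet (the prefix length is detected, not assumed to be 12), counts frames truncated by the snaplen, strips the prefix and rewrites the capture with a snaplen large enough for full-size frames. The sample capture it builds is constructed to reproduce the symptom (a made-up 12-byte prefix and a 1514-byte snaplen); the function names are the example's own.

```python
"""
Added example (not from this thread): diagnose a pcap whose frames carry a
fixed-size unknown header before the Ethernet header, strip that header,
and report frames cut short by a too-small snaplen. Standard library only.
"""
import struct

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4
# EtherType -> IP version nibble expected in the byte after the header
# (None = nothing to check beyond the EtherType itself)
KNOWN_ETHERTYPES = {0x0800: 4, 0x86DD: 6, 0x0806: None, 0x8100: None}


def parse_pcap(data):
    """Parse a classic (non-pcapng) pcap. Returns (snaplen, linktype, records);
    each record is (ts_sec, ts_usec, orig_len, captured_bytes)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:            # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    snaplen, linktype = struct.unpack(end + "II", data[16:24])
    records, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, caplen, orig_len = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        records.append((ts_sec, ts_usec, orig_len, data[pos:pos + caplen]))
        pos += caplen
    return snaplen, linktype, records


def write_pcap(records, snaplen, linktype=LINKTYPE_ETHERNET):
    """Serialize records back to a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, orig_len, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len))
        out.append(frame)
    return b"".join(out)


def count_truncated(records):
    """Frames with fewer captured bytes than wire bytes: the signature of a
    snaplen smaller than the frames being captured."""
    return sum(1 for _, _, orig_len, frame in records if len(frame) < orig_len)


def looks_like_ethernet(frame, off):
    """True if an Ethernet header at `off` carries a known EtherType and, for
    IPv4/IPv6, the following byte has the matching version nibble."""
    if len(frame) < off + 15:
        return False
    etype = struct.unpack("!H", frame[off + 12:off + 14])[0]
    if etype not in KNOWN_ETHERTYPES:
        return False
    version = KNOWN_ETHERTYPES[etype]
    return version is None or (frame[off + 14] >> 4) == version


def detect_prefix_len(records, max_prefix=64):
    """Smallest offset at which the most frames decode as Ethernet (0 for a
    clean capture). Refuses to guess unless a majority of frames agree."""
    best_off, best_hits = 0, -1
    for off in range(max_prefix + 1):
        hits = sum(1 for _, _, _, frame in records if looks_like_ethernet(frame, off))
        if hits > best_hits:
            best_off, best_hits = off, hits
    if best_hits * 2 <= len(records):
        raise ValueError("no offset decodes a majority of frames as Ethernet")
    return best_off


def repair_capture(data, new_snaplen=65535):
    """Strip the detected prefix from every frame and re-emit the capture with
    a snaplen that fits full-size Ethernet frames. Returns (fixed_pcap,
    prefix_len, truncated_count). Bytes the old snaplen dropped cannot be
    recovered, so those frames stay short in the output."""
    _, linktype, records = parse_pcap(data)
    n = detect_prefix_len(records)
    fixed = [(s, u, orig_len - n, frame[n:]) for s, u, orig_len, frame in records]
    return write_pcap(fixed, new_snaplen, linktype), n, count_truncated(records)


def ipv4_udp_frame(payload_len):
    """Constructed Ethernet/IPv4/UDP frame, checksums left zero (test data)."""
    udp = struct.pack("!HHHH", 40000, 5000, 8 + payload_len, 0) + b"A" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + udp
    return b"\xff" * 6 + bytes([0, 0x11, 0x22, 0x33, 0x44, 0x55]) + b"\x08\x00" + ip


def build_sample_capture(prefix=bytes(range(12)), snaplen=1514):
    """Constructed capture reproducing the symptom: an assumed 12-byte header
    precedes every frame, and the 1514-byte snaplen cuts the one frame that
    is already 1514 bytes (14 eth + 20 ip + 8 udp + 1472 payload) on its own."""
    frames = [ipv4_udp_frame(64), ipv4_udp_frame(1472), ipv4_udp_frame(200)]
    records = []
    for i, frame in enumerate(frames):
        raw = prefix + frame
        records.append((1366659600 + i, 0, len(raw), raw[:snaplen]))
    return write_pcap(records, snaplen)


if __name__ == "__main__":
    cap = build_sample_capture()
    snaplen, _, recs = parse_pcap(cap)
    print("snaplen %d, %d frames, %d truncated, Ethernet header at offset %d"
          % (snaplen, len(recs), count_truncated(recs), detect_prefix_len(recs)))
    _, n, truncated = repair_capture(cap)
    print("stripped %d-byte prefix; %d frame(s) remain truncated" % (n, truncated))
```

Point it at a real file with parse_pcap(open(path, "rb").read()) to see whether the two symptoms are present before changing anything. Stripping the prefix only helps offline analysis of an existing capture; for live capture the fix is on the capture side (Snort 2.9 takes the snaplen from its -P option, and the interface must hand libpcap frames that really start with an Ethernet header). The script does not identify what the 12 bytes are, and the thread does not say either.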
Current thread:
- Seeking promiscuity, finding only fidelity: frustration reigns ... Eric Fowler (Apr 22)
- Re: Seeking promiscuity, finding only fidelity: frustration reigns ... Russ Combs (Apr 22)
- Re: Seeking promiscuity, finding only fidelity: frustration reigns ... Russ Combs (Apr 23)
- Re: Seeking promiscuity, finding only fidelity: frustration reigns ... Eric Fowler (Apr 23)
- Re: Seeking promiscuity, finding only fidelity: frustration reigns ... Russ Combs (Apr 22)