Snort mailing list archives
Re: Log questions
From: Phil <foo_bar_00 () yahoo com>
Date: Sat, 18 Aug 2001 13:23:45 -0700 (PDT)
Martin (and everyone else), I started fooling around based on your last message about using snort in sniffer mode and found some pretty interesting things. For starters, I started using snort in sniffing mode on various interfaces. Just to remind you, I'm using PPPoE, which puts a virtual interface called ppp0 on top of elxl0. That means that only PPP framing comes in on elxl0 and the IP stuff comes in on ppp0. For example, if I use SNOOP instead of snort to sniff I get:

? -> * ETHER Type=8864 (Unknown), size = 82 bytes
? -> * ETHER Type=8864 (Unknown), size = 122 bytes
? -> * ETHER Type=8864 (Unknown), size = 62 bytes

However, if I use SNORT it decodes the PPP frames:

08/18-13:09:24.201007 66.20.209.121:1176 -> x.x.x.x:22
TCP TTL:113 TOS:0x0 ID:16909 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xAF6FD2 Ack: 0xA7BFE478 Win: 0x1F6C TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/18-13:09:24.219220 66.20.209.121:1176 -> x.x.x.x:22
TCP TTL:113 TOS:0x0 ID:17165 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xAF6FD2 Ack: 0xA7BFE6B0 Win: 0x1D34 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/18-13:09:24.270469 66.20.209.121:1176 -> x.x.x.x:22
TCP TTL:113 TOS:0x0 ID:17421 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xAF6FD2 Ack: 0xA7BFE8F0 Win: 0x22B0 TcpLen: 20

That in itself isn't a huge discovery; you probably know you built that into Snort. However, the interesting part is I cannot limit my dumps with snort on elxl0, but I can on ppp0. For example:

snort -dv -i ppp0 not port 22

does what it's supposed to, while

snort -dv -i elxl0 not port 22

shows TONS of packets to and from port 22.

Additionally, I was running snort last night and ran the attack scripts from a machine outside the network.
The following got completed (the rest were either status 'skipped' or I got tired after an hour and stopped):

Simulating attack over udp/10067 - "Portal Of Doom" Host: 165.247.230.157 - OK
Simulating attack over udp/5632 - "PCAnywhere" Host: 165.247.230.157 - OK
Simulating attack over udp/22 - "PCAnywhere" Host: 165.247.230.157 - OK
Simulating attack over udp/22 - "PCAnywhere" Host: 165.247.230.157 - OK
Simulating attack over udp/36123 - "Deep Throat access" Host: 165.247.230.157 - OK
Simulating attack over udp/10067 - "Possible Portal of Doom access" Host: 165.247.230.157 - OK
Simulating attack over udp/10167 - "Possible Portal of Doom access" Host: 165.247.230.157 - OK
Simulating attack over udp/7552 - "Portal of Doom access" Host: 165.247.230.157 - OK
Simulating attack over udp/56945 - "Portal of Doom access" Host: 165.247.230.157 - OK
Simulating attack over udp/31789 - "Possible Hack a Tack access" Host: 165.247.230.157 - OK
Simulating attack over udp/31791 - "Possible Hack a Tack access" Host: 165.247.230.157 - OK

But not one of them was picked up by snort. I'm running snort with the following options:

/usr/local/bin/snort -A fast -i ppp0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D

and I have all the default includes in snort.conf. I have HOME_NET set to $ppp0_ADDRESS and EXTERNAL_NET is set to !$HOME_NET.

I'm running snort Version 1.8.1-RELEASE (Build 74) on Solaris 8 x86 MU5 (7/01).

Let me know what you think. Thanks.

Phil
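The elxl0 versus ppp0 filter difference reported above, as an added Python example that is not from the post or from Snort: it builds a constructed PPPoE-encapsulated TCP frame (the Type=8864 frames snoop shows) and compares a "port 22" test evaluated against raw Ethernet framing, which only reaches IP through ethertype 0x0800, with a decoder that unwraps PPPoE and PPP first, the way Snort does. The MAC addresses, the PPPoE session id, the zeroed checksums and the 192.0.2.1 destination standing in for x.x.x.x are constructed sample values.

```python
import socket
import struct

ETH_IPV4 = 0x0800
ETH_PPPOE_SESSION = 0x8864   # the "Type=8864" frames snoop reports on elxl0
PPP_IPV4 = 0x0021            # PPP protocol number for IPv4

def build_tcp_frame(src_ip, sport, dst_ip, dport, pppoe=True):
    """Constructed sample: Ethernet / [PPPoE session / PPP] / IPv4 / TCP (ACK only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0xAF6FD2, 0xA7BFE478,
                      5 << 4, 0x10, 0x1F6C, 0, 0)           # checksums left 0: sample only
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 16909, 0x4000, 113, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # constructed MACs
    if not pppoe:
        return macs + struct.pack("!H", ETH_IPV4) + ip + tcp
    ppp = struct.pack("!H", PPP_IPV4) + ip + tcp
    # PPPoE session header: ver/type 0x11, code 0 (session data), session id, payload length
    return macs + struct.pack("!HBBHH", ETH_PPPOE_SESSION, 0x11, 0x00, 1, len(ppp)) + ppp

def _ports(ip):
    """(proto, sport, dport) of the TCP/UDP segment inside an IPv4 packet."""
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (6, 17):
        return proto, None, None
    return (proto,) + struct.unpack_from("!HH", ip, ihl)

def ethernet_bpf_port(frame, port):
    """'port N' evaluated against raw Ethernet framing, as on elxl0: IP is reachable only
    through ethertype 0x0800, so a PPPoE frame never matches and 'not port N' keeps it."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return False
    return port in _ports(frame[14:])[1:]

def pppoe_aware_port(frame, port):
    """What Snort's decoder (or a filter on ppp0) sees: unwrap PPPoE and PPP first."""
    if struct.unpack_from("!H", frame, 12)[0] == ETH_PPPOE_SESSION:
        # code 0 = session data; the PPP protocol field must announce IPv4
        if frame[15] != 0 or struct.unpack_from("!H", frame, 20)[0] != PPP_IPV4:
            return False
        return port in _ports(frame[22:])[1:]
    return ethernet_bpf_port(frame, port)     # plain IPv4, or something neither reads

if __name__ == "__main__":
    f = build_tcp_frame("66.20.209.121", 1176, "192.0.2.1", 22)  # 192.0.2.1 stands in for x.x.x.x
    print("elxl0 'not port 22' still passes it:", not ethernet_bpf_port(f, 22))  # True
    print("after PPPoE decoding it is port 22:", pppoe_aware_port(f, 22))        # True
```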