Snort mailing list archives

Re: Log questions


From: Phil <foo_bar_00 () yahoo com>
Date: Sat, 18 Aug 2001 13:23:45 -0700 (PDT)

Martin (and everyone else),
I started fooling around based on your last message
(about using snort in sniffer mode) and found some
pretty interesting things.

For starters, I started using snort in sniffing mode
on various interfaces. Just to remind you, I'm using
PPPoE, which puts a virtual interface called ppp0 on top
of elxl0. That means that only PPP framing comes in on
elxl0 and the IP stuff comes in on ppp0. For example,
if I use SNOOP instead of snort to sniff I get:

? -> *     ETHER Type=8864 (Unknown), size = 82 bytes
? -> *     ETHER Type=8864 (Unknown), size = 122 bytes
? -> *     ETHER Type=8864 (Unknown), size = 62 bytes

However if I use SNORT it decodes the PPP frames:

08/18-13:09:24.201007 66.20.209.121:1176 -> x.x.x.x:22
TCP TTL:113 TOS:0x0 ID:16909 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xAF6FD2  Ack: 0xA7BFE478  Win: 0x1F6C 
TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/18-13:09:24.219220 66.20.209.121:1176 -> x.x.x.x:22
TCP TTL:113 TOS:0x0 ID:17165 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xAF6FD2  Ack: 0xA7BFE6B0  Win: 0x1D34 
TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/18-13:09:24.270469 66.20.209.121:1176 -> x.x.x.x:22
TCP TTL:113 TOS:0x0 ID:17421 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xAF6FD2  Ack: 0xA7BFE8F0  Win: 0x22B0 
TcpLen: 20


That in itself isn't a huge discovery; you probably
know you built that into Snort. However, the
interesting part is I cannot limit my dumps with snort
on elxl0, but I can on ppp0. For example:

snort -dv -i ppp0 not port 22

Does what it's supposed to while

snort -dv -i elxl0 not port 22

shows TONS of packets to and from port 22.

Additionally, I was running snort last night and ran
the attack scripts from a machine outside the network.
The following got completed (the rest were either
status 'skipped' or I got tired after an hour and
stopped):

Simulating attack over udp/10067  - "Portal Of Doom"
Host: 165.247.230.157 - OK
Simulating attack over udp/5632  - "PCAnywhere"
Host: 165.247.230.157 - OK
Simulating attack over udp/22  - "PCAnywhere"
Host: 165.247.230.157 - OK
Simulating attack over udp/22  - "PCAnywhere"
Host: 165.247.230.157 - OK
Simulating attack over udp/36123  - "Deep Throat access"
Host: 165.247.230.157 - OK
Simulating attack over udp/10067  - "Possible Portal of Doom access"
Host: 165.247.230.157 - OK
Simulating attack over udp/10167  - "Possible Portal of Doom access"
Host: 165.247.230.157 - OK
Simulating attack over udp/7552  - "Portal of Doom access"
Host: 165.247.230.157 - OK
Simulating attack over udp/56945  - "Portal of Doom access"
Host: 165.247.230.157 - OK
Simulating attack over udp/31789  - "Possible Hack a Tack access"
Host: 165.247.230.157 - OK
Simulating attack over udp/31791  - "Possible Hack a Tack access"
Host: 165.247.230.157 - OK

But not one of them was picked up by snort. I'm
running snort with the following options:

/usr/local/bin/snort -A fast -i ppp0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D

and I have all the default includes in snort.conf. I
have HOME_NET set to $ppp0_ADDRESS and EXTERNAL_NET is
set to !$HOME_NET.

I'm running snort Version 1.8.1-RELEASE (Build 74)
Solaris 8 x86 MU5 (7/01)

Let me know what you think. Thanks.
Phil
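The sniffer-mode observation above (Snort decodes the TCP session on elxl0, yet `not port 22` does not filter it there) comes down to where the IP header sits in the frame: the BPF `port` primitive only inspects frames whose EtherType is IP, while on elxl0 the frames carry EtherType 0x8864 (PPPoE session) with a PPPoE and PPP header in front of IP. The following Python is an added example, not code from the thread or from Snort; it builds a constructed ACK-only frame both ways and compares a decoder that walks Ethernet -> PPPoE -> PPP -> IPv4 -> TCP against a plain EtherType check.

```python
import socket
import struct

ETH_IP = 0x0800             # plain IPv4 frame, the only EtherType BPF "port N" matches
ETH_PPPOE_SESSION = 0x8864  # the EtherType snoop reported on elxl0
PPP_IP = 0x0021             # PPP protocol number for IPv4

def build_tcp_frame(src_ip, dst_ip, sport, dport, pppoe):
    """Constructed test frame: Ethernet, optionally PPPoE session + PPP, then IPv4 + TCP."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0xAF6FD2, 0xA7BFE478,
                      5 << 4, 0x10, 0x1F6C, 0, 0)          # ACK-only TCP header, no payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 16909, 0x4000,
                     113, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    if not pppoe:
        return b"\x00" * 12 + struct.pack("!H", ETH_IP) + ip + tcp
    ppp = struct.pack("!H", PPP_IP) + ip + tcp
    pppoe_hdr = struct.pack("!BBHH", 0x11, 0x00, 1, len(ppp))  # ver 1, type 1, code 0 = session data
    return b"\x00" * 12 + struct.pack("!H", ETH_PPPOE_SESSION) + pppoe_hdr + ppp

def plain_ip_ethertype(frame):
    """True only when IPv4 directly follows the Ethernet header, which is all 'port N' checks."""
    return struct.unpack("!H", frame[12:14])[0] == ETH_IP

def decode(frame):
    """Walk Ethernet -> [PPPoE -> PPP] -> IPv4 -> TCP/UDP, as a PPPoE-aware decoder must.
    Returns (src, dst, ip_proto, sport, dport), or None if no IPv4 header is reachable."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETH_PPPOE_SESSION:
        ver_type, code, _session, _length = struct.unpack("!BBHH", frame[14:20])
        if ver_type != 0x11 or code != 0x00:
            return None                       # unknown version or discovery-stage packet
        if struct.unpack("!H", frame[20:22])[0] != PPP_IP:
            return None                       # LCP/IPCP etc., not an IP datagram
        off = 22
    elif ethertype != ETH_IP:
        return None
    ihl = (frame[off] & 0x0F) * 4
    ip_proto = frame[off + 9]
    src = socket.inet_ntoa(frame[off + 12:off + 16])
    dst = socket.inet_ntoa(frame[off + 16:off + 20])
    if ip_proto not in (6, 17):
        return (src, dst, ip_proto, None, None)
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return (src, dst, ip_proto, sport, dport)

def involves_port(frame, port):
    """'port N' evaluated after full decoding, so it gives the same answer on ppp0 and elxl0."""
    d = decode(frame)
    return d is not None and port in (d[3], d[4])
```

The constructed PPPoE frame is 62 bytes (14 Ethernet + 6 PPPoE + 2 PPP + 20 IP + 20 TCP), the same size snoop showed above for the pure ACKs.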



