Snort mailing list archives
Re: Snort + ipchains
From: John Sage <jsage () finchhaven com>
Date: Sat, 01 Dec 2001 13:34:02 -0800
Guillaume:

Guillaume wrote:

> In reply to John Sage <jsage () finchhaven com>:
>
> > Guillaume: It's interesting to note that the HOW-TO doesn't even mention -o except in a cross-reference to ipfwadm commands. man ipchains says "Copy matching packets to the user space device..." I've never used it; hardly knew it existed. What exactly are you hoping to accomplish?
>
> I would like to capture rejected/denied packets in raw binary format for a kind of forensic analysis, in search of new attack tracks. For that, ipchains logs are not enough. All I can do is suspect these packets just because they were rejected by ipchains...
That sounds a lot like what I'm doing:

My method is to run snort in -b binary capture mode against my own rulesets that essentially act upon *every* packet by either alerting (on a specific port, for example...) or by alerting/logging entire port ranges so that everything is captured.
Here's an example of the rules that act upon ports:

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP to 445 Win2k SMB";)
alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"TCP from 445 Win2k SMB";)
#

And upon port ranges:

# Blanket ALERT FROM ranges, leave holes for services we like ;-)
#
alert tcp $EXTERNAL_NET 0:20 -> $HOME_NET any (msg:"TCP from range 0-20";)
# 21 ftp
alert tcp $EXTERNAL_NET 22:24 -> $HOME_NET any (msg:"TCP from range 22-24";)
# 25 smtp
alert tcp $EXTERNAL_NET 26:42 -> $HOME_NET any (msg:"TCP from range 26-42";)
# 43 whois
alert tcp $EXTERNAL_NET 44:79 -> $HOME_NET any (msg:"TCP from range 44-79";)
# 80 http
alert tcp $EXTERNAL_NET 81:109 -> $HOME_NET any (msg:"TCP from range 81-109";)
# 110 pop3

(Now, having said this, let me say that my ipchains rules actually block most of those ports that seem to be open, by limiting connections to a specific set of source IPs...)

Here's an example of the rules (bi-directional) that log entire ranges:

# Blanket LOG FROM bidirectional ranges so everything is logged
#
log tcp $EXTERNAL_NET 0:1024 <> $HOME_NET any (msg:"TCP to/from range 0-1024";)
log tcp $EXTERNAL_NET 1025:60999 <> $HOME_NET any (msg:"TCP to/from range 1025-60999";)
log tcp $EXTERNAL_NET 61000:65095 <> $HOME_NET any (msg:"TCP to/from masq range";)
log tcp $EXTERNAL_NET 65096:65535 <> $HOME_NET any (msg:"TCP to/from beyond masq range";)
#
# run with: snort -b -i ppp0 -c /usr/local/snort-1.8.2/snort182.conf &

The net effect is that *every* packet is accounted for, somehow, both incoming and outgoing.
Later I analyze the binary logs with the rules that come provided with snort...
HTH.. - John
> My thought is to capture all that and perform post-analysis with snort or any other network utility. The hardest part being that, if ipchains and snort are up to date, no signature or rule will match captured traffic... But the goal is to write new ones.
>
> Guillaume
>
> ***********************************
> Sent with HORDE/IMP (www.horde.org)
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
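As an added example (not code from the post, from either poster, or from the Snort project): a small Python checker for the "blanket" rule style John describes. It parses the port field on the $EXTERNAL_NET side of rule lines in the subset of Snort 1.x syntax the post uses (single ports, lo:hi ranges, open-ended ranges and any; port lists and negation are not handled and raise an error), then reports which of the 65536 TCP ports no rule matches and which ports more than one rule matches. The two rulesets embedded in the block are constructed copies of the post's alert and log rules. Run on them, the alert set shows exactly the holes left for 21, 25, 43, 80 and everything from 110 upward (the quoted excerpt stops at 110), while the four log ranges cover 0-65535 with no gap and no overlap, which is the "every packet is accounted for" property worth verifying before trusting a binary capture as complete.

```python
"""Port-coverage check for Snort "blanket" rulesets of the kind shown in the thread.

Added example, not code from the original post or from the Snort project. It reads the
port field on the $EXTERNAL_NET side of Snort-1.x-style rule lines and reports holes
(ports no rule matches) and overlaps (ports several rules match).
"""
import re

PORT_MAX = 65535

# Constructed sample rulesets in the style of the post: the alert rules deliberately
# leave holes for "services we like", the log rules are meant to cover everything.
ALERT_RULES = """
alert tcp $EXTERNAL_NET 0:20 -> $HOME_NET any (msg:"TCP from range 0-20";)
# 21 ftp
alert tcp $EXTERNAL_NET 22:24 -> $HOME_NET any (msg:"TCP from range 22-24";)
# 25 smtp
alert tcp $EXTERNAL_NET 26:42 -> $HOME_NET any (msg:"TCP from range 26-42";)
# 43 whois
alert tcp $EXTERNAL_NET 44:79 -> $HOME_NET any (msg:"TCP from range 44-79";)
# 80 http
alert tcp $EXTERNAL_NET 81:109 -> $HOME_NET any (msg:"TCP from range 81-109";)
# 110 pop3
"""

LOG_RULES = """
log tcp $EXTERNAL_NET 0:1024 <> $HOME_NET any (msg:"TCP to/from range 0-1024";)
log tcp $EXTERNAL_NET 1025:60999 <> $HOME_NET any (msg:"TCP to/from range 1025-60999";)
log tcp $EXTERNAL_NET 61000:65095 <> $HOME_NET any (msg:"TCP to/from masq range";)
log tcp $EXTERNAL_NET 65096:65535 <> $HOME_NET any (msg:"TCP to/from beyond masq range";)
"""

# Rule header: action proto src sport dir dst dport, followed by the "(" of the options.
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def parse_ports(spec):
    """Inclusive (lo, hi) for a port spec: 'any', '445', '0:20', ':1024', '1025:'."""
    if spec == "any":
        return 0, PORT_MAX
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0), (int(hi) if hi else PORT_MAX)
    port = int(spec)  # lists like "21,25" or negation "!80" are not supported here
    return port, port


def parse_rules(text):
    """Rule dicts for every non-comment line; an unparsable line is an error, not skipped."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = RULE_RE.match(line)
        if match is None:
            raise ValueError("unparsed rule line: %r" % line)
        rules.append(match.groupdict())
    return rules


def hit_counts(rules, field="sport"):
    """How many rules match each port 0..65535 in the given port field (sport or dport)."""
    counts = [0] * (PORT_MAX + 1)
    for rule in rules:
        lo, hi = parse_ports(rule[field])
        for port in range(lo, hi + 1):
            counts[port] += 1
    return counts


def runs(ports):
    """Collapse a sorted list of ports into inclusive (lo, hi) ranges."""
    out = []
    for port in ports:
        if out and port == out[-1][1] + 1:
            out[-1] = (out[-1][0], port)
        else:
            out.append((port, port))
    return out


def holes(rules, field="sport"):
    """Port ranges no rule matches: traffic there is neither alerted on nor logged."""
    counts = hit_counts(rules, field)
    return runs([p for p in range(PORT_MAX + 1) if counts[p] == 0])


def overlaps(rules, field="sport"):
    """Port ranges more than one rule matches: each packet there is recorded more than once."""
    counts = hit_counts(rules, field)
    return runs([p for p in range(PORT_MAX + 1) if counts[p] > 1])


if __name__ == "__main__":
    for name, text in (("alert", ALERT_RULES), ("log", LOG_RULES)):
        parsed = parse_rules(text)
        print("%s rules: %d parsed, holes=%s, overlaps=%s"
              % (name, len(parsed), holes(parsed), overlaps(parsed)))
```

The check is deliberately on the port field of the $EXTERNAL_NET side, because that is the field the post carves into ranges; pass field="dport" to audit the $HOME_NET side of the "->" rules instead (the two 445 rules, for instance, only cover one port in each direction). A ruleset that is meant to feed a binary capture for later analysis should come back with no holes, and any overlap is worth removing so the same packet is not written twice.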
Current thread:
- Snort + ipchains Guillaume (Nov 30)
- Re: Snort + ipchains John Sage (Nov 30)
- RE: Snort + ipchains Martijn Heemels (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Martijn Heemels (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Erek Adams (Dec 01)
- Re: Snort + ipchains Ed Wiget (Dec 01)
- RE: Snort + ipchains Martijn Heemels (Dec 01)
- Re: Snort + ipchains John Sage (Nov 30)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains John Berkers (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Martijn Heemels (Dec 02)
- Re: Snort + ipchains John Sage (Dec 02)