Snort mailing list archives

Re: ssh-tunnel between sensor and database-server


From: Skip Carter <skip () taygeta com>
Date: Fri, 27 Aug 2004 08:28:14 -0700


I have built an ssh-tunnel between my snort-sensor and my
database-server and it seems to work.

I would like to control this with tcpdump and it shows something like
this:

      "IP1".32817 > "IP2".22 
      "IP2".22 > "IP1".32817

I expect port 3306 instead of 32817 and that confuses me.

Can anyone explain to me why 32817 is used?
Does ssh "hide" the source-port by using it?

    This just looks like the other end of your interactive session.

    I presume you are doing something like (from IP1):

    ssh -R 3306:IP2:3306 IP2

    If so, you should see on IP2 a service listening on IP2 at 3306 after you
    have authenticated.  'netstat -an' might be a more useful diagnostic to see
    if you got it working, tcpdump won't help until you start pushing data
    through it.



Skip





-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
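
Added example (not part of the message above or of the original question): a shell check along the lines of the 'netstat -an' suggestion. It separates the forwarded listener on 3306 from the SSH transport connection, which is the ephemeral-port <-> 22 pair that tcpdump shows. The sample netstat output, its addresses and the function name tunnel_report are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of Linux-style `netstat -an` output. The addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.20:22           192.0.2.10:32817        ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# tunnel_report PORT  (hypothetical helper, reads `netstat -an` on stdin)
# Prints:
#   listener <addr>           for each TCP socket in LISTEN state on PORT
#   transport <local> <peer>  for each ESTABLISHED TCP connection that has
#                             port 22 on either end (the SSH session that
#                             carries the forwarded traffic)
# Exit status is 0 only if a listener on PORT was found.
tunnel_report() {
    awk -v port="$1" '
        # Last field after ":" (Linux) or "." (BSD-style) is the port.
        function portof(addr,   n, parts) {
            n = split(addr, parts, "[:.]")
            return parts[n]
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" && portof($4) == port {
            print "listener", $4
            found = 1
        }
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" &&
            (portof($4) == "22" || portof($5) == "22") {
            print "transport", $4, $5
        }
        END { exit (found ? 0 : 1) }
    '
}

# Demo on the constructed sample; on a live host use: netstat -an | tunnel_report 3306
printf '%s\n' "$SAMPLE_NETSTAT" | tunnel_report 3306
```

The "transport" line is the connection tcpdump reports: forwarded MySQL traffic is carried inside it, so port 3306 never appears on the wire between the two hosts.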










