Snort mailing list archives
Re: snort-inline and iptables INPUT chain
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 2 Mar 2005 15:58:31 -0600
Nothing is showing up in your alert logs? Is it just ssh or does this happen with all connections? Try the following....

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j QUEUE
iptables -A FORWARD -j QUEUE
iptables -A OUTPUT -j QUEUE

In your snort.conf set checksum mode to none:

config checksum_mode: none

Regards,
Will

On Wed, 02 Mar 2005 20:16:38 +0100, Laurent Haond <lhaond () bearstech com> wrote:
Will Metcalf wrote:
If you start snort with snort -Q -v -c /etc/snort/snort.conf do you see any traffic?
Regards,
Will

Sure, I see some traffic. Here are tethereal captures (done on 192.168.0.2, which is the ssh client with NO firewall):

=> case 1: ssh establishing WITHOUT snort-inline / queue:

Capturing on eth0
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=567646 TSER=0 WS=0
0.000422 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=583170 TSER=567646 WS=0
0.000456 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=567647 TSER=583170
0.091878 192.168.0.2 -> 192.168.0.1 SSH Server Protocol: SSH-2.0-OpenSSH
0.091892 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1 Ack=25 Win=5840 Len=0 TSV=567656 TSER=583180
0.091949 192.168.0.1 -> 192.168.0.2 SSH Client Protocol: SSH-2.0-OpenSSH
0.092158 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=25 Ack=42 Win=5792 Len=0 TSV=583180 TSER=567656
0.092166 192.168.0.1 -> 192.168.0.2 SSHv2 Client: Key Exchange Init
0.092429 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=25 Ack=650 Win=6688 Len=0 TSV=583180 TSER=567656
0.096161 192.168.0.2 -> 192.168.0.1 SSHv2 Server: Key Exchange Init
0.096229 192.168.0.1 -> 192.168.0.2 SSHv2 Client: Diffie-Hellman GEX Request
0.112155 192.168.0.2 -> 192.168.0.1 SSHv2 Server: Diffie-Hellman Key Exchange Reply
0.113776 192.168.0.1 -> 192.168.0.2 SSHv2 Client: Diffie-Hellman GEX Init
0.150941 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=785 Ack=818 Win=7904 Len=0 TSV=583186 TSER=567658
0.253657 192.168.0.2 -> 192.168.0.1 SSHv2 Server: Diffie-Hellman GEX Reply
0.255864 192.168.0.1 -> 192.168.0.2 SSHv2 Client: New Keys
0.256059 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=1249 Ack=834 Win=7904 Len=0 TSV=583196 TSER=567672
0.256068 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=48
0.256240 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=1249 Ack=882 Win=7904 Len=0 TSV=583196 TSER=567672
0.256615 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=48
0.256922 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=64
0.258581 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=80
0.258646 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=528
0.260759 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=80
0.260799 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=96
0.261335 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=80
0.300461 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1570 Ack=1537 Win=7904 Len=0 TSV=567677 TSER=583197

so ok it works normally...

=> case 2: ssh establishing WITH snort-inline / queue:

Capturing on eth0
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=599536 TSER=0 WS=0
0.000557 192.168.0.2 -> 192.168.0.1 TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=615058 TSER=599536 WS=0
0.000577 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=599536 TSER=615058

then nothing more is received...

But on 192.168.0.1 (snort box using snort -Q -v -c /etc/snort/snort.conf) I see traffic from 192.168.0.2:22 -> 192.168.0.1:32862 after that... But this traffic is never received by 192.168.0.1 !!

Regards
Laurent
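Added example, not part of the thread: a small Python parser for the one-line tethereal summary format quoted above, with a check for the symptom Laurent describes (a completed three-way handshake followed by nothing). The sample captures are constructed from the lines in the thread, shortened to the fields the check needs.

```python
import re
from dataclasses import dataclass
# One line of tethereal's summary output, in the shape quoted in the thread:
#   <time> <src> -> <dst> <proto> <info>
LINE_RE = re.compile(r"^\s*(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*)$")

@dataclass
class Packet:
    time: float
    src: str
    dst: str
    proto: str
    info: str

    def tcp_flags(self):
        # Flags come from the bracketed part of the info column, e.g. "[SYN, ACK]".
        m = re.search(r"\[([^\]]*)\]", self.info)
        return {f.strip() for f in m.group(1).split(",")} if m else set()

def parse_tethereal(text):
    # Lines that do not match (e.g. "Capturing on eth0") are skipped.
    rows = (LINE_RE.match(line) for line in text.splitlines())
    return [Packet(float(m[1]), m[2], m[3], m[4], m[5]) for m in rows if m]

def handshake_complete(packets):
    # First three packets must be client SYN, server SYN/ACK, client ACK on one flow.
    if len(packets) < 3:
        return False
    syn, synack, ack = packets[:3]
    return (syn.tcp_flags() == {"SYN"} and synack.tcp_flags() == {"SYN", "ACK"}
            and ack.tcp_flags() == {"ACK"} and syn.src == ack.src == synack.dst
            and syn.dst == synack.src)

def stalled_after_handshake(packets):
    # The symptom in the thread: handshake completes, then nothing more arrives.
    return handshake_complete(packets) and len(packets) == 3

# Constructed samples: the three-packet "case 2" capture from the thread, and the start of
# the healthy "case 1" capture including the SSH banner exchange that follows the handshake.
STALLED = """\
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
0.000557 192.168.0.2 -> 192.168.0.1 TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
0.000577 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0
"""
HEALTHY = """\
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
0.000422 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
0.000456 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.091878 192.168.0.2 -> 192.168.0.1 SSH Server Protocol: SSH-2.0-OpenSSH
0.091949 192.168.0.1 -> 192.168.0.2 SSH Client Protocol: SSH-2.0-OpenSSH
"""
```

Running `stalled_after_handshake(parse_tethereal(STALLED))` on the client-side capture flags the inline case, while the healthy capture passes the handshake check but is not stalled.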