Snort mailing list archives

Re: Snort for Broadcast Detection counts only


From: Phil Wood <cpw () lanl gov>
Date: Wed, 4 Dec 2002 09:50:50 -0700

Snort will not see all the broadcasts.  You might want to use tcpdump.
You would have to twiddle with the attached sed script to match all the
different types of broadcasts on your particular network.  But, first
just run the following command:

  tcpdump -i <your_interface> -qn -c 100 broadcast > /tmp/100

Take a look at the file to see the different types.  And try a version of
this god-awful script:
:
cat /tmp/100 | sed -e 's/^.*IP //' -e 's/^.*) //' -e 's/^.*arp who-has //' \
    -e 's/> //' -e 's/tell //' -e 's/: .*//' -e 's/:ipx.*//' \
    | sort | uniq -c | sort -rn

And you will get something like this:

     12 192.168.114.119.137 192.168.114.255.137
     11 192.168.114.52 192.168.114.241
      8 192.168.114.102 192.168.114.241
      6 192.168.114.205.137 192.168.114.255.137
      5 192.168.114.134 192.168.114.241
      5 192.168.114.100 192.168.114.29
      3 192.168.177.29.137 192.168.177.255.137
      3 192.168.114.119.138 192.168.114.255.138
      2 192.168.177.25 192.168.177.241
      2 192.168.114.215 192.168.114.241
      2 192.168.114.214 192.168.114.241
      2 192.168.114.213 192.168.114.241
      2 192.168.114.212 192.168.114.241
      2 192.168.114.211 192.168.114.241
      2 00000000.00:60:b0:f1:70:2c.400b 00000000.ff:ff:ff:ff:ff:ff.0452
      1 192.168.4.200 192.168.114.110
      1 192.168.4.115 192.168.114.21
      1 192.168.177.84 192.168.177.11
      1 192.168.177.31 192.168.177.241
      1 192.168.177.150 192.168.177.241
      1 192.168.177.124.138 192.168.177.255.138
      1 192.168.177.124 192.168.177.241
      1 192.168.114.71 192.168.114.238
      1 192.168.114.69.138 192.168.114.255.138
      1 192.168.114.65 192.168.114.241
      1 192.168.114.61.138 192.168.114.255.138
      1 192.168.114.247.138 192.168.114.255.138
      1 192.168.114.241 192.168.114.32
      1 192.168.114.238.138 192.168.114.255.138
      1 192.168.114.237.138 192.168.114.255.138
      1 192.168.114.234.138 192.168.114.255.138
      1 192.168.114.225.138 192.168.255.255.138
      1 192.168.114.2 192.168.114.173
      1 192.168.114.197 192.168.114.190
      1 192.168.114.192 192.168.114.78
      1 192.168.114.192 192.168.114.247
      1 192.168.114.192 192.168.114.238
      1 192.168.114.188 192.168.114.241
      1 192.168.114.161 192.168.114.173
      1 192.168.114.16.138 192.168.114.255.138
      1 192.168.114.145 192.168.177.14
      1 192.168.114.111 192.168.114.173
      1 00000000.00:60:b0:f1:70:2c.0452 00000000.ff:ff:ff:ff:ff:ff.0452
      1 00000000.00:60:b0:ca:53:4c.0452 00000000.ff:ff:ff:ff:ff:ff.0452
      1 00000000.00:60:b0:c7:18:89.0452 00000000.ff:ff:ff:ff:ff:ff.0452
      1 00000000.00:60:b0:9b:6e:4c.0452 00000000.ff:ff:ff:ff:ff:ff.0452
      1 00000000.00:10:83:43:6c:11.0452 00000000.ff:ff:ff:ff:ff:ff.0452
      1 00000000.00:01:e6:73:af:b6.0452 00000000.ff:ff:ff:ff:ff:ff.0452

On Tue, Dec 03, 2002 at 09:35:19AM -0600, Tim Olson wrote:
Hi,

I'd like to set up snort to detect broadcasts only and then
have a way to tabulate the sources to see where most of them are
coming from.   I've trimmed down my .rules section to the snort.conf
file, and created rules to detect broadcasts.   Anyone else ever
set snort up to do this?  If so, maybe give me some tips as to
getting a good display of the tabulation.  So far I've only used
Snortsnarf and never dabbled in ACID or any other add-ons.
Give me some suggestions and I'll try them out.

Ultimately I'm just trying to discover the cause of excessive
broadcasts on our network.  Our Cisco switches see maybe 10,000
in 5 minutes.

Tim



-------------------------------------------------------
This SF.net email is sponsored by: Microsoft Visual Studio.NET 
comprehensive development tool, built to increase your 
productivity. Try a free online hosted session at:
http://ads.sourceforge.net/cgi-bin/redirect.pl?micr0003en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
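A sturdier version of the tabulation Phil describes, added here as an example and not code from the thread or from the Snort project. It parses the three line shapes that appear in his output (IPv4 "src > dst:", ARP "who-has dst tell src", and IPX "src > dst:ipx...") with awk instead of a chain of sed substitutions, skips lines that fit none of them rather than mis-counting them, and adds the per-host view Tim asked for (ports stripped from IPv4, MAC kept from IPX). The sample capture is constructed, only approximates tcpdump -qn output, and mixes the 2002-era spellings seen in the thread with the newer "IP" / "ARP, Request" prefixes; the function and variable names are my own.

```shell
#!/bin/sh
# Tabulate broadcast sources from tcpdump -qn output (added example, not the
# script from the thread). Function and variable names are my own choices.

# Constructed sample of tcpdump -qn output (not a real capture). It mixes the
# older "arp who-has" / ":ipx" spellings visible in the thread with the newer
# "IP" / "ARP, Request" prefixes so that either style tabulates the same way.
SAMPLE_CAPTURE='09:50:50.100000 IP 192.168.114.119.137 > 192.168.114.255.137: UDP, length 50
09:50:50.200000 IP 192.168.114.119.137 > 192.168.114.255.137: UDP, length 50
09:50:50.300000 IP 192.168.114.119.137 > 192.168.114.255.137: UDP, length 50
09:50:50.400000 ARP, Request who-has 192.168.114.241 tell 192.168.114.52, length 28
09:50:50.500000 ARP, Request who-has 192.168.114.241 tell 192.168.114.52, length 28
09:50:50.600000 arp who-has 192.168.114.241 tell 192.168.114.102
09:50:50.700000 00000000.00:60:b0:f1:70:2c.0452 > 00000000.ff:ff:ff:ff:ff:ff.0452:ipx-netbios 50
09:50:50.800000 IP 192.168.114.119.138 > 192.168.114.255.138: UDP, length 201
09:50:50.900000 ARP, Reply 192.168.114.241 is-at 00:60:b0:ca:53:4c, length 28'

# Live capture, as in the thread: the first N broadcast frames on an interface.
# Needs root or CAP_NET_RAW; pipe it into tabulate_pairs or tabulate_sources.
capture_broadcasts() {
    tcpdump -i "$1" -qn -c "${2:-100}" broadcast
}

# Reduce each line to "src dst" for the three shapes in Phil's output:
# IPv4/IPX "src > dst:" and ARP "who-has dst tell src". Lines that fit
# neither (ARP replies, truncated lines) are skipped instead of mis-counted.
extract_pairs() {
    awk '
    {
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "who-has" && i < NF) { dst = $(i + 1) }
            else if ($i == "tell" && i < NF) { src = $(i + 1) }
            else if ($i == ">" && i > 1 && i < NF && src == "") {
                src = $(i - 1); dst = $(i + 1)
            }
        }
        if (src == "" || dst == "") { next }
        sub(/:ipx.*$/, "", dst)                 # old tcpdump glues ":ipx-..." onto dst
        sub(/:$/, "", dst)                      # "dst:" before the protocol summary
        sub(/,$/, "", src); sub(/,$/, "", dst)  # "ARP, Request ... tell x," trailing comma
        print src, dst
    }'
}

# Count src/dst pairs (Phil's sort | uniq -c step), ordered count-desc then by
# address so the output is stable when diffing one capture against the next.
tabulate_pairs() {
    extract_pairs \
        | LC_ALL=C awk '{ cnt[$1 " " $2]++ } END { for (k in cnt) print cnt[k], k }' \
        | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# Per-host view, which is what the question actually asks for: strip the port
# from "a.b.c.d.port", keep the MAC out of an IPX "net.mac.socket" address,
# and leave anything else as it is.
tabulate_sources() {
    extract_pairs | LC_ALL=C awk '
    function host(a,  parts, n) {
        n = split(a, parts, ".")
        if (n == 5) { return parts[1] "." parts[2] "." parts[3] "." parts[4] }
        if (n == 3 && parts[2] ~ /:/) { return parts[2] }
        return a
    }
    { cnt[host($1)]++ }
    END { for (k in cnt) print cnt[k], k }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Offline demonstration on the constructed sample; on a live network use
#   capture_broadcasts eth0 1000 | tabulate_sources
printf '%s\n' "$SAMPLE_CAPTURE" | tabulate_sources
```

Run it as a plain sh script; on the sample it reports 192.168.114.119 as the top talker (its NetBIOS name-service and datagram broadcasts are folded together once the port is stripped), which is the kind of answer the original sed chain can only give after eyeballing the per-port rows. If a capture produces a line shape the parser drops, add a branch for it rather than loosening the existing ones, or the counts silently shift.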




