Snort mailing list archives

Re: Capturing incoming packets?


From: guano () hackerfactor com
Date: Sat, 14 Jun 2003 16:35:49 -0600 (MDT)

Hi Erek,

This command still won't cut it.

      snort -l <dir> -b 'not src <IP>'

Consider this:
I use a web browser to connect to google.

   HTTP -> google     = filtered by 'not src <IP>'
   google -> reply    = NOT filtered by 'not src <IP>'

Or, in more detail:
   <IP>        google          captured by snort?
   -----       -------         ------------------
   SYN   ->                    filtered
         <-    SYN,ACK         NOT filtered
   ACK   ->                    filtered
   HTTP  ->                    filtered
         <-    ACK             NOT filtered
         <-    HTTP reply      NOT filtered
   ACK   ->                    filtered
         <-    FIN,ACK         NOT filtered
   ACK   ->                    filtered
   
Thus, snort will capture exactly half of this session.

Since the entire session was initiated by <IP>, I want the entire
session filtered.  Not just the requests, but the replies as well.
Any snort option that does not take session-tracking into account will
be unable to do this.

Is there a method for snort to capture everything that is not part of
a session initiated by <IP>?

                                        -guano


On Fri, 13 Jun 2003 guano () hackerfactor com wrote:

Unfortunately, the option you provided will not work:

  snort -l <logdir> -b 'not net <local_lan>'

This will filter out things that I want to capture, such as someone
initiating a port scan against my network.
In addition, this command does not take sessions or initiation
direction into account.

My bad.  I forgot one part:

      'not src net <local>'

After reading the below, I realized that you're going to have some
issues, so that may not work as you want.

What I have is a WAN connection (e.g., cable modem or DSL) and
a firewall with NAT protecting the LAN.  The firewall logs only
the basics (when, what) but not the details (packet content, fractional
packets, anything TCP beyond SYN).

My Linux IDS is tapped into the area between the WAN connection and
the firewall (e.g., DMZ).  So it is in a position to see all traffic
leaving the firewall, as well as everything that comes toward the
firewall.  In particular, it is in a position to see everything
that does not make it through the firewall.

What I want to capture are only the packets that are:
(1) Heading toward the firewall from the WAN, *and*

Easy enough.  Since you're using NAT, all you need is the "front" IP of
the firewall.  Then just do something like:

      snort -l <dir> -b 'not src <IP>'

(2) Not in reply to anything sent out from the firewall/NAT.

Easily done.  See above.

Thus, only unrequested packets (sniffs, attacks, "something unexpected")
will be captured.

Well, for what you want, you might be better off using tcpdump.  You don't
seem to care about the rules, you just want the traffic.  If that's the
case just use tcpdump instead.

If you do care about the rules, just write some that ignore what you want
and alert on everything else.

      alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Incoming port 22 connection"; sid:1000001; rev:1;)

There's been some good threads on 'anomaly detection' in the archives.
I'd suggest you read over that and make use of some of those ideas/rules.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
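The half-a-session problem guano tabulates above comes from BPF being stateless: 'not src <IP>' looks at one packet at a time and has no idea who opened the connection. The following is an added example (not code from the thread, from Snort, or from tcpdump) that replays the exact exchange in the table, once through a mirror of 'not src <IP>' and once through a small tracker that remembers which side sent the bare SYN. The IP addresses are constructed RFC 5737 documentation addresses standing in for the firewall's front IP, google, and an outside scanner; the packet list is built by hand to match the table.

```python
"""Added example: why 'not src <IP>' keeps half of an outbound session, and
what a direction-aware tracker does instead.

Packets are constructed to follow guano's table. The addresses are
documentation ranges (RFC 5737) standing in for the firewall's front IP,
google, and a scanner; nothing here is Snort's own session code.
"""
from dataclasses import dataclass

FIREWALL_IP = "203.0.113.10"   # assumed "front" (WAN-side) IP of the NAT firewall
GOOGLE_IP = "198.51.100.7"     # constructed stand-in for google
SCANNER_IP = "192.0.2.99"      # constructed stand-in for an outside scanner


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    desc: str


def bpf_not_src(pkt, ip):
    """Mirror of the BPF expression 'not src <ip>': keep anything not sent by ip."""
    return pkt.src != ip


class SessionTracker:
    """Keep a packet unless it belongs to a TCP session that home_ip opened.

    A bare SYN (SYN set, ACK clear) opens a session and its source is the
    initiator. Every later packet on the same 4-tuple, in either direction,
    inherits that verdict, which is what a stateless BPF filter cannot do.
    """

    def __init__(self, home_ip):
        self.home_ip = home_ip
        self.initiator = {}   # direction-independent 4-tuple -> initiating IP

    @staticmethod
    def _key(pkt):
        return frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])

    def capture(self, pkt):
        key = self._key(pkt)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.initiator[key] = pkt.src
        keep = self.initiator.get(key) != self.home_ip
        if "RST" in pkt.flags:          # session is dead; forget it
            self.initiator.pop(key, None)
        return keep


def _p(a, b, flags, desc):
    return Packet(a[0], a[1], b[0], b[1], frozenset(flags), desc)


def build_web_session():
    """The exchange in the table: the firewall (<IP>) opens a connection to google."""
    fw, g = (FIREWALL_IP, 40321), (GOOGLE_IP, 80)
    return [
        _p(fw, g, {"SYN"}, "SYN"),
        _p(g, fw, {"SYN", "ACK"}, "SYN,ACK"),
        _p(fw, g, {"ACK"}, "ACK"),
        _p(fw, g, {"PSH", "ACK"}, "HTTP"),
        _p(g, fw, {"ACK"}, "ACK"),
        _p(g, fw, {"PSH", "ACK"}, "HTTP reply"),
        _p(fw, g, {"ACK"}, "ACK"),
        _p(g, fw, {"FIN", "ACK"}, "FIN,ACK"),
        _p(fw, g, {"ACK"}, "ACK"),
    ]


def build_port_scan():
    """An unsolicited SYN to port 22 from outside, and the firewall's RST back."""
    sc, fw = (SCANNER_IP, 51000), (FIREWALL_IP, 22)
    return [
        _p(sc, fw, {"SYN"}, "scan SYN"),
        _p(fw, sc, {"RST", "ACK"}, "RST from firewall"),
    ]


def run_filters(packets, home_ip=FIREWALL_IP):
    """Return (kept by 'not src <IP>', kept by the session tracker) as descriptions."""
    tracker = SessionTracker(home_ip)
    bpf_kept = [p.desc for p in packets if bpf_not_src(p, home_ip)]
    tracked_kept = [p.desc for p in packets if tracker.capture(p)]
    return bpf_kept, tracked_kept


if __name__ == "__main__":
    for name, pkts in (("web session", build_web_session()),
                       ("port scan", build_port_scan())):
        bpf_kept, tracked_kept = run_filters(pkts)
        print(f"{name}: 'not src <IP>' keeps {bpf_kept}")
        print(f"{name}: session tracker keeps {tracked_kept}")
```

Run on the table's nine packets, 'not src <IP>' keeps the four that google sent, while the tracker keeps none of them and still keeps both packets of the scan, including the firewall's own RST, because that session was opened from outside. If only a BPF filter is available, the closest stateless approximation for TCP is 'dst host <IP> and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn', which keeps inbound connection attempts but drops the rest of each probe and anything UDP or ICMP; it is a fallback, not a substitute for tracking the initiator.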




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users