Snort mailing list archives

Re: Snort-users Digest, Vol 78, Issue 34-snort problem


From: amin Salehi <seyedamin_salehi () yahoo com>
Date: Sun, 11 Nov 2012 23:52:40 -0800 (PST)



Hi. But when I run Snort in sniffer mode (not NIDS mode), I see that 4 packets are sent from host 10.10.7.2: 2 packets with
TTL 64 and 2 packets with TTL 63. What is the problem?

________________________________
 From: "snort-users-request () lists sourceforge net" <snort-users-request () lists sourceforge net>
To: snort-users () lists sourceforge net 
Sent: Monday, November 12, 2012 10:29 AM
Subject: Snort-users Digest, Vol 78, Issue 34
 

Today's Topics:

   1. Re: snort inline (Michael Altizer)


----------------------------------------------------------------------

Message: 1
Date: Mon, 12 Nov 2012 01:58:58 -0500
From: Michael Altizer <xiche () verizon net>
Subject: Re: [Snort-users] snort inline
To: snort-users () lists sourceforge net
Message-ID: <50A09E32.7060507 () verizon net>
Content-Type: text/plain; charset="us-ascii"

(If you're using AFPacket in inline mode, it will be forwarding the 
packets unmodified after processing.  If you're also routing at the same 
time, the packet will be forwarded by the OS as well with the TTL and 
MAC changes necessary for routing.  This will result in "duplicate" 
packets. Similar deal with using Linux bridging at the same time.  If 
you're having something else forward the packets, don't ask AFPacket to 
do it too.)

On 11/12/2012 01:50 AM, Michael Altizer wrote:
You enabled IPv4 Forwarding, so you're a router with everything that 
entails.

On 11/12/2012 01:37 AM, amin Salehi wrote:
Hi. I enabled promisc mode on 2 interfaces:

My virtual topology is:

All hosts are Linux BackTrack 64-bit:
When I ping 10.10.8.2 from 10.10.7.2, 2 packets are sent: one with TTL
64 and one with TTL 63. The one with TTL 64 goes from the MAC of 10.10.7.2 to the MAC
of 10.10.7.1, and the one with TTL 63 from the MAC of interface 10.10.8.1 to the
MAC of 10.10.8.2.
What is the problem?

------------------------------------------------------------------------
*From:* Tony Robinson <deusexmachina667 () gmail com>
*To:* amin Salehi <seyedamin_salehi () yahoo com>
*Cc:* "snort-users () lists sourceforge net" 
<snort-users () lists sourceforge net>
*Sent:* Sunday, November 11, 2012 1:11 AM
*Subject:* Re: [Snort-users] snort inline

Mr. Salehi,

I'm not certain this is your problem, but I ran into a similar 
problem while testing a snort inline installation on my ESXi testbed. 
I was trying to do an inline test with snort between two vswitches 
and ran into problems consistent with what you are seeing. I had to 
allow promiscuous mode on the vswitches the inline interfaces were 
connected to, or it wouldn't work.

I would recommend the following:
1. If you are on an ESX/ESXi server, ensure that the vswitch security 
settings allow promiscuous mode -- for BOTH switches your sensor is 
connected to.
2. Verify that both interfaces have promiscuous mode enabled (e.g. 
does ifconfig -a report PROMISC for both eth1 and eth0?)

On Sat, Nov 10, 2012 at 7:21 AM, amin Salehi 
<seyedamin_salehi () yahoo com <mailto:seyedamin_salehi () yahoo com>> wrote:

     Hi. I enabled forwarding on a Snort sensor host and ran the following
     command:
     "snort -q -c /etc/snort/snort.conf -Q --daq afpacket -i eth0:eth1
     -A console"
     I wrote a rule in the local.rules file: "drop icmp 10.10.9.2 any ->
     10.10.8.2 any (msg:"Ping dropped"; sid:1000008;)". When I run
     "ping 10.10.8.2" on the 10.10.9.2 host, the result is: the attached
     file with name 1

     My sensor screen is: the attached file with name 2


     What's the problem?

     ------------------------------------------------------------------------------
     Everyone hates slow websites. So do we.
     Make your web apps faster with AppDynamics
     Download AppDynamics Lite for free today:
     http://p.sf.net/sfu/appdyn_d2d_nov
     _______________________________________________
     Snort-users mailing list
    Snort-users () lists sourceforge net
     <mailto:Snort-users () lists sourceforge net>
     Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
     Snort-users list archive:
    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

     Please visit http://blog.snort.org to stay current on all the
     latest Snort news!




-- 
when does reality end? when does fantasy begin?






-------------- next part --------------
An HTML attachment was scrubbed...


End of Snort-users Digest, Vol 78, Issue 34
*******************************************
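The symptom Michael Altizer explains above (the same echo request leaving the sensor twice, once forwarded untouched by the afpacket DAQ with TTL 64 and once routed by the kernel with TTL 63 and rewritten MACs) is easy to confirm from a capture on the far-side segment. The following is an added example, not code from the thread or from the Snort project: it builds two constructed Ethernet/IPv4/ICMP frames matching the poster's topology (the MAC addresses and the ICMP payload are invented), parses them, and groups copies by the fields a router never changes (IP id, addresses, ICMP ident/seq) to flag pairs that differ only by a one-step TTL and the link-layer addresses.

```python
"""Detect 'routed duplicate' echo requests on an inline sensor's egress segment.

Added example, not part of the mailing-list thread.  The two frames in CAPTURE
are constructed to match the poster's description (10.10.7.2 pinging 10.10.8.2
through a sensor with ip_forward enabled); MAC addresses and payload are made up.
"""
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
IPV4 = struct.Struct("!BBHHHBBH4s4s")  # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
ICMP = struct.Struct("!BBHHH")         # type, code, csum, ident, seq


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a header that already carries a
    correct checksum the result is 0, which is how parse_frame verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(src_mac, dst_mac, src_ip, dst_ip, ttl, ident, seq, ip_id=0x1234):
    """Build an Ethernet/IPv4/ICMP echo request with valid IP and ICMP checksums."""
    icmp = ICMP.pack(8, 0, 0, ident, seq) + b"inline-test"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = IPV4.pack(0x45, 0, IPV4.size + len(icmp), ip_id, 0, ttl, 1, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ETH.pack(dst_mac, src_mac, 0x0800) + ip + icmp


def parse_frame(frame: bytes) -> dict:
    """Decode the fields that tell a DAQ-forwarded copy from a kernel-routed one."""
    dst_mac, src_mac, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    off = ETH.size
    ihl = (frame[off] & 0x0F) * 4
    _, _, total_len, ip_id, _, ttl, proto, _, src_ip, dst_ip = IPV4.unpack_from(frame, off)
    # A router rewrites this checksum when it decrements TTL; the DAQ copy keeps the original.
    if inet_checksum(frame[off:off + ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 1:
        raise ValueError("not ICMP")
    icmp = frame[off + ihl:off + total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _, _, ident, seq = ICMP.unpack_from(icmp, 0)
    return {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": ip_str(src_ip), "dst_ip": ip_str(dst_ip),
        "ip_id": ip_id, "ttl": ttl, "icmp_type": icmp_type, "ident": ident, "seq": seq,
    }


def find_duplicates(frames) -> list:
    """Group echo requests by the fields routing does not change and flag groups
    whose copies differ only by a one-step TTL and by their MAC addresses."""
    groups = defaultdict(list)
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt["icmp_type"] == 8:  # echo requests only; replies are a separate flow
            key = (pkt["src_ip"], pkt["dst_ip"], pkt["ip_id"], pkt["ident"], pkt["seq"])
            groups[key].append(pkt)
    findings = []
    for key, copies in groups.items():
        if len(copies) < 2:
            continue
        ttls = sorted({c["ttl"] for c in copies}, reverse=True)
        mac_pairs = {(c["src_mac"], c["dst_mac"]) for c in copies}
        routed = len(ttls) == 2 and ttls[0] - ttls[1] == 1 and len(mac_pairs) == len(copies)
        findings.append({
            "flow": key, "ttls": ttls, "copies": len(copies),
            "verdict": "routed duplicate (kernel forwarded it too)" if routed else "unexplained duplicate",
        })
    return findings


# Constructed capture as seen on the 10.10.8.0/24 segment; MACs are invented.
HOST_7_2, SENSOR_ETH0 = bytes.fromhex("0a0000070002"), bytes.fromhex("0a0000070001")
SENSOR_ETH1, HOST_8_2 = bytes.fromhex("0a0000080001"), bytes.fromhex("0a0000080002")
SRC_IP, DST_IP = bytes([10, 10, 7, 2]), bytes([10, 10, 8, 2])

CAPTURE = [
    # copy 1: afpacket DAQ pushed the frame out eth1 untouched: TTL 64, MACs from the 10.10.7.x side
    build_echo(HOST_7_2, SENSOR_ETH0, SRC_IP, DST_IP, ttl=64, ident=0x1C2D, seq=1),
    # copy 2: the kernel routed it as well: TTL 63, sensor eth1 MAC to host MAC, new IP checksum
    build_echo(SENSOR_ETH1, HOST_8_2, SRC_IP, DST_IP, ttl=63, ident=0x1C2D, seq=1),
]

if __name__ == "__main__":
    for finding in find_duplicates(CAPTURE):
        print(finding)
```

The TTL-64 copy is also recognisable on its own: its destination MAC is the sensor's eth0, not 10.10.8.2, because the DAQ bridged the frame without touching the link-layer header. Once the kernel's IPv4 forwarding (and any Linux bridge containing eth0/eth1) is switched off, only the DAQ copy remains and the grouping above returns nothing.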
