[Snort-devel] log response pkts

Vinayak Malshetty vinay.c7 at ...2499...
Mon Jul 2 07:45:12 EDT 2012


Hi,

Please, can anyone help me in resolving the problem below?



I am running snort in IDS mode to capture GTPv1 echo request and response
packets, but I am seeing that only echo request packets are captured. Below
is the topology:



(Linux-1) eth4 ----------------------------eth4(Linux-2)

70.5.1.1                                                       70.6.1.1

Linux-2 is sending GTP echo requests and Linux-1 is responding, but in the
log only the GTP request is logged.


I am running snort as "snort -i eth4 -c GTP_Config/sample.conf" on the Linux-1
machine.

I have created a rule to log GTP packets as:

    log udp 70.5.1.1 2123 <> 70.6.1.1 2123 (gid:143; sid:10000010;)



But when I run snort in sniffer mode I am able to see both the request
and the response on the console, as below:

Commencing packet processing (pid=15788)

07/01-04:32:42.714873 70.6.1.1:2123 -> 70.5.1.1:2123

UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF

Len: 12

32 01 00 04 00 00 00 00 6C 00 00 00              2.......l...   <-- Request



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



07/01-04:32:42.714878 70.6.1.1:2123 -> 70.5.1.1:2123

UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:139 DF

Len: 111

32 10 00 67 00 00 00 00 6C 01 00 00 02 42 00 01  2..g....l....B..

21 43 65 87 F9 0E 1B 0F 01 10 00 00 00 01 11 00  !Ce.............

00 00 01 14 00 1A 08 00 80 00 02 F1 21 83 00 08  ............!...

69 6E 74 65 72 6E 65 74 84 00 15 80 C0 23 11 01  internet.....#..

01 00 11 03 6D 69 67 08 68 65 6D 6D 65 6C 69 67  ....mig.hemmelig

85 00 04 46 06 01 01 85 00 04 46 06 01 01 86 00  ...F......F.....

07 91 64 07 12 32 54 F6 87 00 04 00 0B 92 1F     ..d..2T........



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



07/01-04:32:42.714915 70.5.1.1:2123 -> 70.6.1.1:2123

UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:42 DF

Len: 14

32 02 00 06 00 00 00 00 6C 00 00 00 0E 01        2.......l.....  <-- Response



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



07/01-04:32:42.714995 70.5.1.1:2123 -> 70.6.1.1:2123

UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:114 DF

Len: 86

32 11 00 4E 00 00 00 01 6C 01 00 00 01 80 08 00  2..N....l.......

0E 01 10 00 00 00 01 11 00 00 00 01 7F 00 00 00  ................

01 80 00 06 F1 21 50 00 00 02 84 00 14 80 80 21  .....!P........!

10 02 00 00 10 81 06 00 00 00 00 83 06 00 00 00  ................

00 85 00 04 46 05 01 01 85 00 04 46 05 01 01 87  ....F......F....

00 04 00 0B 92 1F                                ......



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Many Thanks,

-vinayak
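Added example, not part of the original post or of Snort: a small decoder for the GTPv1-C headers in the sniffer output above. It takes the echo request and echo response payloads exactly as dumped, checks that each declared length matches what is on the wire, and confirms the two messages form a matching pair (same sequence number 0x6C00), which is what one would expect a logging rule on port 2123 to see in both directions. Message type names are taken from 3GPP TS 29.060.

```python
import struct

# Message type values from 3GPP TS 29.060 (GTPv1-C).
GTP_MSG_TYPES = {0x01: "Echo Request", 0x02: "Echo Response",
                 0x10: "Create PDP Context Request",
                 0x11: "Create PDP Context Response"}

# UDP payloads copied from the sniffer output in the post (port 2123).
ECHO_REQUEST  = bytes.fromhex("32 01 00 04 00 00 00 00 6C 00 00 00")
ECHO_RESPONSE = bytes.fromhex("32 02 00 06 00 00 00 00 6C 00 00 00 0E 01")

def parse_gtpv1(payload: bytes) -> dict:
    """Decode the mandatory 8-byte GTPv1 header and, when any of the
    E/S/PN flag bits is set, the 4-byte optional part (sequence number,
    N-PDU number, next extension header type).  Raises on truncation."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 message (version=%d)" % (flags >> 5))
    hdr_len, seq = 8, None
    if flags & 0x07:                       # E, S or PN set -> 4 more octets
        if len(payload) < 12:
            raise ValueError("truncated GTPv1 optional header")
        seq = struct.unpack("!H", payload[8:10])[0]
        hdr_len = 12
    return {
        "type": msg_type,
        "name": GTP_MSG_TYPES.get(msg_type, "Unknown 0x%02x" % msg_type),
        "teid": teid,
        "seq": seq,
        # 'length' counts every octet after the mandatory 8-byte header,
        # so the declared size must equal the payload size on the wire.
        "length_ok": 8 + length == len(payload),
        "ies": payload[hdr_len:],          # information elements, if any
    }

def is_echo_pair(request: bytes, response: bytes) -> bool:
    """True when 'response' is the Echo Response answering 'request':
    correct message types, both well-formed, same sequence number."""
    req, rsp = parse_gtpv1(request), parse_gtpv1(response)
    return (req["type"] == 0x01 and rsp["type"] == 0x02
            and req["length_ok"] and rsp["length_ok"]
            and req["seq"] == rsp["seq"])

if __name__ == "__main__":
    for name, pkt in (("request", ECHO_REQUEST), ("response", ECHO_RESPONSE)):
        print(name, parse_gtpv1(pkt))
    print("matching echo pair:", is_echo_pair(ECHO_REQUEST, ECHO_RESPONSE))
```

The response carries one information element after the header, 0E 01 (Recovery, value 1); the same parser decodes the Create PDP Context messages in the dump as types 0x10 and 0x11.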