[Snort-devel] log response pkts

Joel Esler jesler at ...402...
Tue Jul 3 10:19:25 EDT 2012


What version of Snort are you using?  What is your output method?  What
does your sample.conf say?

On Mon, Jul 2, 2012 at 7:45 AM, Vinayak Malshetty <vinay.c7 at ...2499...> wrote:

> Hi,
>
> Please, can anyone help me resolve the problem below?
>
>
>
> I am running Snort in IDS mode to capture GTPv1 echo request and response
> packets, but I am seeing that only echo request packets are captured. Below
> is the topology:
>
>
>
> (Linux-1) eth4 ----------------------------eth4(Linux-2)
>
> 70.5.1.1                                                       70.6.1.1
>
> Linux-2 is sending the GTP echo request and Linux-1 is responding, but in the
> log only the GTP request is logged.
>
>
> I am running Snort as "snort -i eth4 -c GTP_Config/sample.conf" on the Linux-1
> machine.
>
> I have created a rule to log GTP packets as:
>
> log udp 70.5.1.1 2123 <> 70.6.1.1 2123 \
> (gid:143;sid:10000010)
>
>
>
> But when I run Snort in sniffer mode I am able to see both the request
> and the response on the console, as below:
>
> Commencing packet processing (pid=15788)
>
> 07/01-04:32:42.714873 70.6.1.1:2123 -> 70.5.1.1:2123
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
> Len: 12
> 32 01 00 04 00 00 00 00 6C 00 00 00              2.......l...   (Request)
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 07/01-04:32:42.714878 70.6.1.1:2123 -> 70.5.1.1:2123
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:139 DF
> Len: 111
> 32 10 00 67 00 00 00 00 6C 01 00 00 02 42 00 01  2..g....l....B..
> 21 43 65 87 F9 0E 1B 0F 01 10 00 00 00 01 11 00  !Ce.............
> 00 00 01 14 00 1A 08 00 80 00 02 F1 21 83 00 08  ............!...
> 69 6E 74 65 72 6E 65 74 84 00 15 80 C0 23 11 01  internet.....#..
> 01 00 11 03 6D 69 67 08 68 65 6D 6D 65 6C 69 67  ....mig.hemmelig
> 85 00 04 46 06 01 01 85 00 04 46 06 01 01 86 00  ...F......F.....
> 07 91 64 07 12 32 54 F6 87 00 04 00 0B 92 1F     ..d..2T........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 07/01-04:32:42.714915 70.5.1.1:2123 -> 70.6.1.1:2123
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:42 DF
> Len: 14
> 32 02 00 06 00 00 00 00 6C 00 00 00 0E 01        2.......l.....   (Response)
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 07/01-04:32:42.714995 70.5.1.1:2123 -> 70.6.1.1:2123
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:114 DF
> Len: 86
> 32 11 00 4E 00 00 00 01 6C 01 00 00 01 80 08 00  2..N....l.......
> 0E 01 10 00 00 00 01 11 00 00 00 01 7F 00 00 00  ................
> 01 80 00 06 F1 21 50 00 00 02 84 00 14 80 80 21  .....!P........!
> 10 02 00 00 10 81 06 00 00 00 00 83 06 00 00 00  ................
> 00 85 00 04 46 05 01 01 85 00 04 46 05 01 01 87  ....F......F....
> 00 04 00 0B 92 1F                                ......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>
> Many Thanks,
>
> -vinayak
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
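An added example (not code from either post, and not Snort's own code): it decodes the four GTPv1-C datagrams from the sniffer output quoted above with a small parser for the GTPv1 header (version, message type, length, TEID, optional sequence number, and the Recovery IE carried by echo messages), and then checks each datagram's 5-tuple against the rule header from the post with a simplified model of Snort's header matching (literal IPv4 addresses and ports or `any`; `->` one-way, `<>` bidirectional). The bytes and addresses are copied from the capture in the post; the function and type names, and the matcher itself, are this example's own.

```python
"""Decode the GTPv1-C datagrams from the sniffer output in the post and check
their 5-tuples against a Snort-style rule header.  Added example; not code from
the thread or from Snort itself."""
import struct
from typing import List, NamedTuple, Optional, Tuple

# GTPv1 message types (3GPP TS 29.060) that appear in the capture.
GTP_MSG_TYPES = {
    0x01: "Echo Request",
    0x02: "Echo Response",
    0x10: "Create PDP Context Request",
    0x11: "Create PDP Context Response",
}

# Mandatory 8-byte GTPv1 header: flags, message type, length, TEID.
GTP_HDR = struct.Struct("!BBHI")


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


class GtpMsg(NamedTuple):
    msg_type: int
    msg_name: str
    length: int              # header length field: bytes following the TEID
    teid: int
    seq: Optional[int]       # present only when the S flag is set
    recovery: Optional[int]  # Recovery IE (type 0x0E) of echo messages
    payload: bytes           # everything after the (optional) header fields


def parse_gtpv1(data: bytes) -> GtpMsg:
    """Parse one GTPv1 message, rejecting wrong versions and length mismatches."""
    if len(data) < GTP_HDR.size:
        raise ValueError("truncated GTPv1 header")
    flags, msg_type, length, teid = GTP_HDR.unpack_from(data)
    if flags >> 5 != 1:
        raise ValueError(f"unsupported GTP version {flags >> 5}")
    if len(data) != GTP_HDR.size + length:
        raise ValueError(f"length field says {length}, got {len(data) - GTP_HDR.size}")
    body = data[GTP_HDR.size:]
    seq = None
    if flags & 0x07:  # E, S or PN set: seq(2), N-PDU(1), next ext header(1) follow
        if len(body) < 4:
            raise ValueError("optional header fields missing")
        if flags & 0x02:
            seq = struct.unpack_from("!H", body)[0]
        if flags & 0x04 and body[3] != 0:
            raise ValueError("extension header chain not handled in this example")
        body = body[4:]
    recovery = None
    if msg_type in (0x01, 0x02) and len(body) >= 2 and body[0] == 0x0E:
        recovery = body[1]  # TV IE: one type byte, one value byte
    name = GTP_MSG_TYPES.get(msg_type, f"unknown type 0x{msg_type:02x}")
    return GtpMsg(msg_type, name, length, teid, seq, recovery, body)


def rule_header_matches(rule: str, flow: Flow) -> bool:
    """Simplified model of a Snort rule header 'action proto src sport dir dst dport':
    literal IPv4 addresses and ports or 'any'; '->' is one-way, '<>' bidirectional."""
    _action, proto, src, sport, direction, dst, dport = rule.split()[:7]
    if proto != "udp":
        return False

    def side(addr: str, port: str, faddr: str, fport: int) -> bool:
        return addr in ("any", faddr) and (port == "any" or int(port) == fport)

    forward = side(src, sport, flow.src, flow.sport) and side(dst, dport, flow.dst, flow.dport)
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = side(src, sport, flow.dst, flow.dport) and side(dst, dport, flow.src, flow.sport)
        return forward or reverse
    raise ValueError(f"bad direction operator {direction!r}")


# The four datagrams from the post's sniffer output: (src, sport, dst, dport, hex bytes).
POST_CAPTURE = [
    ("70.6.1.1", 2123, "70.5.1.1", 2123,
     "32 01 00 04 00 00 00 00 6C 00 00 00"),
    ("70.6.1.1", 2123, "70.5.1.1", 2123,
     "32 10 00 67 00 00 00 00 6C 01 00 00 02 42 00 01 21 43 65 87 F9 0E 1B 0F 01 10 00 00 00 01 11 00 "
     "00 00 01 14 00 1A 08 00 80 00 02 F1 21 83 00 08 69 6E 74 65 72 6E 65 74 84 00 15 80 C0 23 11 01 "
     "01 00 11 03 6D 69 67 08 68 65 6D 6D 65 6C 69 67 85 00 04 46 06 01 01 85 00 04 46 06 01 01 86 00 "
     "07 91 64 07 12 32 54 F6 87 00 04 00 0B 92 1F"),
    ("70.5.1.1", 2123, "70.6.1.1", 2123,
     "32 02 00 06 00 00 00 00 6C 00 00 00 0E 01"),
    ("70.5.1.1", 2123, "70.6.1.1", 2123,
     "32 11 00 4E 00 00 00 01 6C 01 00 00 01 80 08 00 0E 01 10 00 00 00 01 11 00 00 00 01 7F 00 00 00 "
     "01 80 00 06 F1 21 50 00 00 02 84 00 14 80 80 21 10 02 00 00 10 81 06 00 00 00 00 83 06 00 00 00 "
     "00 85 00 04 46 05 01 01 85 00 04 46 05 01 01 87 00 04 00 0B 92 1F"),
]

RULE_FROM_POST = "log udp 70.5.1.1 2123 <> 70.6.1.1 2123 (gid:143;sid:10000010)"


def decode_capture() -> List[Tuple[Flow, GtpMsg]]:
    """Parse every datagram of the capture into (flow, message) pairs."""
    return [(Flow(s, sp, d, dp), parse_gtpv1(bytes.fromhex(hx)))
            for s, sp, d, dp, hx in POST_CAPTURE]


def evaluate_rule(rule: str) -> List[Tuple[str, bool]]:
    """Which of the captured messages does the rule header select?"""
    return [(msg.msg_name, rule_header_matches(rule, flow)) for flow, msg in decode_capture()]


if __name__ == "__main__":
    for flow, msg in decode_capture():
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  "
              f"{msg.msg_name} seq={msg.seq} teid={msg.teid} recovery={msg.recovery}")
    for name, hit in evaluate_rule(RULE_FROM_POST):
        print(f"{name:30} {'matches' if hit else 'no match'}")
```

Run as a script it lists the four messages with their sequence numbers and TEIDs and shows that, at the header level, the `<>` rule from the post selects both directions, whereas the same rule with `->` selects only the 70.5.1.1 to 70.6.1.1 responses. It models only the rule header; whether a gid:143 rule is evaluated at all, and what the output plugin then records, depends on the Snort version and configuration that Joel asks about above.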

