[Snort-users] Hardcore -r question

Martin Roesch roesch at ...1935...
Mon Jun 11 22:45:07 EDT 2001


Try 'tcp[2:2] == 111', I bet that'll work.  BPF starts counting at zero
for headers, so tcp[0:2] covers the first 16 bits of the tcp header,
tcp[2:2] covers the second 16 bits (i.e. the destination port).

You could also just say 'dst port 111'.

    -Marty

John Sage wrote:
> 
> I'm playing with using the -r switch and tcpdump syntax on a binary log
> file, and I'm having one heckuva time understanding why this command line:
> 
> snort -dv -r snort-0609 at ...2233... 'tcp[3:1] == 111 '
> 
> returns what it does.
> 
> I expect it to return packets with destination port 111, which it does,
> but WTF? it returns five other packets with a value of 62319 as the
> destination port, too.
> 
> This says, I think, go into the tcp header 3 bytes (the first byte's zero)
> and a one byte offset into that, and look at it -- and if it's "111"
> then true and show me the packet.
> 
> It does exactly the same thing if I say:
> 
> snort -dv -r snort-0609 at ...2233... 'tcp[3] == 111 '
> 
> (Of course, if I just chill out and say "snort -dv -r
> snort-0609 at ...2233... dst port 111" it works just fine...)
> 
> Anyway, what am I missing?
> 
> - John
> 
> snort -dv -r snort-0609 at ...2233... 'tcp[3:1] == 111 '
> 
>          --== Initializing Snort ==--
> TCPDUMP file reading mode.
> Reading network traffic from "snort-0609 at ...2233..." file.
> snaplen = 1514
> 
>          --== Initialization Complete ==--
> 06/09-07:55:39.985460 208.178.109.50:80 -> 12.82.128.242:62319
> TCP TTL:53 TOS:0x0 ID:51688 IpLen:20 DgmLen:60 DF
> ***A**S* Seq: 0xE3BDFC2B  Ack: 0xE4569CFB  Win: 0x3EBC  TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 282142772 430770634 NOP
> TCP Options => WS: 0
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/09-07:55:40.275486 208.178.109.50:80 -> 12.82.128.242:62319
> TCP TTL:53 TOS:0x0 ID:51694 IpLen:20 DgmLen:52 DF
> ***A**** Seq: 0xE3BDFC2C  Ack: 0xE4569F69  Win: 0x3C4E  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 282142802 430770652
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/09-07:55:40.295450 208.178.109.50:80 -> 12.82.128.242:62319
> TCP TTL:53 TOS:0x0 ID:51696 IpLen:20 DgmLen:52 DF
> ***A***F Seq: 0xE3BDFE28  Ack: 0xE4569F69  Win: 0x3EBC  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 282142802 430770652
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/09-07:55:40.415514 208.178.109.50:80 -> 12.82.128.242:62319
> TCP TTL:53 TOS:0x0 ID:51695 IpLen:20 DgmLen:560 DF
> ***AP*** Seq: 0xE3BDFC2C  Ack: 0xE4569F69  Win: 0x3EBC  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 282142802 430770652
> 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
> 0A 44 61 74 65 3A 20 53 61 74 2C 20 30 39 20 4A  .Date: Sat, 09 J
> 75 6E 20 32 30 30 31 20 31 34 3A 35 35 3A 33 39  un 2001 14:55:39
> 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
> 61 63 68 65 2F 31 2E 33 2E 31 32 20 28 55 6E 69  ache/1.3.12 (Uni
> 78 29 20 50 48 50 2F 33 2E 30 2E 31 36 20 6D 6F  x) PHP/3.0.16 mo
> <snip>
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/09-07:55:40.595464 208.178.109.50:80 -> 12.82.128.242:62319
> TCP TTL:53 TOS:0x0 ID:51701 IpLen:20 DgmLen:52 DF
> ***A**** Seq: 0xE3BDFE29  Ack: 0xE4569F6A  Win: 0x3EBC  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 282142833 430770695
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/09-11:42:15.844824 202.101.230.112:35932 -> 12.82.128.242:111
> TCP TTL:237 TOS:0x0 ID:57191 IpLen:20 DgmLen:44 DF
> ******S* Seq: 0x42F039C4  Ack: 0x0  Win: 0x2238  TcpLen: 24
> TCP Options (1) => MSS: 1460
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/09-11:42:18.875184 202.101.230.112:35932 -> 12.82.128.242:111
> TCP TTL:237 TOS:0x0 ID:57192 IpLen:20 DgmLen:40 DF
> *****R** Seq: 0x42F039C5  Ack: 0x0  Win: 0x2238  TcpLen: 20
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/09-15:08:11.145983 207.249.68.130:49620 -> 12.82.128.242:111
> TCP TTL:241 TOS:0x0 ID:41055 IpLen:20 DgmLen:44 DF
> ******S* Seq: 0x4A27B537  Ack: 0x0  Win: 0x2238  TcpLen: 24
> TCP Options (1) => MSS: 1460
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/09-15:08:14.526320 207.249.68.130:49620 -> 12.82.128.242:111
> TCP TTL:241 TOS:0x0 ID:41056 IpLen:20 DgmLen:40 DF
> *****R** Seq: 0x4A27B538  Ack: 0x0  Win: 0x2238  TcpLen: 20
> 
> ===============================================================================
> 
> Snort processed 9 packets.
> Breakdown by protocol:                Action Stats:
> 
>      TCP: 9          (100.000%)         ALERTS: 0
>      UDP: 0          (0.000%)          LOGGED: 0
>     ICMP: 0          (0.000%)          PASSED: 0
>      ARP: 0          (0.000%)
>     IPv6: 0          (0.000%)
>      IPX: 0          (0.000%)
>    OTHER: 0          (0.000%)
> ===============================================================================
> Fragmentation Stats:
> Fragmented IP Packets: 0          (0.000%)
>     Rebuilt IP Packets: 0
>     Frag elements used: 0
> Discarded(incomplete): 0
>     Discarded(timeout): 0
> ===============================================================================
> 
> TCP Stream Reassembly Stats:
>     TCP Packets Used:      0          (0.000%)
>     Reconstructed Packets: 0          (0.000%)
>     Streams Reconstructed: 0
> ===============================================================================
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org
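Added example, not part of Marty's reply and not Snort or libpcap code: a small Python model of the BPF `tcp[offset:size]` accessor, run over constructed TCP headers for the ports that appear in the thread. It shows why `tcp[3:1] == 111` also matches destination port 62319 (0xF36F, whose low byte 0x6F is 111) while `tcp[2:2] == 111` only matches port 111. The function names and the sample packets are assumptions of this example.

```python
import struct


def tcp_header(sport, dport, seq=0, ack=0, flags=0x02, window=0x2238,
               data_offset=5):
    """Build a minimal TCP header (RFC 793 layout, no options) in network
    byte order.  Constructed sample data for this example, not a capture."""
    off_flags = (data_offset << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       off_flags, window, 0, 0)


def bpf_field(hdr, offset, size=1):
    """Emulate the BPF expression tcp[offset:size]: read `size` bytes at the
    zero-based `offset` into the TCP header as a big-endian unsigned int.
    tcp[offset] with no size is the same as tcp[offset:1]."""
    if size not in (1, 2, 4):
        raise ValueError("BPF accessors take size 1, 2 or 4")
    if offset < 0 or offset + size > len(hdr):
        raise ValueError("offset runs past the end of the header")
    return int.from_bytes(hdr[offset:offset + size], "big")


def matches_low_byte_filter(hdr, value=111):
    """What 'tcp[3:1] == 111' really tests: only the low byte of dst port."""
    return bpf_field(hdr, 3, 1) == value


def matches_dst_port_filter(hdr, port=111):
    """What 'tcp[2:2] == 111' (equivalently 'dst port 111') tests."""
    return bpf_field(hdr, 2, 2) == port


# Constructed packets mirroring the ports seen in the thread (port numbers
# are the only realistic part; everything else is filler).
SAMPLES = {
    "portmap probe": tcp_header(35932, 111),    # dst 111  -> 0x006F
    "http reply":    tcp_header(80, 62319),     # dst 62319 -> 0xF36F
    "ssh":           tcp_header(54321, 22),     # dst 22   -> 0x0016
}


def classify(samples=SAMPLES):
    """Map each sample to (matches tcp[3:1]==111, matches tcp[2:2]==111)."""
    return {name: (matches_low_byte_filter(h), matches_dst_port_filter(h))
            for name, h in samples.items()}


def low_byte_collisions(port):
    """Every other destination port that 'tcp[3:1] == (port & 0xFF)' also
    accepts: all ports sharing the low byte, 255 of them for any port."""
    return [p for p in range(65536)
            if (p & 0xFF) == (port & 0xFF) and p != port]


if __name__ == "__main__":
    for name, (one_byte, two_bytes) in classify().items():
        print(f"{name:14s} tcp[3:1]==111: {one_byte!s:5s} "
              f"tcp[2:2]==111: {two_bytes}")
    print("ports sharing the low byte of 111:",
          low_byte_collisions(111)[:5], "...")
```

If tcpdump is available, `tcpdump -d 'tcp[3:1] == 111'` prints the compiled filter and shows it loading a single byte (ldb) at the computed offset, whereas `tcpdump -d 'tcp[2:2] == 111'` loads a halfword (ldh); the one-byte compare is the whole explanation for the 62319 matches.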
