[Snort-users] First thing logged by snort

Fyodor fygrave at ...121...
Sun Mar 18 08:16:04 EST 2001


> Hi
> 
> I recently got snort up and running.  I just reviewed the snort log
> files and found its first entry.
> Where can I find info on interpreting the packets that it logs ??  Here
> is a snippet of what was in this entry:
> 
> 01/05-15:26:54.896182 0:50:73:1:6C:A8 -> 0:60:8:38:86:FA type:0x800
> len:0x6E

ARP header.. source MAC address -> dst mac address, type of ethernet frame, length.

> 216.253.248.140:850 -> 24.40.74.92:111 TCP TTL:44 TOS:0x0 ID:48709  DF

Source IP, port, dest IP, port, protocol (tcp), time-to-live, tos, ID, DF flag is set. (see the RFC for TCP for details on these)

> *****PA* Seq: 0x8012565C   Ack: 0x56397446   Win: 0x7D78

tcp flags, seq, ack, win..

> TCP Options => NOP NOP TS: 26167343 24687884

options.. 

> 80 00 00 28 49 07 FF 27 00 00 00 00 00 00 00 02  ...(I..'........
> 00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00              ............

the packet payload.

> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> The other packets look similar.
> Also I keep getting the following in my system logs.  It looks like
> something logged by ipchains:
> 
> Mar 16 21:19:25 jerry kernel: Packet log: input DENY eth0 PROTO=17
> 202.12.27.33:53 24.40.74.92:64248 L=462 S=0x00 I=36353 F=0x0000 T=44
> (#14)

That's what was rejected by ipchains. Protocol 17 is UDP. Look into your ipchains configuration for the answer as to why it was denied. :)

> Mar 16 21:19:25 jerry kernel: Packet log: input DENY eth0 PROTO=17
> 202.12.27.33:53 24.40.74.92:64248 L=462 S=0x00 I=36353 F=0x0000 T=44
> (#14)
> -------------------------------------
> 
> Thanks for any help.
> 
> Jim
> 

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
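As an added example (not part of the thread), a Python parser for the Snort 1.x text record quoted above, followed by a decode of its payload as an ONC RPC call header (RFC 1057): the hex dump is a TCP request to port 111 whose program number 0x000186A0 (100000) is the portmapper and whose procedure 4 is PMAPPROC_DUMP, i.e. a request to list every RPC service registered on the host. The sample input is constructed from the quoted record, with the wrapped Ethernet line rejoined.

```python
import re
import struct

# Constructed sample input: the Snort packet record quoted in the thread above.
SNORT_RECORD = """\
01/05-15:26:54.896182 0:50:73:1:6C:A8 -> 0:60:8:38:86:FA type:0x800 len:0x6E
216.253.248.140:850 -> 24.40.74.92:111 TCP TTL:44 TOS:0x0 ID:48709  DF
*****PA* Seq: 0x8012565C   Ack: 0x56397446   Win: 0x7D78
TCP Options => NOP NOP TS: 26167343 24687884
80 00 00 28 49 07 FF 27 00 00 00 00 00 00 00 02  ...(I..'........
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00              ............
"""

# Line shapes of a Snort 1.x text record: Ethernet header, IP header, TCP header, TCP options, hex dump.
ETH_RE = re.compile(r"^(\S+) (\S+) -> (\S+) type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)$")
IP_RE = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+) (\w+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+)(.*)$")
TCP_RE = re.compile(r"^([*12UAPRSF]{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)\s+Win: 0x([0-9A-Fa-f]+)$")
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} )+) ")  # hex columns end where the two-space ASCII gutter begins

def parse_snort_record(text):
    """Return a dict of header fields plus the raw payload bytes from one Snort text record."""
    rec = {"payload": b""}
    for line in text.splitlines():
        if m := ETH_RE.match(line):
            rec.update(ts=m[1], src_mac=m[2], dst_mac=m[3], ethertype=int(m[4], 16), frame_len=int(m[5], 16))
        elif m := IP_RE.match(line):
            rec.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]), proto=m[5],
                       ttl=int(m[6]), tos=int(m[7], 16), ipid=int(m[8]), df="DF" in m[9])
        elif m := TCP_RE.match(line):
            # Letter positions differ between Snort 1.x versions, so keep only the letters that are set.
            rec.update(flags={c for c in m[1] if c != "*"}, seq=int(m[2], 16), ack=int(m[3], 16), win=int(m[4], 16))
        elif line.startswith("TCP Options =>"):
            rec["tcp_options"] = line.split("=>", 1)[1].strip()
        elif m := HEX_RE.match(line):
            rec["payload"] += bytes.fromhex(m[1].replace(" ", ""))
    return rec

PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}  # RFC 1057, portmapper v2

def decode_rpc_call(payload):
    """Decode the ONC RPC record mark and call header (RFC 1057) carried over TCP; None if too short."""
    if len(payload) < 28:
        return None
    mark, xid, msg_type, rpc_vers, prog, vers, proc = struct.unpack(">7I", payload[:28])
    call = {"last_fragment": bool(mark & 0x80000000), "frag_len": mark & 0x7FFFFFFF, "xid": xid,
            "msg_type": msg_type, "rpc_version": rpc_vers, "program": prog, "version": vers, "procedure": proc}
    if prog == 100000:  # portmapper: name the procedure so the analyst sees what was asked of the host
        call.update(program_name="portmapper", procedure_name=PMAP_PROCS.get(proc, f"unknown({proc})"))
    return call
```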