[Snort-users] Problems with eth1?

Jason Smith jsmith at ...2528...
Fri Oct 26 08:38:03 EDT 2001


Hello all,

Here's the problem.  I have a Linux box running Redhat 7.1 w/ 2.4.6.  It has
two NICs, both Intel eepro100s.  They are both monitoring different
segments of the network.  One is on the inside of the firewall and one is
on the outside.  The problem interface is the outside one.  I am getting no
alerts and haven't for the last week or so.  I do have some simple rules that
should be tripped every now and then, but I'm not even getting those.  The
internal interface does log those rules so I know the traffic is there.  The
output below is from running snort -dev -i eth1.  If I do this on eth0,
traffic just flies by.  I'm thinking there is something wrong with the
network card.  Hopefully the output below helps.  I have also checked the
dmesg log and configured syslog to log all kernel messages to /var/log/kernel,
and neither of these has logged anything suspicious.

Any help is greatly appreciated.  Also if you have any other questions let
me know.

Thanks
Jason Smith



<snip>
10/26-09:28:50.870406 ARP who-has 209.248.9.225 tell 209.248.9.227

10/26-09:35:49.786894 ARP who-has 209.248.9.237 tell 209.248.9.225

10/26-09:35:52.983387 ARP who-has 209.248.9.237 tell 209.248.9.225

10/26-09:36:39.085670 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0xF3
209.248.9.227:138 -> 209.248.9.239:138 UDP TTL:128 TOS:0x0 ID:55741 IpLen:20
DgmLen:229
Len: 209
11 02 C4 BE D1 F8 09 E3 00 8A 00 BB 00 00 20 45  .............. E
46 43 4E 45 4E 45 42 45 4A 45 4D 43 41 43 41 43  FCNENEBEJEMCACAC
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00  ACACACACACACACA.
20 46 48 45 50 46 43 45 4C 45 48 46 43 45 50 46   FHEPFCELEHFCEPF
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42  FFACACACACACACAB
4F 00 FF 53 4D 42 25 00 00 00 00 00 00 00 00 00  O..SMB%.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 11 00 00 21 00 00 00 00 00 00 00 00 00 E8  .....!..........
03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01  .........!.V....
00 00 00 02 00 32 00 5C 4D 41 49 4C 53 4C 4F 54  .....2.\MAILSLOT
5C 42 52 4F 57 53 45 00 0F 00 80 FC 0A 00 45 2D  \BROWSE.......E-
4D 41 49 4C 00 00 00 00 00 00 00 00 00 00 04 00  MAIL............
03 10 05 00 0F 01 55 AA 00                       ......U..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:37:23.483031 ARP who-has 209.248.9.230 tell 209.248.9.227

10/26-09:37:38.825961 ARP who-has 209.248.9.225 tell 209.248.9.227

10/26-09:37:39.715834 ARP who-has 209.248.9.238 tell 209.248.9.225

10/26-09:37:40.202475 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0xF9
209.248.9.227:138 -> 209.248.9.239:138 UDP TTL:128 TOS:0x0 ID:58815 IpLen:20
DgmLen:235
Len: 215
11 02 C4 C0 D1 F8 09 E3 00 8A 00 C1 00 00 20 45  .............. E
46 43 4E 45 4E 45 42 45 4A 45 4D 43 41 43 41 43  FCNENEBEJEMCACAC
41 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00  ACACACACACACAAA.
20 41 42 41 43 46 50 46 50 45 4E 46 44 45 43 46   ABACFPFPENFDECF
43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41  CEPFHFDEFFPFPACA
42 00 FF 53 4D 42 25 00 00 00 00 00 00 00 00 00  B..SMB%.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 11 00 00 27 00 00 00 00 00 00 00 00 00 E8  .....'..........
03 00 00 00 00 00 00 00 00 27 00 56 00 03 00 01  .........'.V....
00 01 00 02 00 38 00 5C 4D 41 49 4C 53 4C 4F 54  .....8.\MAILSLOT
5C 42 52 4F 57 53 45 00 0C 00 A0 BB 0D 00 57 4F  \BROWSE.......WO
52 4B 47 52 4F 55 50 00 4A FC E1 77 40 A1 03 0A  RKGROUP.J..w@...
00 10 00 80 68 FF 4B 02 45 2D 4D 41 49 4C 00     ....h.K.E-MAIL.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:37:43.035484 ARP who-has 209.248.9.238 tell 209.248.9.225

10/26-09:39:34.324639 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:23495 IpLen:20
DgmLen:78
Len: 58
C4 C4 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4C 00 00 20  ACACACACACABL..
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:35.072695 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:23751 IpLen:20
DgmLen:78
Len: 58
C4 C4 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4C 00 00 20  ACACACACACABL..
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:35.823741 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:24007 IpLen:20
DgmLen:78
Len: 58
C4 C4 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4C 00 00 20  ACACACACACABL..
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:39.329046 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:24263 IpLen:20
DgmLen:78
Len: 58
C4 C8 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4C 00 00 20  ACACACACACABL..
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:39.329456 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:24519 IpLen:20
DgmLen:78
Len: 58
C4 CC 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4D 00 00 20  ACACACACACABM..
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:39.329871 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0x10E
209.248.9.227:138 -> 209.248.9.239:138 UDP TTL:128 TOS:0x0 ID:24775 IpLen:20
DgmLen:256
Len: 236
11 02 C4 CE D1 F8 09 E3 00 8A 00 D6 00 00 20 45  .............. E
46 43 4E 45 4E 45 42 45 4A 45 4D 43 41 43 41 43  FCNENEBEJEMCACAC
41 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00  ACACACACACACAAA.
20 46 48 45 50 46 43 45 4C 45 48 46 43 45 50 46   FHEPFCELEHFCEPF
46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 41  FFACACACACACACAA
41 00 FF 53 4D 42 25 00 00 00 00 18 03 00 00 00  A..SMB%.........
00 00 00 00 00 00 00 00 00 00 00 00 FE CA 00 00  ................
00 00 11 00 00 36 00 02 00 00 00 00 00 02 00 FF  .....6..........
FF FF FF 00 00 00 00 5C 00 36 00 5C 00 03 00 01  .......\.6.\....
00 00 00 02 00 4D 00 5C 4D 41 49 4C 53 4C 4F 54  .....M.\MAILSLOT
5C 4E 45 54 5C 4E 45 54 4C 4F 47 4F 4E 00 07 00  \NET\NETLOGON...
45 2D 4D 41 49 4C 00 5C 4D 41 49 4C 53 4C 4F 54  E-MAIL.\MAILSLOT
5C 4E 45 54 5C 47 45 54 44 43 33 34 38 00 45 00  \NET\GETDC348.E.
2D 00 4D 00 41 00 49 00 4C 00 00 00 01 00 00 00  -.M.A.I.L.......
FF FF FF FF                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:40.079727 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:25031 IpLen:20
DgmLen:78
Len: 58
C4 CC 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4D 00 00 20  ACACACACACABM..
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-09:39:40.079758 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:25287 IpLen:20
DgmLen:78
Len: 58
C4 C8 01 10 00 01 00 00 00 00 00 00 20 46 48 45  ............ FHE
50 46 43 45 4C 45 48 46 43 45 50 46 46 46 41 43  PFCELEHFCEPFFFAC
41 43 41 43 41 43 41 43 41 43 41 42 4C 00 00 20  ACACACACACABL..
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

</snip>
<snip>

Snort analyzed 95 out of 95 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 75         (78.947%)         LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 20         (21.053%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort received signal 2, exiting

</snip>
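Every Ethernet frame in the dump above is addressed to FF:FF:FF:FF:FF:FF and comes from a single source MAC, and the statistics show only UDP broadcasts and ARP: eth1 is seeing nothing but the segment's broadcast traffic, which is the usual symptom of a sensor port on a switch with no mirroring (SPAN/hub) or of an interface that is not in promiscuous mode, rather than a bad NIC. The following script is an added example, not part of the original post: it parses `snort -dev` header lines in the format shown above, counts unicast versus group-addressed frames, and returns a diagnosis. The sample text is a constructed subset in the same format; the function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed sample in the shape of `snort -dev` output: one ARP line and two
# Ethernet headers with broadcast destinations, like the dump in the post.
SAMPLE = """\
10/26-09:28:50.870406 ARP who-has 209.248.9.225 tell 209.248.9.227

10/26-09:36:39.085670 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0xF3
209.248.9.227:138 -> 209.248.9.239:138 UDP TTL:128 TOS:0x0 ID:55741 IpLen:20
10/26-09:39:34.324639 0:A0:C9:12:9E:A2 -> FF:FF:FF:FF:FF:FF type:0x800
len:0x5C
209.248.9.227:137 -> 209.248.9.239:137 UDP TTL:128 TOS:0x0 ID:23495 IpLen:20
"""

TS = r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ "
ETH_RE = re.compile(TS + r"([0-9A-Fa-f:]+) -> ([0-9A-Fa-f:]+) type:0x([0-9A-Fa-f]+)")
ARP_RE = re.compile(TS + r"ARP ")


def is_group_address(mac):
    # Low-order bit of the first octet set => multicast or broadcast (I/G bit)
    return int(mac.split(":")[0], 16) & 1 == 1


def summarize(text):
    """Count ARP lines, Ethernet frames, and unicast vs group destinations."""
    stats = {"arp": 0, "eth": 0, "unicast": 0, "group": 0, "src_macs": Counter()}
    for line in text.splitlines():
        if ARP_RE.match(line):
            stats["arp"] += 1
            continue
        m = ETH_RE.match(line)
        if m:
            src, dst, _ethertype = m.groups()
            stats["eth"] += 1
            stats["src_macs"][src.upper()] += 1
            stats["group" if is_group_address(dst) else "unicast"] += 1
    return stats


def verdict(stats):
    if stats["eth"] == 0 and stats["arp"] == 0:
        return "no frames: check link state and that the interface is up"
    if stats["unicast"] == 0:
        return "only broadcast/multicast seen: port not mirrored or NIC not promiscuous"
    return "unicast present: capture path looks healthy"


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s, "->", verdict(s))
```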