[Snort-users] Capturing incoming packets?

guano at ...9464...
Fri Jun 13 15:53:06 EDT 2003


Hi,

I hope this is the appropriate forum.

I'm setting up a new network configuration.
<ASCII-ART>

           /---Linux-----------\
           |                   |
Internet--hub--------firewall--+---LAN

</ASCII-ART>

My Linux box is dual-homed.  The internal network interface works
as a normal interface.  The external interface has an unroutable IP
address and a network connection that does not permit transmitting.
This way, I can see everything outside with no worry about something
trying to come inside.

Is there some way to configure snort to capture all packets that do not
originate from me?

For example, a TCP session normally looks like:
  SYN ->
      <- ACK
  SYN-ACK ->
      <- data
  ACK ->
  etc.
I want to capture the entire session, only when the initial SYN did not
come from me.

For example:
  not host myhostname
  -- this shows my half of the communications.
     It does capture incoming SYN requests, but it also captures every
     web reply, FTP reply, etc.  This isn't what I want.

I really want to capture "everything that is initiated from the
outside world".  Including UDP, TCP, and ICMP (ARP isn't important to me).
Basically, I want to capture everything that is not part of a session
initiated by me.
  - Keeping track of TCP sessions is feasible.
  - Keeping track of UDP and ICMP sessions (since they are stateless) is
    a little more difficult.  I'm thinking it would keep track of host/port
    in a finite timeframe.

Is this possible already?

					-Guano
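The session tracking the post sketches (TCP ownership decided by who sent the bare SYN; UDP and ICMP treated as pseudo-sessions keyed on host/port with an idle timeout), written out as a stand-alone filter. This is an added example, not part of the original message and not a Snort feature or configuration; the packets are constructed tuples rather than a live capture so it runs offline, and the address 192.0.2.10 and the peers are assumed values.

```python
"""Keep only packets from sessions the local host did NOT initiate.

Added example, not Snort code. Packets are constructed tuples standing in
for what a pcap decoder would produce. For ICMP echo, sport and dport both
carry the echo identifier so request and reply share one flow key.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src sport dst dport flags")

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


def flow_key(pkt):
    """Direction-independent key: both halves of a conversation map to it."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


class SessionTracker:
    def __init__(self, me, timeout=30.0):
        self.me = me
        self.timeout = timeout      # idle limit for UDP/ICMP pseudo-sessions
        self.sessions = {}          # flow_key -> [initiator_ip, last_seen]

    def _expire(self, now):
        # Only the stateless protocols age out; TCP state is dropped on RST.
        dead = [k for k, (_, last) in self.sessions.items()
                if k[0] != "tcp" and now - last > self.timeout]
        for k in dead:
            del self.sessions[k]

    def wanted(self, pkt):
        """True if pkt belongs to a session that `me` did not start."""
        self._expire(pkt.ts)
        key = flow_key(pkt)
        entry = self.sessions.get(key)

        if pkt.proto == "tcp":
            if pkt.flags & TCP_SYN and not pkt.flags & TCP_ACK:
                # A bare SYN (re)starts a session; its sender is the initiator.
                entry = self.sessions[key] = [pkt.src, pkt.ts]
            elif entry is None:
                # Mid-stream packet with no SYN seen: cannot prove it is ours,
                # so keep it rather than silently drop it.
                return True
        elif entry is None:
            # UDP/ICMP have no handshake: the first packet seen inside the
            # idle window defines the initiator.
            entry = self.sessions[key] = [pkt.src, pkt.ts]

        entry[1] = pkt.ts
        foreign = entry[0] != self.me
        if pkt.proto == "tcp" and pkt.flags & TCP_RST:
            del self.sessions[key]  # torn down; forget it
        return foreign


def filter_trace(packets, me, timeout=30.0):
    """Run the tracker over a packet list; return the packets to keep."""
    tracker = SessionTracker(me, timeout)
    return [p for p in packets if tracker.wanted(p)]


# Constructed sample trace (assumed addresses, not captured data).
ME = "192.0.2.10"
WEB, SCANNER, DNS, PROBE = "203.0.113.5", "198.51.100.7", "203.0.113.53", "198.51.100.9"

SAMPLE_TRACE = [
    # my outbound web session: SYN, SYN-ACK, ACK, reply data -> none kept
    Packet(1.0, "tcp", ME, 40000, WEB, 80, TCP_SYN),
    Packet(1.1, "tcp", WEB, 80, ME, 40000, TCP_SYN | TCP_ACK),
    Packet(1.2, "tcp", ME, 40000, WEB, 80, TCP_ACK),
    Packet(1.5, "tcp", WEB, 80, ME, 40000, TCP_ACK),
    # someone knocking on my ssh port -> both halves kept
    Packet(2.0, "tcp", SCANNER, 5555, ME, 22, TCP_SYN),
    Packet(2.1, "tcp", ME, 22, SCANNER, 5555, TCP_SYN | TCP_ACK),
    Packet(2.2, "tcp", SCANNER, 5555, ME, 22, TCP_RST),
    # my DNS query and its prompt reply -> not kept
    Packet(3.0, "udp", ME, 53001, DNS, 53, 0),
    Packet(3.1, "udp", DNS, 53, ME, 53001, 0),
    # unsolicited UDP probe -> kept
    Packet(4.0, "udp", PROBE, 1234, ME, 137, 0),
    # my echo request whose reply arrives after the idle timeout: the state
    # has aged out, so the reply is (wrongly) treated as a new foreign session
    Packet(5.0, "icmp", ME, 7, WEB, 7, 0),
    Packet(40.0, "icmp", WEB, 7, ME, 7, 0),
]

if __name__ == "__main__":
    for p in filter_trace(SAMPLE_TRACE, ME):
        print(p)
```

The last two packets show the trade-off in the timeout the post proposes: a window that is too short turns late replies to your own UDP/ICMP traffic into apparent inbound sessions, and one that is too long lets a remote host reuse a port pair you recently used and have its traffic discounted. For the TCP half alone, a plain libpcap/BPF expression such as `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst host 192.0.2.10` selects the inbound bare SYNs, but it cannot follow the rest of the session, which is why the state table above is needed.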