[Snort-users] Capturing incoming packets?

guano at ...9464... guano at ...9464...
Fri Jun 13 20:41:07 EDT 2003


Hi Erek,

Unfortunately, the option you provided will not work:

> 	snort -l <logdir> -b 'not net <local_lan>'

This will filter out things that I want to capture, such as someone
initiating a port scan against my network.
In addition, this command does not take sessions or initiation
direction into account.

What I have is a WAN connection (e.g., cable modem or DSL) and
a firewall with NAT protecting the LAN.  The firewall logs only
the basics (when, what) but not the details (packet content, fractional
packets, anything TCP beyond SYN).

My Linux IDS is tapped into the area between the WAN connection and
the firewall (e.g., DMZ).  So it is in a position to see all traffic
leaving the firewall, as well as everything that comes toward the
firewall.  In particular, it is in a position to see everything
that does not make it through the firewall.

What I want to capture are only the packets that are:
(1) Heading toward the firewall from the WAN, *and*
(2) Not in reply to anything sent out from the firewall/NAT.
Thus, only unrequested packets (sniffs, attacks, "something unexpected")
will be captured.

Are there other options?

					-guano


> On Fri, 13 Jun 2003 guano at ...9464... wrote:
> 
> [...snip...]
> 
> > I really want to capture "everything that is initiated from the
> > outside world".  Including UDP, TCP, and ICMP (ARP isn't important to me).
> > Basically, I want to capture everything that is not part of a session
> > initiated by me.
> >   - Keeping track of TCP sessions is feasible.
> >   - Keeping track of UDP and ICMP sessions (since they are stateless) is
> >     a little more difficult.  I'm thinking it would keep track of host/port
> >     in a finite timeframe.
> >
> > Is this possible already?
> 
> Yep.
> 
> 	snort -l <logdir> -b 'not net <local_lan>'
> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."   H.S. Thompson
> 

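A capture filter alone cannot do what the post asks for, because a BPF expression only sees the fields of the packet in front of it and has no memory of what the firewall sent out earlier. The tracker below is an added example, not code from this thread or from Snort: it models the "keep only unsolicited inbound packets" rule by remembering outbound-initiated flows (TCP opened by a bare SYN, UDP by host/port, ICMP echo by identifier) and expiring them after an idle timeout, which is the host/port-in-a-timeframe idea the post sketches for the stateless protocols. The firewall's public address, the timeouts, and the packet tuples are all constructed for the demonstration.

```python
from collections import namedtuple

# One packet as the IDS sees it on the WAN side of the firewall (constructed
# representation, not a parsed capture). For TCP/UDP sport/dport are ports and
# flags is a frozenset of TCP flag names; for ICMP sport carries the ICMP type
# and dport the echo identifier.
Packet = namedtuple("Packet", "ts proto src sport dst dport flags")

FW_PUBLIC = "203.0.113.10"   # hypothetical public address of the NAT firewall
UDP_ICMP_IDLE = 30.0         # hypothetical idle timeout for the stateless protocols
TCP_IDLE = 3600.0            # hypothetical idle timeout for TCP sessions

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


class UnsolicitedInboundFilter:
    """Flags inbound packets that are not replies to flows the firewall started."""

    def __init__(self, fw_public=FW_PUBLIC, udp_icmp_idle=UDP_ICMP_IDLE, tcp_idle=TCP_IDLE):
        self.fw = fw_public
        self.idle = {"tcp": tcp_idle, "udp": udp_icmp_idle, "icmp": udp_icmp_idle}
        # (proto, local port or echo id, remote host, remote port or ICMP type) -> last seen
        self.flows = {}

    def _expire(self, now):
        dead = [k for k, seen in self.flows.items() if now - seen > self.idle[k[0]]]
        for k in dead:
            del self.flows[k]

    def _outbound(self, pkt):
        """Record a flow the firewall initiated, or refresh one it is still using."""
        if pkt.proto == "tcp":
            key = ("tcp", pkt.sport, pkt.dst, pkt.dport)
            # Only a bare SYN opens a session; other outbound TCP just refreshes an open one.
            if ("SYN" in pkt.flags and "ACK" not in pkt.flags) or key in self.flows:
                self.flows[key] = pkt.ts
        elif pkt.proto == "udp":
            self.flows[("udp", pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
        elif pkt.proto == "icmp" and pkt.sport == ICMP_ECHO_REQUEST:
            # Remember the echo identifier so the matching echo reply counts as expected.
            self.flows[("icmp", pkt.dport, pkt.dst, ICMP_ECHO_REPLY)] = pkt.ts

    def _inbound_expected(self, pkt):
        """True when pkt answers a recorded outbound flow; refreshes or closes it."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key not in self.flows:
            return False
        self.flows[key] = pkt.ts
        if pkt.proto == "tcp" and "RST" in pkt.flags:
            del self.flows[key]   # peer tore the session down; nothing more is expected
        return True

    def process(self, pkt):
        """Return True when pkt should be captured: heading to the firewall and unsolicited."""
        self._expire(pkt.ts)
        if pkt.src == self.fw:
            self._outbound(pkt)
            return False          # traffic leaving the firewall is never captured
        if pkt.dst != self.fw:
            return True           # not addressed to the firewall at all: nobody asked for it
        return not self._inbound_expected(pkt)


def sample_capture():
    """Constructed packets (not a real trace) exercising each branch of the filter."""
    S, SA, N = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset()
    fw = FW_PUBLIC
    return [
        Packet(0.0, "tcp", fw, 40000, "198.51.100.5", 80, S),       # firewall opens a web session
        Packet(0.1, "tcp", "198.51.100.5", 80, fw, 40000, SA),      # expected SYN/ACK
        Packet(1.0, "tcp", "192.0.2.7", 5555, fw, 22, S),           # unsolicited SSH probe
        Packet(2.0, "udp", fw, 53000, "198.51.100.53", 53, N),      # outbound DNS query
        Packet(2.5, "udp", "198.51.100.53", 53, fw, 53000, N),      # expected DNS answer
        Packet(3.0, "icmp", "192.0.2.9", 8, fw, 1, N),              # unsolicited ping
        Packet(4.0, "icmp", fw, 8, "198.51.100.1", 77, N),          # outbound echo request
        Packet(4.2, "icmp", "198.51.100.1", 0, fw, 77, N),          # expected echo reply
        Packet(100.0, "udp", "198.51.100.53", 53, fw, 53000, N),    # late DNS packet: flow expired
    ]


def unsolicited(packets, flt=None):
    """Return the packets the filter would hand to the logger, in capture order."""
    flt = flt or UnsolicitedInboundFilter()
    return [p for p in packets if flt.process(p)]


if __name__ == "__main__":
    for p in unsolicited(sample_capture()):
        print(f"{p.ts:6.1f} {p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Run against the constructed capture it reports the SSH probe, the inbound ping, and the DNS packet that arrives after its flow has expired, and stays silent on the SYN/ACK, the DNS answer and the echo reply. Two caveats a practitioner would add: ICMP error messages (destination unreachable, time exceeded) triggered by outbound traffic are not matched to any flow here and would be captured as unsolicited, and a stateless pcap filter such as `dst host <fw_public> and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` can reproduce only the TCP part of this (inbound connection attempts), not the UDP and ICMP reply matching.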