[Snort-users] Capturing incoming packets?

guano at ...9464...
Sat Jun 14 15:35:09 EDT 2003


Hi Erek,

This command still won't cut it.

> 	snort -l <dir> -b 'not src <IP>'

Consider this:
I use a web browser to connect to google.

   HTTP -> google     = filtered by 'not src <IP>'
   google -> reply    = NOT filtered by 'not src <IP>'

Or, in more detail:
   <IP>        google          captured by snort?
   -----       -------         ------------------
   SYN   ->                    filtered
         <-    SYN,ACK         NOT filtered
   ACK   ->                    filtered
   HTTP  ->                    filtered
         <-    ACK             NOT filtered
         <-    HTTP reply      NOT filtered
   ACK   ->                    filtered
         <-    FIN,ACK         NOT filtered
   ACK   ->                    filtered
   
Thus, snort will capture exactly half of this session.

Since the entire session was initiated by <IP>, I want the entire
session filtered.  Not just the requests, but the replies as well.
Any snort option that does not take session-tracking into account will
be unable to do this.

Is there a method for snort to capture everything that is not part of
a session initiated by <IP>?

					-guano


> On Fri, 13 Jun 2003 guano at ...9464... wrote:
> 
> > Unfortunately, the option you provided will not work:
> >
> > > 	snort -l <logdir> -b 'not net <local_lan>'
> >
> > This will filter out things that I want to capture, such as someone
> > initiating a port scan against my network.
> > In addition, this command does not take sessions or initiation
> > direction into account.
> 
> My bad.  I forgot one part:
> 
> 	'not src net <local>'
> 
> After reading the below, I realized that you're going to have some
> issues, so that may not work as you want.
> 
> > What I have is a WAN connection (e.g., cable modem or DSL) and
> > a firewall with NAT protecting the LAN.  The firewall logs only
> > the basics (when, what) but not the details (packet content, fractional
> > packets, anything TCP beyond SYN).
> >
> > My Linux IDS is tapped into the area between the WAN connection and
> > the firewall (e.g., DMZ).  So it is in a position to see all traffic
> > leaving the firewall, as well as everything that comes toward the
> > firewall.  In particular, it is in a position to see everything
> > that does not make it through the firewall.
> >
> > What I want to capture are only the packets that are:
> > (1) Heading toward the firewall from the WAN, *and*
> 
> Easy enough.  Since you're using NAT, all you need is the "front" IP of
> the firewall.  Then just do something like:
> 
> 	snort -l <dir> -b 'not src <IP>'
> 
> > (2) Not in reply to anything sent out from the firewall/NAT.
> 
> Easily done.  See above.
> 
> > Thus, only unrequested packets (sniffs, attacks, "something unexpected")
> > will be captured.
> 
> Well, for what you want, you might be better off using tcpdump.  You don't
> seem to care about the rules, you just want the traffic.  If that's the
> case just use tcpdump instead.
> 
> If you do care about the rules, just write some that ignore what you want
> and alert on everything else.
> 
> 	alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Incoming port 22 connection.";)
> 
> There's been some good threads on 'anomaly detection' in the archives.
> I'd suggest you read over that and make use of some of those ideas/rules.
> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."   H.S. Thompson
> 

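The disagreement in this thread comes down to one point: a BPF expression such as 'not src <IP>' classifies each packet on its own, while "not part of a session initiated by <IP>" is a property of the flow, not of the packet. The following is an added example (not code from either poster, nor from Snort) that makes the difference concrete. It replays the browsing session from the table above plus a few unsolicited probes, all constructed inline with addresses from the documentation ranges (203.0.113.5 standing in for <IP>, 198.51.100.80 for the web server, 192.0.2.66 for an outside scanner), and shows what a stateless 'not src <IP>' keeps, what a minimal session tracker keeps, and how close a stateless TCP-flag filter can get.

```python
"""Session-aware 'unsolicited inbound' filter versus the stateless BPF
approach.  Added example for the Snort-users thread; all packets and
addresses below are constructed, not captured traffic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp" | "udp" | "icmp"
    flags: int = 0        # TCP flag bits; 0 for udp/icmp
    payload: str = ""


Flow = Tuple[str, int, str, int, str]


def flow_key(p: Packet) -> Flow:
    """Direction-independent 5-tuple so both halves of a flow share one key."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (lo[0], lo[1], hi[0], hi[1], p.proto)


def stateless_not_src(packets: List[Packet], ip: str) -> List[Packet]:
    """What `snort -b 'not src <IP>'` keeps: everything not sourced by <IP>,
    which includes every reply to sessions <IP> opened."""
    return [p for p in packets if p.src != ip]


def stateless_inbound_no_ack(packets: List[Packet], ip: str) -> List[Packet]:
    """Closest stateless BPF approximation for TCP only, equivalent to
    'dst host <IP> and tcp[13] & 0x10 == 0'.  Every reply inside a session
    <IP> opened carries ACK (SYN/ACK, ACK, FIN/ACK, RST/ACK), so inbound
    packets with ACK clear cannot be such replies.  Caveats: it says nothing
    about UDP/ICMP, and it misses ACK/FIN-with-ACK probes and every later
    packet of a session an outsider opened."""
    return [p for p in packets
            if p.dst == ip and p.proto == "tcp" and not (p.flags & ACK)]


class SessionFilter:
    """Remembers which side opened each flow and drops every packet, in
    either direction, belonging to a flow opened by `ip`."""

    def __init__(self, ip: str):
        self.ip = ip
        self.initiator: Dict[Flow, str] = {}

    @staticmethod
    def _opens_session(p: Packet) -> bool:
        if p.proto == "tcp":
            # Only a bare SYN opens a TCP session.  Any other packet for an
            # unknown flow (ACK scan, FIN scan, stray RST) is unsolicited.
            return (p.flags & (SYN | ACK)) == SYN
        # UDP/ICMP have no handshake: whoever speaks first is the initiator.
        return True

    def keep(self, p: Packet) -> bool:
        k = flow_key(p)
        who = self.initiator.get(k)
        if who is None:
            if not self._opens_session(p):
                return True
            self.initiator[k] = who = p.src
        if p.proto == "tcp" and p.flags & RST:
            # Expire on RST.  A real tracker would also expire flows on a
            # completed FIN exchange and on idle timeout; omitted here.
            self.initiator.pop(k, None)
        return who != self.ip


def filter_unsolicited(packets: List[Packet], ip: str) -> List[Packet]:
    f = SessionFilter(ip)
    return [p for p in packets if f.keep(p)]


# Constructed sample traffic (documentation-range addresses).
IP = "203.0.113.5"        # the firewall's WAN-side address, <IP> in the thread
WEB = "198.51.100.80"     # stand-in for the web server <IP> browses to
DNS = "198.51.100.53"     # a resolver <IP> queries
SCANNER = "192.0.2.66"    # an outside host probing the firewall


def tcp(src, sport, dst, dport, flags, payload=""):
    return Packet(src, sport, dst, dport, "tcp", flags, payload)


SAMPLE = [
    tcp(IP, 40000, WEB, 80, SYN),                 # session from the thread's table
    tcp(WEB, 80, IP, 40000, SYN | ACK),
    tcp(IP, 40000, WEB, 80, ACK),
    tcp(IP, 40000, WEB, 80, ACK | PSH, "GET / HTTP/1.0"),
    tcp(WEB, 80, IP, 40000, ACK),
    tcp(WEB, 80, IP, 40000, ACK | PSH, "HTTP/1.0 200 OK"),
    tcp(IP, 40000, WEB, 80, ACK),
    tcp(WEB, 80, IP, 40000, FIN | ACK),
    tcp(IP, 40000, WEB, 80, ACK),
    Packet(IP, 40001, DNS, 53, "udp", payload="A? www.example"),   # DNS lookup by <IP>
    Packet(DNS, 53, IP, 40001, "udp", payload="A www.example"),
    tcp(SCANNER, 55555, IP, 22, SYN),             # unsolicited SYN probe
    tcp(IP, 22, SCANNER, 55555, RST | ACK),       # firewall's reply: same session
    tcp(SCANNER, 55556, IP, 80, ACK),             # unsolicited ACK scan
]

if __name__ == "__main__":
    for name, fn in (("not src <IP>", stateless_not_src),
                     ("inbound, ACK clear", stateless_inbound_no_ack),
                     ("session tracking", filter_unsolicited)):
        kept = fn(SAMPLE, IP)
        print(f"{name:20s} keeps {len(kept)} packets")
```

On this sample the stateless filter keeps the four web-server packets and the DNS reply along with the three probes, exactly the "half the session" guano describes; the session tracker keeps only the three probe packets, including the firewall's own RST reply to the scanner, since that session was opened from outside; the ACK-clear approximation keeps just the bare SYN probe and misses the other two. Whether Snort itself could do the stateful version in 2003 is the open question of the thread; the code above only shows what the requested behaviour is.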