[Snort-users] ssh-tunnel between sensor and database-server

Skip Carter skip at ...1552...
Fri Aug 27 08:32:37 EDT 2004

> I have built an ssh-tunnel between my snort-sensor and my
> database-server and it seems to work.
> I'd like to control this with tcpdump and it shows something like
> this:
> 	"IP1".32817 > "IP2".22 
> 	"IP2".22 > "IP1".32817

> I expect port 3306 instead of 32817 and that confuses me.
> Can anyone explain to me why 32817 is used?
> Does ssh "hide" the source-port by using it?

    This just looks like the other end of your interactive session.

    I presume you are doing something like (from IP1):

    ssh -R 3306:IP2:3306 IP2

    If so, you should see on IP2 a service listening on IP2 at 3306 after you
    have authenticated. 'netstat -an' might be a more useful diagnostic to see if
    you got it working; tcpdump won't help until you start pushing data
    through it.


 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip at ...1552...
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
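
The check suggested in the reply above, as an added example that is not part of the original post: it reads `netstat -an` output for a listener on the forwarded port and reads tcpdump lines to confirm that only port 22 traffic, and nothing on 3306, crosses the wire between the two hosts. The sample output, the 192.0.2.x addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not from the original post).
# 192.0.2.10 stands in for IP1 (sensor), 192.0.2.20 for IP2 (database server).
NETSTAT_SAMPLE='tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.20:22           192.0.2.10:32817        ESTABLISHED'

TCPDUMP_SAMPLE='08:32:01.000001 IP 192.0.2.10.32817 > 192.0.2.20.22: Flags [P.], length 96
08:32:01.000200 IP 192.0.2.20.22 > 192.0.2.10.32817: Flags [.], length 0'

# listener_addrs PORT: read Linux-style "netstat -an" lines on stdin and print
# the local bind address of every LISTEN socket on PORT. The bind address shows
# whether the forwarded port is reachable only locally or from other hosts.
listener_addrs() {
  awk -v port="$1" '$NF == "LISTEN" {
    n = split($4, a, ":")
    if (a[n] == port) { sub(":" port "$", "", $4); print $4 }
  }'
}

# count_port_packets PORT: read "tcpdump -n" lines on stdin and print how many
# packets have PORT as source or destination port.
count_port_packets() {
  awk -v port="$1" '$2 == "IP" {
    src = $3; dst = $5
    sub(/:$/, "", dst)        # drop the trailing colon after the destination
    sub(/.*\./, "", src)      # keep only the port (text after the last dot)
    sub(/.*\./, "", dst)
    if (src == port || dst == port) c++
  } END { print c + 0 }'
}

# tunnel_status NETSTAT_TEXT TCPDUMP_TEXT PORT: combine both checks.
tunnel_status() {
  addrs=$(printf '%s\n' "$1" | listener_addrs "$3")
  clear=$(printf '%s\n' "$2" | count_port_packets "$3")
  ssh=$(printf '%s\n' "$2" | count_port_packets 22)
  if [ -z "$addrs" ]; then echo "no-listener"           # forward not set up
  elif [ "$clear" -gt 0 ]; then echo "cleartext-on-wire" # port seen outside ssh
  elif [ "$ssh" -gt 0 ]; then echo "only-ssh-on-wire"    # ephemeral port <-> 22 only
  else echo "listener-idle"; fi
}

tunnel_status "$NETSTAT_SAMPLE" "$TCPDUMP_SAMPLE" 3306
```

On a live host, pipe the real `netstat -an` and `tcpdump -n` output into the two helper functions instead of the constructed samples.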
