[Snort-users] snort-inline and iptables INPUT chain

Laurent Haond lhaond at ...13100...
Wed Mar 2 11:13:02 EST 2005


Laurent Haond wrote:

> ===================================================
>
>>
>> I will give it a try without --enable-flexresp...
>
>
> Still not working, compiling without flexresp...
>
> :-(
>
> Laurent
>
Here are tethereal captures:

ssh establishment WITHOUT snort-inline / queue:
Capturing on eth0
  0.000000  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=567646 TSER=0 WS=0
  0.000422  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=583170 TSER=567646 WS=0
  0.000456  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=567647 TSER=583170
  0.091878  192.168.0.2 -> 192.168.0.1  SSH Server Protocol: SSH-2.0-OpenSSH
  0.091892  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=25 Win=5840 Len=0 TSV=567656 TSER=583180
  0.091949  192.168.0.1 -> 192.168.0.2  SSH Client Protocol: SSH-2.0-OpenSSH
  0.092158  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=25 Ack=42 Win=5792 Len=0 TSV=583180 TSER=567656
  0.092166  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Key Exchange Init
  0.092429  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=25 Ack=650 Win=6688 Len=0 TSV=583180 TSER=567656
  0.096161  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Key Exchange Init
  0.096229  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Diffie-Hellman GEX Request
  0.112155  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Diffie-Hellman Key Exchange Reply
  0.113776  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Diffie-Hellman GEX Init
  0.150941  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=785 Ack=818 Win=7904 Len=0 TSV=583186 TSER=567658
  0.253657  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Diffie-Hellman GEX Reply
  0.255864  192.168.0.1 -> 192.168.0.2  SSHv2 Client: New Keys
  0.256059  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=1249 Ack=834 Win=7904 Len=0 TSV=583196 TSER=567672
  0.256068  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=48
  0.256240  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=1249 Ack=882 Win=7904 Len=0 TSV=583196 TSER=567672
  0.256615  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=48
  0.256922  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=64
  0.258581  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=80
  0.258646  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=528
  0.260759  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=80
  0.260799  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=96
  0.261335  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=80
  0.300461  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1570 Ack=1537 Win=7904 Len=0 TSV=567677 TSER=583197

ssh establishment WITH snort-inline / queue:
Capturing on eth0
  0.000000  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=599536 TSER=0 WS=0
  0.000557  192.168.0.2 -> 192.168.0.1  TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=615058 TSER=599536 WS=0
  0.000577  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=599536 TSER=615058
then nothing...

Regards

Laurent
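
Added example, not part of Laurent's post and not snort-inline code: a small Python parser for tethereal/tshark one-line-per-packet summaries like the two above. It reconstructs the TCP three-way handshake of the single flow in each capture and counts the data-carrying segments per direction, so the two traces can be compared mechanically: the first trace completes the handshake and exchanges data, the second completes the handshake and then carries no payload at all. The embedded inputs are excerpts of the two captures from the post; the verdict strings ('data exchanged', 'stalled after handshake', 'handshake incomplete') are labels chosen for this example. The script only reports where a trace stops; it does not identify which component (rule, QUEUE target, or snort-inline itself) is holding the first data segment.

```python
"""Compare tethereal one-line-per-packet summaries: did the TCP handshake
complete, and did any payload follow? Reads the SSH captures from the post."""
import re
from collections import defaultdict

# Sample input: excerpts of the two tethereal captures posted above
# (SSH session without, then with, snort-inline / QUEUE in the path).
CAPTURE_WITHOUT_QUEUE = """\
  0.000000  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=567646 TSER=0 WS=0
  0.000422  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=583170 TSER=567646 WS=0
  0.000456  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=567647 TSER=583170
  0.091878  192.168.0.2 -> 192.168.0.1  SSH Server Protocol: SSH-2.0-OpenSSH
  0.091892  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=25 Win=5840 Len=0 TSV=567656 TSER=583180
  0.091949  192.168.0.1 -> 192.168.0.2  SSH Client Protocol: SSH-2.0-OpenSSH
  0.092166  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Key Exchange Init
  0.096161  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Key Exchange Init
"""

CAPTURE_WITH_QUEUE = """\
  0.000000  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=599536 TSER=0 WS=0
  0.000557  192.168.0.2 -> 192.168.0.1  TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=615058 TSER=599536 WS=0
  0.000577  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=599536 TSER=615058
"""

LINE_RE = re.compile(r'^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+(?P<proto>\S+)\s*(?P<rest>.*)$')
PORTS_RE = re.compile(r'(?P<sport>\d+) > (?P<dport>\d+)')
FLAGS_RE = re.compile(r'\[(?P<flags>[^\]]*)\]')
LEN_RE = re.compile(r'\bLen=(?P<len>\d+)')


def parse_summary(text):
    """Yield one dict per packet line; payload=True when the segment carries data."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Capturing on eth0" and similar non-packet lines
        pkt = m.groupdict()
        pkt['t'] = float(pkt['t'])
        pkt['flags'] = set()
        pkt['sport'] = pkt['dport'] = None
        if pkt['proto'] == 'TCP':
            pm = PORTS_RE.search(pkt['rest'])
            if pm:
                pkt['sport'], pkt['dport'] = int(pm['sport']), int(pm['dport'])
            fm = FLAGS_RE.search(pkt['rest'])
            if fm:
                pkt['flags'] = {f.strip() for f in fm['flags'].split(',')}
            lm = LEN_RE.search(pkt['rest'])
            pkt['payload'] = bool(lm and int(lm['len']) > 0)
        else:
            # tethereal dissected an upper-layer protocol (SSH, SSHv2, ...):
            # the segment carried data even though the summary omits Len=.
            pkt['payload'] = True
        yield pkt


def analyze_flow(text):
    """Summarize the single TCP flow in a capture: handshake state and payload counts.

    Each capture here holds one flow, so packets are attributed by IP pair
    (tethereal's SSH summary lines do not repeat the TCP ports).
    """
    client = server = cport = sport = None
    handshake = {'syn': False, 'synack': False, 'ack': False}
    payload = defaultdict(int)  # (src, dst) -> number of data segments
    first_payload_sender = None
    for pkt in parse_summary(text):
        if pkt['flags'] == {'SYN'} and client is None:
            client, server = pkt['src'], pkt['dst']
            cport, sport = pkt['sport'], pkt['dport']
            handshake['syn'] = True
        elif pkt['flags'] == {'SYN', 'ACK'} and pkt['src'] == server:
            handshake['synack'] = True
        elif ('ACK' in pkt['flags'] and pkt['src'] == client
              and handshake['synack'] and not handshake['ack']):
            handshake['ack'] = True  # third packet of the handshake
        if pkt['payload']:
            payload[(pkt['src'], pkt['dst'])] += 1
            if first_payload_sender is None:
                first_payload_sender = pkt['src']
    complete = all(handshake.values())
    if not complete:
        verdict = 'handshake incomplete'
    elif sum(payload.values()) == 0:
        verdict = 'stalled after handshake'
    else:
        verdict = 'data exchanged'
    return {
        'client': client, 'server': server,
        'client_port': cport, 'server_port': sport,
        'handshake_complete': complete,
        'payload_segments': dict(payload),
        'first_payload_sender': first_payload_sender,
        'verdict': verdict,
    }


if __name__ == '__main__':
    for label, cap in (('without queue', CAPTURE_WITHOUT_QUEUE),
                       ('with queue', CAPTURE_WITH_QUEUE)):
        r = analyze_flow(cap)
        print(f"{label}: {r['client']}:{r['client_port']} -> {r['server']}:{r['server_port']} "
              f"handshake={r['handshake_complete']} payload={r['payload_segments']} -> {r['verdict']}")
```

Run against the full traces the result is the same: in the first capture the server (192.168.0.2) is the first host to send data (its SSH banner), in the second the handshake completes and no data segment is ever seen in either direction, which is the packet to look for in the QUEUE path.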
