[Snort-users] snort-inline and iptables INPUT chain

Laurent Haond lhaond at ...13100...
Wed Mar 2 11:19:06 EST 2005


Will Metcalf wrote:

>If you start snort with 
>
>snort -Q -v -c /etc/snort/snort.conf 
>
>do you see any traffic?
>
>Regards,
>
>Will
>
>  
>
Sure, I see some traffic:

Here are tethereal captures (done on 192.168.0.2, which is the ssh client,
with NO firewall):

=> case 1:
ssh session establishment WITHOUT snort-inline / queue:
Capturing on eth0
 0.000000  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [SYN] Seq=0 Ack=0 
Win=5840 Len=0 MSS=1460 TSV=567646 TSER=0 WS=0
 0.000422  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [SYN, ACK] Seq=0 
Ack=1 Win=5792 Len=0 MSS=1460 TSV=583170 TSER=567646 WS=0
 0.000456  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=1 
Win=5840 Len=0 TSV=567647 TSER=583170
 0.091878  192.168.0.2 -> 192.168.0.1  SSH Server Protocol: SSH-2.0-OpenSSH
 0.091892  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=25 
Win=5840 Len=0 TSV=567656 TSER=583180
 0.091949  192.168.0.1 -> 192.168.0.2  SSH Client Protocol: SSH-2.0-OpenSSH
 0.092158  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=25 
Ack=42 Win=5792 Len=0 TSV=583180 TSER=567656
 0.092166  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Key Exchange Init
 0.092429  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=25 
Ack=650 Win=6688 Len=0 TSV=583180 TSER=567656
 0.096161  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Key Exchange Init
 0.096229  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Diffie-Hellman GEX 
Request
 0.112155  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Diffie-Hellman Key 
Exchange Reply
 0.113776  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Diffie-Hellman GEX 
Init
 0.150941  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=785 
Ack=818 Win=7904 Len=0 TSV=583186 TSER=567658
 0.253657  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Diffie-Hellman GEX 
Reply
 0.255864  192.168.0.1 -> 192.168.0.2  SSHv2 Client: New Keys
 0.256059  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=1249 
Ack=834 Win=7904 Len=0 TSV=583196 TSER=567672
 0.256068  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet 
len=48
 0.256240  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=1249 
Ack=882 Win=7904 Len=0 TSV=583196 TSER=567672
 0.256615  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet 
len=48
 0.256922  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet 
len=64
 0.258581  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet 
len=80
 0.258646  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet 
len=528
 0.260759  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet 
len=80
 0.260799  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet 
len=96
 0.261335  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet 
len=80
 0.300461  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1570 
Ack=1537 Win=7904 Len=0 TSV=567677 TSER=583197
So OK, it works normally...

=> case 2:
ssh session establishment WITH snort-inline / queue:
Capturing on eth0
 0.000000  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [SYN] Seq=0 Ack=0 
Win=5840 Len=0 MSS=1460 TSV=599536 TSER=0 WS=0
 0.000557  192.168.0.2 -> 192.168.0.1  TCP 22 > 32862 [SYN, ACK] Seq=0 
Ack=1 Win=5792 Len=0 MSS=1460 TSV=615058 TSER=599536 WS=0
 0.000577  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [ACK] Seq=1 Ack=1 
Win=5840 Len=0 TSV=599536 TSER=615058
Then nothing more is received...

But on 192.168.0.1 (the snort box, using snort -Q -v -c /etc/snort/snort.conf)
I see traffic from 192.168.0.2:22 -> 192.168.0.1:32862 after that...
But this traffic is never received by 192.168.0.1!!

Regards
Laurent
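A small check a defender could run over captures like the two above, written as an added example for this thread (not Laurent's code and not part of snort-inline): it parses tethereal's one-packet-per-line text output (wrapped lines rejoined; the sample lines below are constructed from the post) and reports, per host pair, whether the connection got past the three-way handshake, which is exactly what separates case 1 from case 2.

```python
"""Flag TCP flows in a tethereal text capture that complete the three-way
handshake and then go silent (the case 2 symptom in the snort-inline thread)."""
import re

# Constructed samples modelled on the post's output (wrapped lines rejoined,
# trailing MSS/TSV fields dropped). Case 1 continues after the handshake;
# case 2 stops right after the client's final ACK.
CASE_NO_INLINE = """\
 0.000000  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0
 0.000422  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
 0.000456  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0
 0.091878  192.168.0.2 -> 192.168.0.1  SSH Server Protocol: SSH-2.0-OpenSSH
 0.091949  192.168.0.1 -> 192.168.0.2  SSH Client Protocol: SSH-2.0-OpenSSH
"""
CASE_INLINE = """\
 0.000000  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0
 0.000557  192.168.0.2 -> 192.168.0.1  TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
 0.000577  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0
"""

# "<time>  <src> -> <dst>  <proto> <rest>"; the SSH lines carry no ports,
# so flows are keyed on the sorted IP pair rather than on the 4-tuple.
LINE_RE = re.compile(r"^\s*(\d+\.\d+)\s+([\d.]+) -> ([\d.]+)\s+(\S+)\s+(.*)$")
FLAGS_RE = re.compile(r"\[([^\]]*)\]")


def diagnose_flows(capture_text):
    """Return {(ip_a, ip_b): 'ok' | 'handshake-only' | 'incomplete'}."""
    flows = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip "Capturing on eth0" and any prose
        _t, src, dst, proto, rest = m.groups()
        st = flows.setdefault(tuple(sorted((src, dst))), {"stage": 0, "after": 0})
        fl = FLAGS_RE.search(rest)
        flags = {f.strip() for f in fl.group(1).split(",")} if fl else set()
        if st["stage"] == 0 and proto == "TCP" and flags == {"SYN"}:
            st["stage"] = 1          # client SYN
        elif st["stage"] == 1 and flags == {"SYN", "ACK"}:
            st["stage"] = 2          # server SYN/ACK
        elif st["stage"] == 2 and flags == {"ACK"}:
            st["stage"] = 3          # handshake complete
        elif st["stage"] == 3:
            st["after"] += 1         # any later packet means the flow progressed
    return {k: ("incomplete" if s["stage"] < 3 else "ok" if s["after"] else "handshake-only")
            for k, s in flows.items()}
```

A 'handshake-only' verdict on the client side, while the inline box still logs server packets for that flow, points at the post-handshake packets being dropped between the queue and the wire rather than at the SSH daemon.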




