[Snort-users] Seeking promiscuity, finding only fidelity: frustration reigns ...

Russ Combs rcombs at ...1935...
Tue Apr 23 11:19:24 EDT 2013


Yes, Snort is having the same problem as Wireshark.  There is an unknown
12-byte header at the start of the packet that is throwing things off.
Also, the snaplen needs to be increased to at least 1530.  Suggest 0 (max).

On Mon, Apr 22, 2013 at 6:48 PM, Eric Fowler <eric.fowler at ...11827...> wrote:

> I should say I have noticed that my wireshark pcaps have a lot of packets
> that are marked 'Ethernet unknown' and the IP addresses are buried in them.
> So the wireless packets are being capped as ethernet packets and some other
> layer is not able to figure them out and deal with the headers & all.
>
> Eric
>
>
> On Mon, Apr 22, 2013 at 3:18 PM, Russ Combs <rcombs at ...1935...> wrote:
>
>>
>>
>> On Mon, Apr 22, 2013 at 6:14 PM, Eric Fowler <eric.fowler at ...11827...>wrote:
>>
>>> Hm, I attached one. It was probably stripped by the mailer.
>>>
>>> Am I capturing the pcap correctly? I will try to figure out how to get
>>> it through mail
>>>
>>
>> Yes
>>
>>>
>>> Eric
>>>
>>>
>>> On Mon, Apr 22, 2013 at 3:12 PM, Russ Combs <rcombs at ...1935...>wrote:
>>>
>>>> No attachment.  You can use Snort.  Or you can use Wireshark.  If you
>>>> want to look at the pcap, I highly recommend getting Wireshark now.
>>>>
>>>>
>>>> On Mon, Apr 22, 2013 at 6:09 PM, Eric Fowler <eric.fowler at ...11827...>wrote:
>>>>
>>>>> Hope this is what you are looking for. I got it with snort -k none -n
>>>>> 400 -l <path>
>>>>>
>>>>> If not tell me how to capture.
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>> On Mon, Apr 22, 2013 at 2:58 PM, Russ Combs <rcombs at ...1935...>wrote:
>>>>>
>>>>>> Can you send a pcap of that UDP / other traffic?
>>>>>>
>>>>>>
>>>>>> On Mon, Apr 22, 2013 at 5:50 PM, Eric Fowler <eric.fowler at ...11827...>wrote:
>>>>>>
>>>>>>> Here is shutdown stuff (generated by snort -n 100 -k) w/out my app
>>>>>>> generating a lot of UDP traffic, takes ~10 seconds to gather 100 packets:
>>>>>>>
>>>>>>> [root at ...274... rules]# snort -n 100 -k none
>>>>>>> Running in packet dump mode
>>>>>>>
>>>>>>>         --== Initializing Snort ==--
>>>>>>> Initializing Output Plugins!
>>>>>>> pcap DAQ configured to passive.
>>>>>>> Acquiring network traffic from "wlan0".
>>>>>>> Decoding Ethernet
>>>>>>>
>>>>>>>         --== Initialization Complete ==--
>>>>>>>
>>>>>>>    ,,_     -*> Snort! <*-
>>>>>>>   o"  )~   Version 2.9.4.5 GRE (Build 71)
>>>>>>>    ''''    By Martin Roesch & The Snort Team:
>>>>>>> http://www.snort.org/snort/snort-team
>>>>>>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>>>>>            Using libpcap version 1.3.0
>>>>>>>            Using PCRE version: 8.31 2012-07-06
>>>>>>>            Using ZLIB version: 1.2.7
>>>>>>>
>>>>>>> Commencing packet processing (pid=21743)
>>>>>>> 04/22-14:46:05.942809 fe80::cad7:19ff:fe79:d19f -> ff02::1
>>>>>>>
>>>>>>>
>>>>>>> <...deletia..>
>>>>>>>
>>>>>>>
>>>>>>> ===============================================================================
>>>>>>> Run time for packet processing was 11.21033 seconds
>>>>>>> Snort processed 100 packets.
>>>>>>> Snort ran for 0 days 0 hours 0 minutes 11 seconds
>>>>>>>    Pkts/sec:            9
>>>>>>>
>>>>>>> ===============================================================================
>>>>>>> Packet I/O Totals:
>>>>>>>    Received:          100
>>>>>>>    Analyzed:          100 (100.000%)
>>>>>>>     Dropped:            0 (  0.000%)
>>>>>>>    Filtered:            0 (  0.000%)
>>>>>>> Outstanding:            0 (  0.000%)
>>>>>>>    Injected:            0
>>>>>>>
>>>>>>> ===============================================================================
>>>>>>> Breakdown by protocol (includes rebuilt packets):
>>>>>>>         Eth:          100 (100.000%)
>>>>>>>        VLAN:            0 (  0.000%)
>>>>>>>         IP4:           71 ( 71.000%)
>>>>>>>        Frag:            0 (  0.000%)
>>>>>>>        ICMP:            1 (  1.000%)
>>>>>>>         UDP:            0 (  0.000%)
>>>>>>>         TCP:           70 ( 70.000%)
>>>>>>>         IP6:            1 (  1.000%)
>>>>>>>     IP6 Ext:            1 (  1.000%)
>>>>>>>    IP6 Opts:            0 (  0.000%)
>>>>>>>       Frag6:            0 (  0.000%)
>>>>>>>       ICMP6:            1 (  1.000%)
>>>>>>>        UDP6:            0 (  0.000%)
>>>>>>>        TCP6:            0 (  0.000%)
>>>>>>>      Teredo:            0 (  0.000%)
>>>>>>>     ICMP-IP:            0 (  0.000%)
>>>>>>>     IP4/IP4:            0 (  0.000%)
>>>>>>>     IP4/IP6:            0 (  0.000%)
>>>>>>>     IP6/IP4:            0 (  0.000%)
>>>>>>>     IP6/IP6:            0 (  0.000%)
>>>>>>>         GRE:            0 (  0.000%)
>>>>>>>     GRE Eth:            0 (  0.000%)
>>>>>>>    GRE VLAN:            0 (  0.000%)
>>>>>>>     GRE IP4:            0 (  0.000%)
>>>>>>>     GRE IP6:            0 (  0.000%)
>>>>>>> GRE IP6 Ext:            0 (  0.000%)
>>>>>>>    GRE PPTP:            0 (  0.000%)
>>>>>>>     GRE ARP:            0 (  0.000%)
>>>>>>>     GRE IPX:            0 (  0.000%)
>>>>>>>    GRE Loop:            0 (  0.000%)
>>>>>>>        MPLS:            0 (  0.000%)
>>>>>>>         ARP:            0 (  0.000%)
>>>>>>>         IPX:            0 (  0.000%)
>>>>>>>    Eth Loop:            0 (  0.000%)
>>>>>>>    Eth Disc:            0 (  0.000%)
>>>>>>>    IP4 Disc:            0 (  0.000%)
>>>>>>>    IP6 Disc:            0 (  0.000%)
>>>>>>>    TCP Disc:            0 (  0.000%)
>>>>>>>    UDP Disc:            0 (  0.000%)
>>>>>>>   ICMP Disc:            0 (  0.000%)
>>>>>>> All Discard:            0 (  0.000%)
>>>>>>>       Other:           28 ( 28.000%)
>>>>>>> Bad Chk Sum:            0 (  0.000%)
>>>>>>>     Bad TTL:            0 (  0.000%)
>>>>>>>      S5 G 1:            0 (  0.000%)
>>>>>>>      S5 G 2:            0 (  0.000%)
>>>>>>>       Total:          100
>>>>>>>
>>>>>>> ===============================================================================
>>>>>>> Snort exiting
>>>>>>>
>>>>>>> Same command, lots of UDP traffic, much faster process. Seems they
>>>>>>> are all ending up in the 'ethernet/other' bucket.
>>>>>>>
>>>>>>> [root at ...274... rules]# snort -n 100 -k none
>>>>>>> Running in packet dump mode
>>>>>>>
>>>>>>>         --== Initializing Snort ==--
>>>>>>> Initializing Output Plugins!
>>>>>>> pcap DAQ configured to passive.
>>>>>>> Acquiring network traffic from "wlan0".
>>>>>>> Decoding Ethernet
>>>>>>>
>>>>>>>         --== Initialization Complete ==--
>>>>>>>
>>>>>>>    ,,_     -*> Snort! <*-
>>>>>>>   o"  )~   Version 2.9.4.5 GRE (Build 71)
>>>>>>>    ''''    By Martin Roesch & The Snort Team:
>>>>>>> http://www.snort.org/snort/snort-team
>>>>>>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>>>>>            Using libpcap version 1.3.0
>>>>>>>            Using PCRE version: 8.31 2012-07-06
>>>>>>>            Using ZLIB version: 1.2.7
>>>>>>>
>>>>>>> Commencing packet processing (pid=21677)
>>>>>>>
>>>>>>> ===============================================================================
>>>>>>> Run time for packet processing was 4.463474 seconds
>>>>>>> Snort processed 100 packets.
>>>>>>> Snort ran for 0 days 0 hours 0 minutes 4 seconds
>>>>>>>    Pkts/sec:           25
>>>>>>>
>>>>>>> ===============================================================================
>>>>>>> Packet I/O Totals:
>>>>>>>    Received:          100
>>>>>>>    Analyzed:          100 (100.000%)
>>>>>>>     Dropped:            0 (  0.000%)
>>>>>>>    Filtered:            0 (  0.000%)
>>>>>>> Outstanding:            0 (  0.000%)
>>>>>>>    Injected:            0
>>>>>>>
>>>>>>> ===============================================================================
>>>>>>> Breakdown by protocol (includes rebuilt packets):
>>>>>>>         Eth:          100 (100.000%)
>>>>>>>        VLAN:            0 (  0.000%)
>>>>>>>         IP4:            0 (  0.000%)
>>>>>>>        Frag:            0 (  0.000%)
>>>>>>>        ICMP:            0 (  0.000%)
>>>>>>>         UDP:            0 (  0.000%)
>>>>>>>         TCP:            0 (  0.000%)
>>>>>>>         IP6:            0 (  0.000%)
>>>>>>>     IP6 Ext:            0 (  0.000%)
>>>>>>>    IP6 Opts:            0 (  0.000%)
>>>>>>>       Frag6:            0 (  0.000%)
>>>>>>>       ICMP6:            0 (  0.000%)
>>>>>>>        UDP6:            0 (  0.000%)
>>>>>>>        TCP6:            0 (  0.000%)
>>>>>>>      Teredo:            0 (  0.000%)
>>>>>>>     ICMP-IP:            0 (  0.000%)
>>>>>>>     IP4/IP4:            0 (  0.000%)
>>>>>>>     IP4/IP6:            0 (  0.000%)
>>>>>>>     IP6/IP4:            0 (  0.000%)
>>>>>>>     IP6/IP6:            0 (  0.000%)
>>>>>>>         GRE:            0 (  0.000%)
>>>>>>>     GRE Eth:            0 (  0.000%)
>>>>>>>    GRE VLAN:            0 (  0.000%)
>>>>>>>     GRE IP4:            0 (  0.000%)
>>>>>>>     GRE IP6:            0 (  0.000%)
>>>>>>> GRE IP6 Ext:            0 (  0.000%)
>>>>>>>    GRE PPTP:            0 (  0.000%)
>>>>>>>     GRE ARP:            0 (  0.000%)
>>>>>>>     GRE IPX:            0 (  0.000%)
>>>>>>>    GRE Loop:            0 (  0.000%)
>>>>>>>        MPLS:            0 (  0.000%)
>>>>>>>         ARP:            0 (  0.000%)
>>>>>>>         IPX:            0 (  0.000%)
>>>>>>>    Eth Loop:            0 (  0.000%)
>>>>>>>    Eth Disc:            0 (  0.000%)
>>>>>>>    IP4 Disc:            0 (  0.000%)
>>>>>>>    IP6 Disc:            0 (  0.000%)
>>>>>>>    TCP Disc:            0 (  0.000%)
>>>>>>>    UDP Disc:            0 (  0.000%)
>>>>>>>   ICMP Disc:            0 (  0.000%)
>>>>>>> All Discard:            0 (  0.000%)
>>>>>>>       Other:          100 (100.000%)
>>>>>>> Bad Chk Sum:            0 (  0.000%)
>>>>>>>     Bad TTL:            0 (  0.000%)
>>>>>>>      S5 G 1:            0 (  0.000%)
>>>>>>>      S5 G 2:            0 (  0.000%)
>>>>>>>       Total:          100
>>>>>>>
>>>>>>> ===============================================================================
>>>>>>> Snort exiting
>>>>>>> [root at ...274... rules]#
>>>>>>>
>>>>>>> So at this point I need to know how to look at payloads for those
>>>>>>> bucketed packets. The hardware, it seems, is doing what I want it to.
>>>>>>>
>>>>>>> Eric
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 22, 2013 at 2:30 PM, Russ Combs <rcombs at ...1935...>wrote:
>>>>>>>
>>>>>>>> Lots of possibilities.  Can you send shutdown or usr1 stats?
>>>>>>>>  Checksums?  Did you try snort -k none?
>>>>>>>>
>>>>>>>> On Mon, Apr 22, 2013 at 4:51 PM, Eric Fowler <eric.fowler at ...11827...
>>>>>>>> > wrote:
>>>>>>>>
>>>>>>>>> Story of my life ...
>>>>>>>>>
>>>>>>>>> I have a USB netcard that is in promiscuous mode - ifconfig says
>>>>>>>>> it is promiscuous, and I can use Wireshark to inspect packets that are sent
>>>>>>>>> between third parties (i.e. not the machine Wireshark/Snort is running on).
>>>>>>>>> I am able to flood the network with UDP traffic of known profile. Wireshark
>>>>>>>>> sees it. Snort does not.
>>>>>>>>>
>>>>>>>>> I have written a simple rule to catch all UDP traffic. It does see
>>>>>>>>> some packets but all are local.
>>>>>>>>>
>>>>>>>>> What is going wrong?
>>>>>>>>>
>>>>>>>>> Help a lonely nerd find satisfaction, if only for tonight ....
>>>>>>>>>
>>>>>>>>> Eric
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
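An added illustration, not code from this thread or from Snort itself: a short Python script showing why a frame with 12 unknown bytes in front of its Ethernet header is counted as "Other" (the EtherType field is read from the wrong offset), how a capture can be probed for such a prefix, and why the snaplen must grow by the prefix length. The sample frame is constructed, and the 1518-byte maximum Ethernet frame is an assumption that, with the 12-byte prefix, gives the 1530 figure from the reply at the top.

```python
import struct

# EtherTypes a plain Ethernet decoder recognises (subset, for illustration)
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "VLAN"}
ETH_HDR_LEN = 14
MAX_ETH_FRAME = 1518   # assumption: largest untagged Ethernet frame incl. FCS
UNKNOWN_PREFIX = 12    # prefix length diagnosed in the thread


def ethertype_at(frame, offset):
    """EtherType of an Ethernet header assumed to start at `offset`, or None if short."""
    if len(frame) < offset + ETH_HDR_LEN:
        return None
    return struct.unpack("!H", frame[offset + 12:offset + 14])[0]


def classify(frame, prefix=0):
    """Mimic a decoder that expects Ethernet at `prefix`: protocol name or 'Other'."""
    return ETHERTYPES.get(ethertype_at(frame, prefix), "Other")


def find_prefix(frame, max_prefix=32):
    """Smallest offset at which a recognised EtherType appears, or None."""
    for off in range(max_prefix + 1):
        if ethertype_at(frame, off) in ETHERTYPES:
            return off
    return None


def required_snaplen(prefix, max_frame=MAX_ETH_FRAME):
    """Snaplen needed so the extra header does not truncate a full-size frame."""
    return prefix + max_frame


def build_sample():
    """Constructed frame: 12 arbitrary prefix bytes, Ethernet header (IPv4), minimal IPv4 header."""
    prefix = bytes(range(UNKNOWN_PREFIX))                    # constructed, not a real radiotap/driver header
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    ip = bytes.fromhex("4500001400010000401100000a0000010a000002")  # 20-byte IPv4 header, UDP, 10.0.0.1 -> 10.0.0.2
    return prefix + eth + ip


if __name__ == "__main__":
    f = build_sample()
    print("decoder at offset 0 :", classify(f))                     # Other
    print("decoder at offset 12:", classify(f, UNKNOWN_PREFIX))     # IPv4
    print("detected prefix     :", find_prefix(f))                  # 12
    print("snaplen needed      :", required_snaplen(UNKNOWN_PREFIX))  # 1530
```

Running the scan over a handful of frames from a capture that shows "Ethernet unknown" in Wireshark gives a quick check of whether a fixed-size prefix is present before changing the DAQ or snaplen settings.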