[Snort-users] Seeking promiscuity, finding only fidelity: frustration reigns ...

Eric Fowler eric.fowler at ...11827...
Tue Apr 23 12:16:30 EDT 2013


So I have found some info on this problem. It seems that the driver or
adapter is messing with the wireless ethernet headers in some way that
snort does not understand.

Assuming I can't reconfigure the driver or adapter, is there some way I can
configure snort (or wireshark) to correctly interpret those headers?

Eric


On Tue, Apr 23, 2013 at 8:19 AM, Russ Combs <rcombs at ...1935...> wrote:

> Yes, Snort is having the same problem as Wireshark.  There is an unknown
> 12-byte header at the start of the packet that is throwing things off.
> Also, the snaplen needs to be increased to at least 1530.  Suggest 0 (max).
>
>
> On Mon, Apr 22, 2013 at 6:48 PM, Eric Fowler <eric.fowler at ...11827...>wrote:
>
>> I should say I have noticed that my wireshark pcaps have a lot of packets
>> that are marked 'Ethernet unknown' and the IP addresses are buried in them.
>> So the wireless packets are being capped as ethernet packets and some other
>> layer is not able to figure them out and deal with the headers & all.
>>
>> Eric
>>
>>
>> On Mon, Apr 22, 2013 at 3:18 PM, Russ Combs <rcombs at ...1935...>wrote:
>>
>>>
>>>
>>> On Mon, Apr 22, 2013 at 6:14 PM, Eric Fowler <eric.fowler at ...11827...>wrote:
>>>
>>>> Hm, I attached one. It was probably stripped by the mailer.
>>>>
>>>> Am I capturing the pcap correctly? I will try to figure out how to get
>>>> it through mail
>>>>
>>>
>>> Yes
>>>
>>>>
>>>> Eric
>>>>
>>>>
>>>> On Mon, Apr 22, 2013 at 3:12 PM, Russ Combs <rcombs at ...1935...>wrote:
>>>>
>>>>> No attachment.  You can use Snort.  Or you can use Wireshark.  If you
>>>>> want to look at the pcap, I highly recommend getting Wireshark now.
>>>>>
>>>>>
>>>>> On Mon, Apr 22, 2013 at 6:09 PM, Eric Fowler <eric.fowler at ...11827...>wrote:
>>>>>
>>>>>> Hope this is what you are looking for. I got it with snort -k none -n
>>>>>> 400 -l <path>
>>>>>>
>>>>>> If not tell me how to capture.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>> On Mon, Apr 22, 2013 at 2:58 PM, Russ Combs <rcombs at ...1935...>wrote:
>>>>>>
>>>>>>> Can you send a pcap of that UDP / other traffic?
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 22, 2013 at 5:50 PM, Eric Fowler <eric.fowler at ...11827...>wrote:
>>>>>>>
>>>>>>>> Here is shutdown stuff (generated by snort -n 100 -k) w/out my app
>>>>>>>> generating a lot of UDP traffic, takes ~10 seconds to gather 100 packets:
>>>>>>>>
>>>>>>>> [root at ...274... rules]# snort -n 100 -k none
>>>>>>>> Running in packet dump mode
>>>>>>>>
>>>>>>>>         --== Initializing Snort ==--
>>>>>>>> Initializing Output Plugins!
>>>>>>>> pcap DAQ configured to passive.
>>>>>>>> Acquiring network traffic from "wlan0".
>>>>>>>> Decoding Ethernet
>>>>>>>>
>>>>>>>>         --== Initialization Complete ==--
>>>>>>>>
>>>>>>>>    ,,_     -*> Snort! <*-
>>>>>>>>   o"  )~   Version 2.9.4.5 GRE (Build 71)
>>>>>>>>    ''''    By Martin Roesch & The Snort Team:
>>>>>>>> http://www.snort.org/snort/snort-team
>>>>>>>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>>>>>>            Using libpcap version 1.3.0
>>>>>>>>            Using PCRE version: 8.31 2012-07-06
>>>>>>>>            Using ZLIB version: 1.2.7
>>>>>>>>
>>>>>>>> Commencing packet processing (pid=21743)
>>>>>>>> 04/22-14:46:05.942809 fe80::cad7:19ff:fe79:d19f -> ff02::1
>>>>>>>>
>>>>>>>>
>>>>>>>> <...deletia..>
>>>>>>>>
>>>>>>>>
>>>>>>>> ===============================================================================
>>>>>>>> Run time for packet processing was 11.21033 seconds
>>>>>>>> Snort processed 100 packets.
>>>>>>>> Snort ran for 0 days 0 hours 0 minutes 11 seconds
>>>>>>>>    Pkts/sec:            9
>>>>>>>>
>>>>>>>> ===============================================================================
>>>>>>>> Packet I/O Totals:
>>>>>>>>    Received:          100
>>>>>>>>    Analyzed:          100 (100.000%)
>>>>>>>>     Dropped:            0 (  0.000%)
>>>>>>>>    Filtered:            0 (  0.000%)
>>>>>>>> Outstanding:            0 (  0.000%)
>>>>>>>>    Injected:            0
>>>>>>>>
>>>>>>>> ===============================================================================
>>>>>>>> Breakdown by protocol (includes rebuilt packets):
>>>>>>>>         Eth:          100 (100.000%)
>>>>>>>>        VLAN:            0 (  0.000%)
>>>>>>>>         IP4:           71 ( 71.000%)
>>>>>>>>        Frag:            0 (  0.000%)
>>>>>>>>        ICMP:            1 (  1.000%)
>>>>>>>>         UDP:            0 (  0.000%)
>>>>>>>>         TCP:           70 ( 70.000%)
>>>>>>>>         IP6:            1 (  1.000%)
>>>>>>>>     IP6 Ext:            1 (  1.000%)
>>>>>>>>    IP6 Opts:            0 (  0.000%)
>>>>>>>>       Frag6:            0 (  0.000%)
>>>>>>>>       ICMP6:            1 (  1.000%)
>>>>>>>>        UDP6:            0 (  0.000%)
>>>>>>>>        TCP6:            0 (  0.000%)
>>>>>>>>      Teredo:            0 (  0.000%)
>>>>>>>>     ICMP-IP:            0 (  0.000%)
>>>>>>>>     IP4/IP4:            0 (  0.000%)
>>>>>>>>     IP4/IP6:            0 (  0.000%)
>>>>>>>>     IP6/IP4:            0 (  0.000%)
>>>>>>>>     IP6/IP6:            0 (  0.000%)
>>>>>>>>         GRE:            0 (  0.000%)
>>>>>>>>     GRE Eth:            0 (  0.000%)
>>>>>>>>    GRE VLAN:            0 (  0.000%)
>>>>>>>>     GRE IP4:            0 (  0.000%)
>>>>>>>>     GRE IP6:            0 (  0.000%)
>>>>>>>> GRE IP6 Ext:            0 (  0.000%)
>>>>>>>>    GRE PPTP:            0 (  0.000%)
>>>>>>>>     GRE ARP:            0 (  0.000%)
>>>>>>>>     GRE IPX:            0 (  0.000%)
>>>>>>>>    GRE Loop:            0 (  0.000%)
>>>>>>>>        MPLS:            0 (  0.000%)
>>>>>>>>         ARP:            0 (  0.000%)
>>>>>>>>         IPX:            0 (  0.000%)
>>>>>>>>    Eth Loop:            0 (  0.000%)
>>>>>>>>    Eth Disc:            0 (  0.000%)
>>>>>>>>    IP4 Disc:            0 (  0.000%)
>>>>>>>>    IP6 Disc:            0 (  0.000%)
>>>>>>>>    TCP Disc:            0 (  0.000%)
>>>>>>>>    UDP Disc:            0 (  0.000%)
>>>>>>>>   ICMP Disc:            0 (  0.000%)
>>>>>>>> All Discard:            0 (  0.000%)
>>>>>>>>       Other:           28 ( 28.000%)
>>>>>>>> Bad Chk Sum:            0 (  0.000%)
>>>>>>>>     Bad TTL:            0 (  0.000%)
>>>>>>>>      S5 G 1:            0 (  0.000%)
>>>>>>>>      S5 G 2:            0 (  0.000%)
>>>>>>>>       Total:          100
>>>>>>>>
>>>>>>>> ===============================================================================
>>>>>>>> Snort exiting
>>>>>>>>
>>>>>>>> Same command, lots of UDP traffic, much faster process. Seems they
>>>>>>>> are all ending up in the 'ethernet/other' bucket.
>>>>>>>>
>>>>>>>> [root at ...274... rules]# snort -n 100 -k none
>>>>>>>> Running in packet dump mode
>>>>>>>>
>>>>>>>>         --== Initializing Snort ==--
>>>>>>>> Initializing Output Plugins!
>>>>>>>> pcap DAQ configured to passive.
>>>>>>>> Acquiring network traffic from "wlan0".
>>>>>>>> Decoding Ethernet
>>>>>>>>
>>>>>>>>         --== Initialization Complete ==--
>>>>>>>>
>>>>>>>>    ,,_     -*> Snort! <*-
>>>>>>>>   o"  )~   Version 2.9.4.5 GRE (Build 71)
>>>>>>>>    ''''    By Martin Roesch & The Snort Team:
>>>>>>>> http://www.snort.org/snort/snort-team
>>>>>>>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>>>>>>            Using libpcap version 1.3.0
>>>>>>>>            Using PCRE version: 8.31 2012-07-06
>>>>>>>>            Using ZLIB version: 1.2.7
>>>>>>>>
>>>>>>>> Commencing packet processing (pid=21677)
>>>>>>>>
>>>>>>>> ===============================================================================
>>>>>>>> Run time for packet processing was 4.463474 seconds
>>>>>>>> Snort processed 100 packets.
>>>>>>>> Snort ran for 0 days 0 hours 0 minutes 4 seconds
>>>>>>>>    Pkts/sec:           25
>>>>>>>>
>>>>>>>> ===============================================================================
>>>>>>>> Packet I/O Totals:
>>>>>>>>    Received:          100
>>>>>>>>    Analyzed:          100 (100.000%)
>>>>>>>>     Dropped:            0 (  0.000%)
>>>>>>>>    Filtered:            0 (  0.000%)
>>>>>>>> Outstanding:            0 (  0.000%)
>>>>>>>>    Injected:            0
>>>>>>>>
>>>>>>>> ===============================================================================
>>>>>>>> Breakdown by protocol (includes rebuilt packets):
>>>>>>>>         Eth:          100 (100.000%)
>>>>>>>>        VLAN:            0 (  0.000%)
>>>>>>>>         IP4:            0 (  0.000%)
>>>>>>>>        Frag:            0 (  0.000%)
>>>>>>>>        ICMP:            0 (  0.000%)
>>>>>>>>         UDP:            0 (  0.000%)
>>>>>>>>         TCP:            0 (  0.000%)
>>>>>>>>         IP6:            0 (  0.000%)
>>>>>>>>     IP6 Ext:            0 (  0.000%)
>>>>>>>>    IP6 Opts:            0 (  0.000%)
>>>>>>>>       Frag6:            0 (  0.000%)
>>>>>>>>       ICMP6:            0 (  0.000%)
>>>>>>>>        UDP6:            0 (  0.000%)
>>>>>>>>        TCP6:            0 (  0.000%)
>>>>>>>>      Teredo:            0 (  0.000%)
>>>>>>>>     ICMP-IP:            0 (  0.000%)
>>>>>>>>     IP4/IP4:            0 (  0.000%)
>>>>>>>>     IP4/IP6:            0 (  0.000%)
>>>>>>>>     IP6/IP4:            0 (  0.000%)
>>>>>>>>     IP6/IP6:            0 (  0.000%)
>>>>>>>>         GRE:            0 (  0.000%)
>>>>>>>>     GRE Eth:            0 (  0.000%)
>>>>>>>>    GRE VLAN:            0 (  0.000%)
>>>>>>>>     GRE IP4:            0 (  0.000%)
>>>>>>>>     GRE IP6:            0 (  0.000%)
>>>>>>>> GRE IP6 Ext:            0 (  0.000%)
>>>>>>>>    GRE PPTP:            0 (  0.000%)
>>>>>>>>     GRE ARP:            0 (  0.000%)
>>>>>>>>     GRE IPX:            0 (  0.000%)
>>>>>>>>    GRE Loop:            0 (  0.000%)
>>>>>>>>        MPLS:            0 (  0.000%)
>>>>>>>>         ARP:            0 (  0.000%)
>>>>>>>>         IPX:            0 (  0.000%)
>>>>>>>>    Eth Loop:            0 (  0.000%)
>>>>>>>>    Eth Disc:            0 (  0.000%)
>>>>>>>>    IP4 Disc:            0 (  0.000%)
>>>>>>>>    IP6 Disc:            0 (  0.000%)
>>>>>>>>    TCP Disc:            0 (  0.000%)
>>>>>>>>    UDP Disc:            0 (  0.000%)
>>>>>>>>   ICMP Disc:            0 (  0.000%)
>>>>>>>> All Discard:            0 (  0.000%)
>>>>>>>>       Other:          100 (100.000%)
>>>>>>>> Bad Chk Sum:            0 (  0.000%)
>>>>>>>>     Bad TTL:            0 (  0.000%)
>>>>>>>>      S5 G 1:            0 (  0.000%)
>>>>>>>>      S5 G 2:            0 (  0.000%)
>>>>>>>>       Total:          100
>>>>>>>>
>>>>>>>> ===============================================================================
>>>>>>>> Snort exiting
>>>>>>>> [root at ...274... rules]#
>>>>>>>>
>>>>>>>> So at this point I need to know how to look at payloads for those
>>>>>>>> bucketed packets. The hardware, it seems, is doing what I want it to.
>>>>>>>>
>>>>>>>> Eric
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Apr 22, 2013 at 2:30 PM, Russ Combs <rcombs at ...1935...>wrote:
>>>>>>>>
>>>>>>>>> Lots of possibilities.  Can you send shutdown or usr1 stats?
>>>>>>>>>  Checksums?  Did you try snort -k none?
>>>>>>>>>
>>>>>>>>> On Mon, Apr 22, 2013 at 4:51 PM, Eric Fowler <
>>>>>>>>> eric.fowler at ...11827...> wrote:
>>>>>>>>>
>>>>>>>>>> Story of my life ...
>>>>>>>>>>
>>>>>>>>>> I have a USB netcard that is in promiscuous mode - ifconfig says
>>>>>>>>>> it is promiscuous, and I can use Wireshark to inspect packets that are sent
>>>>>>>>>> between third parties (i.e. not the machine Wireshark/Snort is running on).
>>>>>>>>>> I am able to flood the network with UDP traffic of known profile. Wireshark
>>>>>>>>>> sees it. Snort does not.
>>>>>>>>>>
>>>>>>>>>> I have written a simple rule to catch all UDP traffic. It does
>>>>>>>>>> see some packets but all are local.
>>>>>>>>>>
>>>>>>>>>> What is going wrong?
>>>>>>>>>>
>>>>>>>>>> Help a lonely nerd find satisfaction, if only for tonight ....
>>>>>>>>>>
>>>>>>>>>> Eric
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
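The diagnosis above (every frame landing in Snort's "Other" bucket because something prepends an unknown 12-byte header before the Ethernet header) can be confirmed and worked around offline. The following is an added example, not code from the thread or from the Snort project: a small pure-Python pcap tool that scans each frame for the first offset at which a plausible Ethernet header (known EtherType plus an IPv4/IPv6 version nibble or ARP hardware type) appears, reports the histogram of detected prefix lengths, and, if every frame agrees on one length, writes a copy of the capture with that prefix stripped so Snort can read it with `-r`. The 12-byte `HYPOTHETICAL_PREFIX` and the UDP frames are constructed sample input, not a real capture; the 12-byte figure itself comes from Russ's reply and is only an assumption about this particular driver.

```python
"""Detect and strip a fixed unknown header in front of Ethernet frames in a pcap.
Added example for the snort-users thread; constructed sample input, not a real capture."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
DLT_EN10MB = 1          # libpcap link type for Ethernet, what "Decoding Ethernet" in Snort's banner means
MAX_PREFIX = 64         # how far into a frame to look for a real Ethernet header


def read_pcap(data):
    """Parse a classic little-endian pcap; returns (linktype, snaplen, [(ts_sec, ts_usec, frame), ...])."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack('<IHHiIII', data[:24])
    if magic != PCAP_MAGIC_LE:
        raise ValueError('unsupported pcap magic %#x (big-endian or pcapng?)' % magic)
    frames, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack('<IIII', data[off:off + 16])
        off += 16
        frames.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, frames


def write_pcap(frames, linktype=DLT_EN10MB, snaplen=65535):
    out = [struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in frames:
        out.append(struct.pack('<IIII', ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b''.join(out)


def looks_like_ethernet(frame, k):
    """True if an Ethernet header at offset k carries a plausible IPv4, IPv6 or ARP payload."""
    if len(frame) < k + 16:
        return False
    ethertype = struct.unpack('!H', frame[k + 12:k + 14])[0]
    if ethertype == 0x0800:
        return frame[k + 14] >> 4 == 4                  # IPv4 version nibble
    if ethertype == 0x86DD:
        return frame[k + 14] >> 4 == 6                  # IPv6 version nibble
    if ethertype == 0x0806:
        return frame[k + 14:k + 16] == b'\x00\x01'      # ARP hardware type: Ethernet
    return False


def find_prefix_len(frame, max_prefix=MAX_PREFIX):
    """Smallest k such that frame[k:] decodes as Ethernet; 0 means Snort would already accept it."""
    for k in range(0, max_prefix + 1):
        if looks_like_ethernet(frame, k):
            return k
    return None


def diagnose(frames):
    """Histogram of detected prefix lengths.  A capture that is 100% 'Other' in Snort's
    protocol breakdown and {12: N} here is consistent with a fixed 12-byte driver header."""
    hist = {}
    for _s, _u, frame in frames:
        k = find_prefix_len(frame)
        hist[k] = hist.get(k, 0) + 1
    return hist


def strip_prefix(frames, n):
    return [(s, u, frame[n:]) for s, u, frame in frames]


def repair(pcap_bytes):
    """Strip a uniform prefix when one is detected; returns (prefix_len, fixed_pcap_bytes)."""
    linktype, snaplen, frames = read_pcap(pcap_bytes)
    if linktype != DLT_EN10MB:
        raise ValueError('link type %d is not Ethernet; fix the capture DLT rather than stripping bytes' % linktype)
    hist = diagnose(frames)
    if len(hist) != 1 or None in hist:
        raise ValueError('no single consistent prefix length: %r' % hist)
    (n,) = hist
    return n, write_pcap(strip_prefix(frames, n), linktype, snaplen)


# --- constructed sample input (stands in for the poster's pcap) ----------------------------
HYPOTHETICAL_PREFIX = bytes(range(0xC0, 0xCC))   # 12 opaque bytes standing in for the unknown header


def build_udp_frame(payload):
    # Ethernet + IPv4 + UDP with zero checksums (Snort was run with -k none in the thread).
    eth = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + b'\x08\x00'
    udp = struct.pack('!HHHH', 40000, 5000, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return eth + ip + udp


def build_sample_pcap():
    frames = [(1366663565, i * 1000, HYPOTHETICAL_PREFIX + build_udp_frame(b'probe-%d' % i))
              for i in range(3)]
    return write_pcap(frames)


if __name__ == '__main__':
    import sys
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_pcap()
    n, fixed = repair(data)
    print('stripped a %d-byte prefix from every frame' % n)
    if len(sys.argv) > 2:
        open(sys.argv[2], 'wb').write(fixed)
```

Run it as `python fixprefix.py capture.pcap fixed.pcap` and then `snort -r fixed.pcap -k none` to see whether the UDP traffic moves out of "Other". Two caveats: capture with the full snaplen in the first place (Russ's advice; `tcpdump -s 0` writes untruncated frames), because a frame cut at 1500 bytes plus a 12-byte prefix loses its tail; and only strip bytes when the histogram shows one length for every frame and the capture's link type is really Ethernet. If the adapter is actually delivering 802.11 or radiotap frames under an Ethernet link type, the right fix is to get the driver to present the proper DLT, not to chop a fixed number of bytes.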

