From: Will M. <wil...@gm...> - 2004-10-15 13:39:23

I'll assume you meant the Ethernet header, in which case no, it is not currently possible, because iptables removes this information. You are getting the TCP header information ;-)

Regards,
Will

On Fri, 15 Oct 2004 11:34:06 +0200, Jochen Vogel <jv...@it...> wrote:
> hi,
>
> I'm using snort_inline 2.1.3
> if I start IDS with -de I get the Ethernet Header, IP Header and the TCP
> Header.
> if I start IPS with -Qde I get only the IP Header
>
> is it possible to log the TCP Header in IPS mode?
>
> thx jo
>
> ----------------------------------------------------------------
> IPS
>
> [**] WEB-MISC /etc/passwd [**]
> 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host:
> 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A 195.245.50.252..
> 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
>
> -------------------------------------------------------------
> IDS
>
> [**] WEB-IIS scripts access [**]
> 10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
> 195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
> IpLen:20 DgmLen:451 DF
> ***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
> TCP Options (3) => NOP NOP TS: 12410822 1352915474
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C GET /scripts/onl
> 69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35 ine.dll?icq=2835
> 30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50 06997&img=5 HTTP
> 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E /1.1..Host: wwp.
> 69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 icq.com..User-Ag
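The practical consequence of Will's answer for anyone feeding these alerts into a log pipeline: the MAC line after the timestamp is optional. It appears only when Snort saw the Ethernet frame (the IDS run with -e); in the inline run the IP header shares the timestamp line and the TCP line still follows, as both dumps above show. The parser below is an added example, not part of the thread or of snort_inline; it handles both layouts, decodes the -d hex dump back into bytes, and reports which layer the capture started at. The two sample alerts are the thread's own output with the mail client's line wrapping undone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input taken from the thread above (IPS run with -Qde, IDS run with -de),
# with the mailer's line wrapping undone so each Snort header line is one line.
IPS_ALERT = """\
[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127 TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host:
"""

IDS_ALERT = """\
[**] WEB-IIS scripts access [**]
10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 12410822 1352915474
47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C GET /scripts/onl
69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35 ine.dll?icq=2835
"""

MSG_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]$")
TS_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<rest>.+)$")
# Link-layer line: present only when Snort had the Ethernet frame and -e was given.
ETH_RE = re.compile(
    r"^(?P<smac>[0-9A-Fa-f:]+) -> (?P<dmac>[0-9A-Fa-f:]+) "
    r"type:(?P<type>0x[0-9A-Fa-f]+) len:(?P<len>0x[0-9A-Fa-f]+)$"
)
IP_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) ID:(?P<id>\d+) "
    r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)(?P<flags>.*)$"
)
TCP_RE = re.compile(
    r"^(?P<flags>\S{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+) Ack: (?P<ack>0x[0-9A-Fa-f]+) "
    r"Win: (?P<win>0x[0-9A-Fa-f]+) TcpLen: (?P<tcplen>\d+)$"
)
OPTS_RE = re.compile(r"^TCP Options \((?P<n>\d+)\) => (?P<opts>.+)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


@dataclass
class Alert:
    msg: str
    timestamp: str
    ethernet: Optional[Dict[str, str]]  # None when no link-layer header was logged
    ip: Dict[str, object]
    tcp: Optional[Dict[str, str]]
    tcp_options: Optional[str]
    payload: bytes


def decode_hexdump(lines: List[str]) -> bytes:
    """Recover payload bytes from the -d dump: 16 hex bytes per line, then ASCII."""
    out = bytearray()
    for ln in lines:
        for tok in ln.split()[:16]:
            if not HEX_BYTE.match(tok):
                break  # reached the ASCII column of a short final line
            out.append(int(tok, 16))
    return bytes(out)


def parse_alert(text: str) -> Alert:
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = MSG_RE.match(lines[0])
    if not m:
        raise ValueError("expected '[**] msg [**]' on the first line")
    ts = TS_RE.match(lines[1])
    if not ts:
        raise ValueError("expected a timestamp on the second line")
    idx = 2
    ethernet = None
    eth = ETH_RE.match(ts.group("rest"))
    if eth:
        ethernet = eth.groupdict()   # -e output: MAC line, IP header on the next line
        ip_line = lines[idx]
        idx += 1
    else:
        ip_line = ts.group("rest")   # inline output: IP header shares the timestamp line
    ip = IP_RE.match(ip_line)
    if not ip:
        raise ValueError("unrecognised IP header line: %r" % ip_line)
    ip_fields: Dict[str, object] = ip.groupdict()
    ip_fields["flags"] = str(ip_fields["flags"]).split()
    tcp = None
    options = None
    if idx < len(lines):
        tm = TCP_RE.match(lines[idx])
        if tm:
            tcp = tm.groupdict()
            idx += 1
            if idx < len(lines):
                om = OPTS_RE.match(lines[idx])
                if om:
                    options = om.group("opts")
                    idx += 1
    return Alert(m.group("msg"), ts.group("ts"), ethernet, ip_fields, tcp, options,
                 decode_hexdump(lines[idx:]))


def capture_layer(alert: Alert) -> str:
    """'ethernet' if the frame header was logged, 'ip' if the capture began at the IP packet."""
    return "ethernet" if alert.ethernet else "ip"


if __name__ == "__main__":
    for sample in (IPS_ALERT, IDS_ALERT):
        a = parse_alert(sample)
        print(a.msg, capture_layer(a), a.ip["src"], "->", a.ip["dst"], a.payload)
```

A consumer that hard-codes the MAC line as mandatory will misread every inline alert, taking the IP header line as the Ethernet line and failing from there; treating it as optional, as above, lets one parser serve both the sniffing and the inline sensor without a per-mode configuration switch.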