From: Josh B. <jos...@li...> - 2004-10-19 03:55:05
The TCP header is in the IPS example. It shows the source/destination ports, Sequence/Ack numbers, TCP Flags, Window Size and TCP Length. What is it that you think you are missing?

> The problem is that the payload exists but the TCP header is missing.
> See the IPS log example.
>
>> I'll assume you meant the Ethernet header, in which case no, it is not
>> currently possible, because iptables removes this information. You
>> are getting the TCP header information ;-)
>>
>> > I'm using snort_inline 2.1.3.
>> > If I start IDS with -de I get the Ethernet Header, IP Header and the TCP Header.
>> > If I start IPS with -Qde I get only the IP Header.
>> >
>> > Is it possible to log the TCP Header in IPS mode?
>> >
>> > thx jo
>> >
>> > ----------------------------------------------------------------
>> > IPS
>> >
>> > [**] WEB-MISC /etc/passwd [**]
>> > 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127 TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
>> > ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
>> > 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
>> > 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
>> > 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
>> > 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
>> >
>> > -------------------------------------------------------------
>> > IDS
>> >
>> > [**] WEB-IIS scripts access [**]
>> > 10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
>> > 195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206 IpLen:20 DgmLen:451 DF
>> > ***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
>> > TCP Options (3) => NOP NOP TS: 12410822 1352915474
>> > 47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
>> > 69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
>> > 30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50  06997&img=5 HTTP
>> > 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E  /1.1..Host: wwp.
>> > 69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67  icq.com..User-Ag

--
Thanks,
Josh Berry | CISSP GCIA
Principal Engineer
LinkNet-Solutions
469-831-8543
jos...@li...
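The two records quoted in the thread differ in structure only by the Ethernet line, which is present in IDS (-de) output and absent in IPS (-Qde) output. The following is an added example, not code from the thread or from snort_inline: it parses a Snort full-format alert from either mode into one record and reports whether the link layer was logged; the two sample records are constructed, trimmed copies of the alerts quoted above.

```python
import re

# Constructed samples, trimmed from the two alerts quoted in the thread: snort_inline in
# IPS mode (-Qde, no Ethernet line) and in IDS mode (-de, Ethernet line present).
IPS_ALERT = """[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127 TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
"""
IDS_ALERT = """[**] WEB-IIS scripts access [**]
10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 12410822 1352915474
47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
"""

TS = r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
MAC = r"[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5}"
ETH_RE = re.compile(rf"{TS} (?P<smac>{MAC}) -> (?P<dmac>{MAC}) type:0x(?P<type>[0-9A-Fa-f]+)")
# The IP line carries the timestamp itself when no Ethernet line precedes it (IPS mode).
IP_RE = re.compile(rf"(?:{TS} )?(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) TCP TTL:")
TCP_RE = re.compile(r"(?P<flags>[*12UAPRSF]{8}) Seq: 0x(?P<seq>[0-9A-F]+) Ack: 0x(?P<ack>[0-9A-F]+) "
                    r"Win: 0x(?P<win>[0-9A-F]+) TcpLen: (?P<tcplen>\d+)")
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} ){1,16})")  # hex column of a payload dump line

def parse_alert(text: str) -> dict:
    """Parse one Snort 'full' alert record from either -de (IDS) or -Qde (IPS) output."""
    lines = text.strip().splitlines()
    rec = {"msg": re.fullmatch(r"\[\*\*\] (.*) \[\*\*\]", lines[0].strip()).group(1),
           "timestamp": None, "eth": None, "payload": bytearray()}
    for ln in lines[1:]:
        if m := ETH_RE.match(ln):
            rec["timestamp"] = m["ts"]
            rec["eth"] = (m["smac"], m["dmac"], int(m["type"], 16))
        elif m := IP_RE.match(ln):
            rec["timestamp"] = rec["timestamp"] or m["ts"]
            rec.update(src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]))
        elif m := TCP_RE.match(ln):
            rec.update(flags=m["flags"], seq=int(m["seq"], 16), ack=int(m["ack"], 16),
                       win=int(m["win"], 16), tcplen=int(m["tcplen"]))
        elif m := HEX_RE.match(ln):  # "TCP Options" lines match nothing and are skipped
            rec["payload"] += bytes.fromhex(m.group(1))
    rec["payload"] = bytes(rec["payload"])
    return rec

def has_link_layer(rec: dict) -> bool:
    """False for IPS records: as the reply above notes, iptables has removed the Ethernet header."""
    return rec["eth"] is not None
```

Feeding both modes through one parser lets a correlation back end key on the fields every record has (addresses, ports, flags, seq/ack, payload) and treat the MAC pair as optional, rather than failing on IPS records.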