From: Yogdutt S. <son...@gm...> - 2004-10-20 10:58:46

Hi Everybody,

I'm getting a problem with filtering tcp packets through snort_inline. snort_inline is working properly, and the drop and replace actions are working properly on icmp packets. For icmp packets I have put an iptables rule:

    iptables -A INPUT -p icmp -d 192.168.1.11/32 -j QUEUE

I have given the same iptables rule for tcp packets:

    iptables -A INPUT -p tcp --sport 80 -d 192.168.1.11/32 -j QUEUE

and I have also added an alert rule in the local.rules file:

    alert tcp any 80 -> 192.168.1.11/32 any (msg:"HTTP Protocol Active";)

and I am giving the command:

    snort_inline -Qdvc /etc/snort_inline.conf -l /var/log/snort

As per the given 'd' and 'v' options I got output on the console as below for tcp packets:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/20-16:04:57.988479 66.102.9.104:80 -> 192.168.11.5:32854
TCP TTL:62 TOS:0x0 ID:39096 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x636D1F89  Ack: 0xED7F232A  Win: 0x4470  TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277264730 2389497

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/20-16:04:58.648405 66.102.9.104:80 -> 192.168.11.5:32853
TCP TTL:62 TOS:0x0 ID:43192 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x3A3C271A  Ack: 0xE8ACA1CA  Win: 0x4470  TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277264796 2384757

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/20-16:05:03.975030 66.102.9.104:80 -> 192.168.11.5:32854
TCP TTL:62 TOS:0x0 ID:45496 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x636D1F89  Ack: 0xED7F232A  Win: 0x4470  TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277265328 2390697

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Here we can see that only tcp packets with the SYN and ACK flags enabled are coming into the picture; I can't find any packets other than those. Please tell me where I am wrong?

Thanks in Advance.

--
Yogdutt Sonivadia
Apropos Infotech Pvt. Ltd.
Bangalore, India
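An added example (not from the post or from the snort_inline project): a small parser for the `-v` console format quoted above that summarises which TCP flag combinations snort_inline actually saw and flags SYN/ACKs that repeat with the same sequence number. In the output above that is the case for port 32854 (16:04:57 and 16:05:03, same Seq), which is a server retransmission and means that handshake never completed, so the queued packets are worth checking for an ACCEPT verdict. The sample input is constructed from the three records in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the three records quoted in the post, trimmed to the lines
# this parser reads (the separator and "TCP Options" lines are not needed).
SAMPLE = """\
10/20-16:04:57.988479 66.102.9.104:80 -> 192.168.11.5:32854
TCP TTL:62 TOS:0x0 ID:39096 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x636D1F89 Ack: 0xED7F232A Win: 0x4470 TcpLen: 44
10/20-16:04:58.648405 66.102.9.104:80 -> 192.168.11.5:32853
TCP TTL:62 TOS:0x0 ID:43192 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x3A3C271A Ack: 0xE8ACA1CA Win: 0x4470 TcpLen: 44
10/20-16:05:03.975030 66.102.9.104:80 -> 192.168.11.5:32854
TCP TTL:62 TOS:0x0 ID:45496 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x636D1F89 Ack: 0xED7F232A Win: 0x4470 TcpLen: 44
"""

# Packet header line: "MM/DD-HH:MM:SS.usec src:sport -> dst:dport"
HDR = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
# TCP line: 8-char flag column in snort's "12UAPRSF" order, then Seq/Ack in hex
TCPL = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)")
FLAG_NAMES = "12UAPRSF"  # CWR, ECE, URG, ACK, PSH, RST, SYN, FIN

def parse_packets(text):
    """Return one dict per TCP record found in snort -v console output."""
    pkts, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = {"ts": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                   "dst": m.group(4), "dport": int(m.group(5))}
            continue
        m = TCPL.match(line)
        if m and cur is not None:
            cur["flags"] = {n for n, c in zip(FLAG_NAMES, m.group(1)) if c != "*"}
            cur["seq"], cur["ack"] = int(m.group(2), 16), int(m.group(3), 16)
            pkts.append(cur)
            cur = None
    return pkts

def flag_summary(pkts):
    """Count flag combinations, e.g. {'AS': 3} when only SYN/ACKs were seen."""
    return Counter("".join(sorted(p["flags"])) for p in pkts)

def retransmitted_synacks(pkts):
    """SYN/ACKs seen more than once with the same seq: the server is retrying
    because its SYN/ACK was never acknowledged, so the handshake did not finish."""
    seen = defaultdict(list)
    for p in pkts:
        if p["flags"] == {"A", "S"}:
            seen[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"])].append(p["ts"])
    return {flow: times for flow, times in seen.items() if len(times) > 1}
```

Run it over a saved copy of the console output instead of `SAMPLE` to see whether anything but SYN/ACKs is getting through and which flows are stuck.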