snort-inline-users

[Snort-inline-users] no tcp header

[Jochen V. <jv...@it...>]

hi,

im using snort_inline 2.1.3
if i start IDS with -de i get the Ethernet Header, IP Header and the TCP
Header.
if i start IPS with -Qde i get only the IP Header

is it possible to log the TCP Header in IPS mode?

thx jo


----------------------------------------------------------------
IPS

[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC  Ack: 0x5D3677B5  Win: 0xFAF0  TcpLen: 20
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd 
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host: 
31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi

-------------------------------------------------------------
IDS

[**] WEB-IIS scripts access [**]
10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xEF7AEB2D  Ack: 0x6D6ECF21  Win: 0x2E  TcpLen: 32
TCP Options (3) => NOP NOP TS: 12410822 1352915474 
47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50  06997&img=5 HTTP
2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E  /1.1..Host: wwp.
69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67  icq.com..User-Ag

Re: [Snort-inline-users] no tcp header

[Will M. <wil...@gm...>]

I'll assume you meant the ethernet header, in which case no it is not
currently possible, because iptables removes this information.  You
are getting the tcp header information ;-)

Regards,

Will


On Fri, 15 Oct 2004 11:34:06 +0200, Jochen Vogel <jv...@it...> wrote:
> hi,
> 
> im using snort_inline 2.1.3
> if i start IDS with -de i get the Ethernet Header, IP Header and the TCP
> Header.
> if i start IPS with -Qde i get only the IP Header
> 
> is it possible to log the TCP Header in IPS mode?
> 
> thx jo
> 
> ----------------------------------------------------------------
> IPS
> 
> [**] WEB-MISC /etc/passwd [**]
> 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> ***AP*** Seq: 0x669EF8CC  Ack: 0x5D3677B5  Win: 0xFAF0  TcpLen: 20
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
> 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
> 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
> 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
> 
> -------------------------------------------------------------
> IDS
> 
> [**] WEB-IIS scripts access [**]
> 10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
> 195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
> IpLen:20 DgmLen:451 DF
> ***AP*** Seq: 0xEF7AEB2D  Ack: 0x6D6ECF21  Win: 0x2E  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 12410822 1352915474
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
> 69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
> 30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50  06997&img=5 HTTP
> 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E  /1.1..Host: wwp.
> 69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67  icq.com..User-Ag
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>