Re: [Snort-users] help with rules - data capturing

are you sending port 13001 traffic to the QUEUE target in iptables? -Q
tells snort to read from ipqueue instead of listen on an interface. So
if you intend to QUEUE traffic something like

iptables -I FORWARD -p tcp --sport 13001 -j QUEUE
iptables -I FORWARD -p tcp --dport 13001 -j QUEUE

or if local to the box

iptables -I INPUT -p tcp --dport 13001 -j QUEUE
iptables -I OUTPUT -p tcp --sport 13001 -j QUEUE

or if you don't want to be inline just replace -Q with -i eth0 or
whatever interface you want to listen on

On Dec 26, 2007 6:29 PM, Timothy Ding <iolabs@gmail.com> wrote:
> Thank you all for responding, I compiled 2.81 and see snort running however
> i could use more help as no data were captured although i see the data from
> tcpdump with the same machine. I also try removing all the default rules
> running snort with only 1 to avoid any contaminations. perhaps i missed
> something?
>
> ~ Tim
>
>
> alert tcp any any -> $HOME_NET 13001 (msg: "GPRMC found in packet"; \
> flow:to_server,established; content:"|24|GPRMC"; nocase; sid:9999000;)
>
> TCPDUMP results
> 16:26:09.941940 IP 209.31.36.15.ptr.us.xo.net.13001 >
> 66.xxx.xxx.xxx.static.xxx.com.26334: S 664514795:664514795(0) ack 6516 win
> 5840 <mss 1460>
>         0x0000:  4500 002c 0000 4000 4006 7202 d11f 240f  E..,..@.@.r...$.
>         0x0010:  42d8 90c3 32c9 66de 279b b0eb 0000 1974  B...2.f.'......t
>         0x0020:  6012 16d0 2cda 0000 0204 05b4            `...,.......
> 16:26:11.264892 IP 66.216.144.195.static.dejazzd.com.26334 >
> 209.xxx.xxx.xxx.ptr.xxx.net.13001: P 1:137(136) ack 1 win 8096
>         0x0000:  4500 00b0 0004 4000 eb06 c679 42d8 90c3  E.....@....yB...
>         0x0010:  d11f 240f 66de 32c9 0000 1974 279b b0ec  ..$.f.2....t'...
>         0x0020:  5018 1fa0 8f42 0000 0604 8319 8800 0000  P....B..........
>         0x0030:  6100 0000 2533 3536 3933 3930 3130 3030  a...%35693901000
>         0x0040:  3036 3736 2c24 4750 524d 432c 3030 3137  0676,$GPRMC,0017
>         0x0050:  3432 2e30 3030 2c41 2c33 3335 372e 3631  42.000,A,3357.61
>         0x0060:  3638 2c4e 2c31 3137 3536 2e38 3639 362c  68,N, 11756.8696,
>         0x0070:  572c 302e 3030 2c2c 3237 3132 3037 2c2c  W,0.00,,271207,,
>         0x0080:  2c41 2c2b 3132 3133 3833 3936 3635 332c  ,A,+12138396653,
>         0x0090:  4e30 3338 6400 0000 0000 0000 0000 0000  N038d...........
>         0x00a0:  0000 0000 0000 0000 0000 0000 ffff ffff  ................
> 16:26:11.264922 IP 209.31.36.15.ptr.us.xo.net.13001 >
> 66.xxx.xxx.xxx.static.xxx.com.26334: . ack 137 win 6432
>         0x0000:  4500 0028 9c41 4000 4006 d5c4 d11f 240f  E..(.A@.@.....$.
>         0x0010:  42d8 90c3 32c9 66de 279b b0ec 0000 19fc  B...2.f.'.......
>         0x0020:  5010 1920 41bf 0000                      P...A...
>
> Snort started with this command.
>  46480 29072 ?        S    Dec24   2:05 /home/user1/snort/snort-
> 2.8.0.1/src/snort -Qc /home/user1/snort/snort-2.8.0.1/etc/snort.conf -l
> /var/log/snort/
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users