Snort mailing list archives

Logging traffic on Win2k loopback adaptor


From: Max Walshe <MWalshe () BARf1 com>
Date: Fri, 25 Jun 2004 10:24:34 +0100

I'm trying to log traffic between a client and server running on the same
Win2k machine.
I've installed the loopback adaptor and verified the client can connect to
the server using the loopback address (169.254.25.129).
However, I can't get Snort (v2.1.3) to log any traffic on that adaptor.

Can Snort log local traffic on Win2k? If so, what have I missed?

I've tried using Snort's -I option to set the interface but that doesn't
help either.
My rules do log traffic from a remote machine so I'm happy that's doing what
I want it to.

Below are my rules, ipconfig output and Snort -W output.

Any help much appreciated.

Thanks in advance

Max


Snort Rules File
----------------

var LOOPBACK_ADDR 169.254.25.129/32
var SERVER_ADDR   10.3.1.33/32
var CLIENT_ADDR   any

log tcp $CLIENT_ADDR any -> $SERVER_ADDR 2188
log tcp $SERVER_ADDR 2188 -> $CLIENT_ADDR any

log tcp $CLIENT_ADDR any -> $LOOPBACK_ADDR 2188
log tcp $LOOPBACK_ADDR 2188 -> $CLIENT_ADDR any



IPCONFIG Output
----------------

Windows 2000 IP Configuration

Ethernet adapter Loopback Adapter:

        Connection-specific DNS Suffix  . :
        Autoconfiguration IP Address. . . : 169.254.25.129
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter COPPER NIC:

        Connection-specific DNS Suffix  . : baracing.co.uk
        IP Address. . . . . . . . . . . . : 10.3.1.33
        Subnet Mask . . . . . . . . . . . : 255.255.252.0
        Default Gateway . . . . . . . . . : 10.3.2.254

SNORT -W output
----------------

Version 2.1.3-ODBC-MySQL-MSSQL-FlexRESP-WIN32 (Build 27)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.1 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

Interface       Device          Description
-------------------------------------------
1  \Device\NPF_{F097A79F-6051-4AE1-922F-B51B23501853} (Intel 8255x-based Integrated Fast Ethernet)
2 \Device\NPF_{1725E6F3-C7B5-4F53-AFAA-1BD88C0504B2} (MS LoopBack Driver)

