Snort mailing list archives

Re: snort-inline and iptables INPUT chain


From: Laurent Haond <lhaond () bearstech com>
Date: Wed, 02 Mar 2005 19:41:15 +0100



Laurent Haond wrote:

===================================================


I will give it a try without --enable-flexresp...


Still not working when compiling without flexresp...

:-(

Laurent

Here are the tethereal captures:

ssh establishing WITHOUT snort-inline / queue:
Capturing on eth0
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=567646 TSER=0 WS=0
0.000422 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=583170 TSER=567646 WS=0
0.000456 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=567647 TSER=583170
0.091878 192.168.0.2 -> 192.168.0.1 SSH Server Protocol: SSH-2.0-OpenSSH
0.091892 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1 Ack=25 Win=5840 Len=0 TSV=567656 TSER=583180
0.091949 192.168.0.1 -> 192.168.0.2 SSH Client Protocol: SSH-2.0-OpenSSH
0.092158 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=25 Ack=42 Win=5792 Len=0 TSV=583180 TSER=567656
0.092166 192.168.0.1 -> 192.168.0.2 SSHv2 Client: Key Exchange Init
0.092429 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=25 Ack=650 Win=6688 Len=0 TSV=583180 TSER=567656
0.096161 192.168.0.2 -> 192.168.0.1 SSHv2 Server: Key Exchange Init
0.096229 192.168.0.1 -> 192.168.0.2 SSHv2 Client: Diffie-Hellman GEX Request
0.112155 192.168.0.2 -> 192.168.0.1 SSHv2 Server: Diffie-Hellman Key Exchange Reply
0.113776 192.168.0.1 -> 192.168.0.2 SSHv2 Client: Diffie-Hellman GEX Init
0.150941 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=785 Ack=818 Win=7904 Len=0 TSV=583186 TSER=567658
0.253657 192.168.0.2 -> 192.168.0.1 SSHv2 Server: Diffie-Hellman GEX Reply
0.255864 192.168.0.1 -> 192.168.0.2 SSHv2 Client: New Keys
0.256059 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=1249 Ack=834 Win=7904 Len=0 TSV=583196 TSER=567672
0.256068 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=48
0.256240 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [ACK] Seq=1249 Ack=882 Win=7904 Len=0 TSV=583196 TSER=567672
0.256615 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=48
0.256922 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=64
0.258581 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=80
0.258646 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=528
0.260759 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=80
0.260799 192.168.0.1 -> 192.168.0.2 SSHv2 Encrypted request packet len=96
0.261335 192.168.0.2 -> 192.168.0.1 SSHv2 Encrypted response packet len=80
0.300461 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1570 Ack=1537 Win=7904 Len=0 TSV=567677 TSER=583197

ssh establishing WITH snort-inline / queue:
Capturing on eth0
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=599536 TSER=0 WS=0
0.000557 192.168.0.2 -> 192.168.0.1 TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=615058 TSER=599536 WS=0
0.000577 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=599536 TSER=615058
then nothing...

Regards

Laurent
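The two captures above differ in one way that is easy to check mechanically: with the QUEUE target in place, the TCP three-way handshake (packets with Len=0) still completes, but no packet carrying payload ever appears. The following script is an added example, not part of the original post; it parses tethereal summary lines like the ones quoted, and reports whether a session got past the handshake, which is the first thing to establish when an inline IPS appears to swallow traffic. The sample inputs are the first lines of each capture, embedded as constructed strings.

```python
import re

# Constructed samples: the opening lines of the two tethereal captures quoted
# in the message above, one packet summary per line.
WITHOUT_QUEUE = """\
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=567646 TSER=0 WS=0
0.000422 192.168.0.2 -> 192.168.0.1 TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=583170 TSER=567646 WS=0
0.000456 192.168.0.1 -> 192.168.0.2 TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=567647 TSER=583170
0.091878 192.168.0.2 -> 192.168.0.1 SSH Server Protocol: SSH-2.0-OpenSSH
0.091949 192.168.0.1 -> 192.168.0.2 SSH Client Protocol: SSH-2.0-OpenSSH
"""
WITH_QUEUE = """\
0.000000 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=599536 TSER=0 WS=0
0.000557 192.168.0.2 -> 192.168.0.1 TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=615058 TSER=599536 WS=0
0.000577 192.168.0.1 -> 192.168.0.2 TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=599536 TSER=615058
"""

# One tethereal summary line: time, src -> dst, dissector name, remainder.
LINE = re.compile(r"^(?P<t>[\d.]+)\s+(?P<src>[\d.]+) -> (?P<dst>[\d.]+)\s+(?P<proto>\S+)\s+(?P<rest>.*)$")


def diagnose(capture: str) -> dict:
    """Report handshake completion and payload presence for one captured session."""
    flags_seen = set()
    payload_packets = 0
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. the "Capturing on eth0" banner
        proto, rest = m.group("proto"), m.group("rest")
        if proto == "TCP":
            fm = re.search(r"\[([^\]]+)\]", rest)  # flag list such as "SYN, ACK"
            if fm:
                flags_seen.add(fm.group(1))
            lm = re.search(r"\bLen=(\d+)", rest)  # segment payload length
            if lm and int(lm.group(1)) > 0:
                payload_packets += 1
        else:
            payload_packets += 1  # a dissected app-layer line ("SSH ...") is data
    handshake = {"SYN", "SYN, ACK", "ACK"} <= flags_seen
    if handshake and payload_packets == 0:
        verdict = "handshake completed but no payload seen: data segments are not being forwarded"
    elif handshake:
        verdict = "session carried application data"
    else:
        verdict = "handshake incomplete"
    return {"handshake": handshake, "payload_packets": payload_packets, "verdict": verdict}
```

Running diagnose() on both samples gives "session carried application data" for the capture without the queue and "handshake completed but no payload seen" for the one with it, which narrows the fault to whatever sits between the queue and the data packets rather than to iptables connection tracking.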

