* RE: Snort Output v. Iptables Log
From: Daniel Chemko @ 2003-11-04 22:59 UTC (permalink / raw)
  To: IPTables List

Maybe this is because snort is running in promisc mode and listening to
packets that aren't destined for the machine, whereas Netfilter
never sees them because the packets are dropped at a later level?

239.* is multicast, so maybe your firewall discards multicast packets by
policy before filtering?

Quote from RFC 3171:

239.0.0.0   - 239.255.255.255 (239/8)       Administratively Scoped Block

-----Original Message-----
From: David C. Hart [mailto:DCH@TQMcube.com] 
Sent: Tuesday, November 04, 2003 2:25 PM
To: iptables mailing list
Subject: Snort Output v. Iptables Log

If I run snort, I get tons of these from a neighboring IP (I'm assuming
"dirty" windows in contrast to anything malicious BTW).
----------------------------
[**] MISC UPnP malformed advertisement [**]
11/04-16:25:15.492306 151.202.17.22:1901 -> 239.255.255.250:1900
UDP TTL:150 TOS:0x0 ID:1 IpLen:20 DgmLen:355
Len: 327
---------------------------
None of these packets get logged by IPTables. To be sure, I added a
"kitchen sink" rule at the very top specific to the offending IP with no
parameters:

-A INPUT -s 151.202.17.22 -j LOG --log-prefix "Firewall: " --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options

Any ideas? What am I not understanding?



* Re: Snort Output v. Iptables Log
From: Cedric Blancher @ 2003-11-05  7:19 UTC (permalink / raw)
  To: IPTables List

On Tue 04/11/2003 at 23:25, David C. Hart wrote:
> If I run snort, I get tons of these from a neighboring IP (I'm assuming
> "dirty" windows in contrast to anything malicious BTW).
> ----------------------------
> [**] MISC UPnP malformed advertisement [**]
> 11/04-16:25:15.492306 151.202.17.22:1901 -> 239.255.255.250:1900
> UDP TTL:150 TOS:0x0 ID:1 IpLen:20 DgmLen:355
> Len: 327
> ---------------------------

Destination is 239.255.255.250 which is a multicast address.

> None of these packets get logged by IPTables. To be sure, I added a
> "kitchen sink" rule at the very top specific to the offending IP with no
> parameters:
> -A INPUT -s 151.202.17.22 -j LOG --log-prefix "Firewall: " --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options

You won't see these packets in the INPUT chain unless your box is listening
to this very multicast address. Maybe you can try to catch it in the
PREROUTING chain of the mangle table...

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 
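An added example (not part of the thread) that turns the above into a check: it parses the Snort alert header quoted in the thread, decides whether the destination is multicast and whether the host has joined that group (on Linux the joined groups can be read from /proc/net/igmp; here they are passed in as a parameter so the script runs offline), and emits a LOG rule in the table and chain that will actually see the packet.

```python
import ipaddress
import re

# Constructed sample: the Snort alert header quoted in the thread.
SNORT_ALERT = """[**] MISC UPnP malformed advertisement [**]
11/04-16:25:15.492306 151.202.17.22:1901 -> 239.255.255.250:1900
UDP TTL:150 TOS:0x0 ID:1 IpLen:20 DgmLen:355
Len: 327"""

# Packet summary line "<src>:<sport> -> <dst>:<dport>", protocol at the start of the next line.
PKT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)\n(\w+) ")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def parse_snort_alert(text):
    """Pull (src, sport, dst, dport, proto) out of a Snort alert header."""
    m = PKT_RE.search(text)
    if m is None:
        raise ValueError("no packet summary line in alert")
    src, sport, dst, dport, proto = m.groups()
    return src, int(sport), dst, int(dport), proto.lower()


def netfilter_hook_for(dst, joined_groups=()):
    """Return the (table, chain) where a LOG rule on a non-routing host will match.

    Unicast to a local address is delivered through filter/INPUT.  A multicast packet
    only reaches INPUT when the host has joined that group; otherwise the routing
    decision discards it first.  mangle/PREROUTING runs before routing, so it sees
    the packet either way, which is why the reply above suggests logging there."""
    if ipaddress.ip_address(dst) in MULTICAST and dst not in joined_groups:
        return "mangle", "PREROUTING"
    return "filter", "INPUT"


def log_rule_for(alert, joined_groups=(), prefix="Firewall: "):
    """Build an iptables LOG rule that matches the packet described in the alert."""
    src, _sport, dst, dport, proto = parse_snort_alert(alert)
    table, chain = netfilter_hook_for(dst, joined_groups)
    return (f"iptables -t {table} -A {chain} -s {src} -d {dst} -p {proto} --dport {dport} "
            f"-j LOG --log-prefix \"{prefix}\"")


if __name__ == "__main__":
    print(log_rule_for(SNORT_ALERT))
```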



* Snort Output v. Iptables Log
From: David C. Hart @ 2003-11-04 22:25 UTC (permalink / raw)
  To: iptables mailing list


If I run snort, I get tons of these from a neighboring IP (I'm assuming
"dirty" windows in contrast to anything malicious BTW).
----------------------------
[**] MISC UPnP malformed advertisement [**]
11/04-16:25:15.492306 151.202.17.22:1901 -> 239.255.255.250:1900
UDP TTL:150 TOS:0x0 ID:1 IpLen:20 DgmLen:355
Len: 327
---------------------------
None of these packets get logged by IPTables. To be sure, I added a
"kitchen sink" rule at the very top specific to the offending IP with no
parameters:

-A INPUT -s 151.202.17.22 -j LOG --log-prefix "Firewall: " --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options

Any ideas? What am I not understanding?
