packets. You now have Snort ready to show packets going through the loopback interface. Switch to the ping terminal tab and run the ping command again:

    [root@ids ~]# ping ids.inse6120

Press Ctrl+C to terminate the ping command and return to the Snort terminal tab. There's our ICMP traffic, waiting to be analyzed by you. Press Ctrl+C to quit Snort.

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    02/10-21:43:33.380959 127.0.0.1 -> 127.0.0.1
    ICMP TTL:64 TOS:0x0 ID:39516 IpLen:20 DgmLen:84
    Type:0  Code:0  ID:56100   Seq:9  ECHO REPLY
    55 8E F9 52 EC CF 05 00 08 09 0A 0B 0C 0D 0E 0F  U..R ............
    10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
    20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
    30 31 32 33 34 35 36 37                          01234567
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Exercise 2: Study the ICMP packet capture. Is it an ECHO or an ECHO REPLY packet? What is the content of a ping packet, anyway? The left-hand side of the Snort capture displays the application data in hex; on the right-hand side you see Snort's attempt to translate the hex data into ASCII. Did Snort translate the ping application data correctly?
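To work through Exercise 2 with code, here is an added example (not part of the lab handout) that parses the hex columns of the Snort dump above, reproduces Snort's ASCII column, and unpacks the payload the way Linux ping fills it. It assumes the 8-byte struct timeval of a 32-bit host, which is what the byte offsets in this dump indicate; the hex lines are copied from the capture as constructed input.

```python
import struct
from datetime import datetime, timezone

# Hex columns copied from the Snort dump above (constructed input for this example).
SNORT_HEX_LINES = [
    "55 8E F9 52 EC CF 05 00 08 09 0A 0B 0C 0D 0E 0F",
    "10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F",
    "20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F",
    "30 31 32 33 34 35 36 37",
]


def parse_snort_hex(lines):
    """Turn the hex columns of a 'snort -d' dump back into the raw payload bytes."""
    return bytes(int(tok, 16) for line in lines for tok in line.split())


def snort_ascii(data):
    """Reproduce Snort's right-hand column: printable ASCII, everything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def decode_ping_payload(data):
    """Interpret the payload the way Linux ping builds it (assumption: an
    8-byte little-endian struct timeval, then filler bytes whose value equals
    their own offset). Returns the send time and whether the filler is intact."""
    tv_sec, tv_usec = struct.unpack("<II", data[:8])
    filler_ok = all(data[i] == i for i in range(8, len(data)))
    sent_utc = datetime.fromtimestamp(tv_sec, tz=timezone.utc)
    return {
        "tv_sec": tv_sec,
        "tv_usec": tv_usec,
        "sent_utc": sent_utc.strftime("%Y-%m-%d %H:%M:%S"),
        "payload_len": len(data),  # 56 data bytes + 8 ICMP + 20 IP = DgmLen 84
        "filler_ok": filler_ok,
    }


if __name__ == "__main__":
    payload = parse_snort_hex(SNORT_HEX_LINES)
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        print(f"{chunk.hex(' ').upper():<47}  {snort_ascii(chunk)}")
    print(decode_ping_payload(payload))
```

The decoded send time, 02:43:33 UTC, is 21:43:33 in Snort's local timestamp (UTC-5), and the 380908 microseconds sit 51 µs before the capture time, so the "U..R" is the timestamp's raw bytes, not a translation error.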
Packet Logger Mode

You probably noticed that the Snort output flies over the screen very quickly. Instead of displaying the output to stdout, we can tell Snort to write it to a log file.

    [root@ids rules]# cd ~
    [root@ids ~]# mkdir log
    [root@ids ~]# snort -vd -l log -i lo
    Running in packet logging mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Log directory = log
    pcap DAQ configured to passive.
    Acquiring network traffic from "lo".
    Decoding Ethernet

            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 184.108.40.206 GRE (Build 205)
       ''''    By Martin Roesch & The Snort Team
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using libpcap version 1.5.2
               Using PCRE version: 7.8 2008-09-05
               Using ZLIB version: 1.2.3

    Commencing packet processing (pid=9550)

We first created a directory to hold the logs, and then started Snort in packet logging mode (using the -l option). Open a new terminal tab, and this time let's SSH to ourselves. Confirm the host key prompt (if needed) and type exit to close the SSH connection.

    [root@ids snort]# ssh ids.inse6120
    root@ids.inse6120's password:
    [root@ids ~]# exit
    logout
    Connection to ids.inse6120 closed.

Let's go back to our Snort terminal tab. There's no change on the screen because Snort is running in packet logging mode. Press Ctrl+C and look at the statistics. How many TCP packets were captured? Change the directory to log and look at the file type.

    [root@ids ~]# cd log
    [root@ids log]# ll
    total 12
    -rw-------. 1 root root 10070 Feb 10 22:05 snort.log.1392087679
    [root@ids log]# file snort.log.1392087679
    snort.log.1392087679: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)