Snort Sniffer Mode


Sniffer Mode

First, let's start with the basics. If you just want to print the TCP/IP packet headers to the screen (that is, sniffer mode), try this:

snort -v
[root@metatron ~]# snort -v
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.14.1 GRE (Build 15003)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=8242)
09/13-13:13:07.791641 172.17.253.87:22 -> 14.23.168.98:17109
TCP TTL:64 TOS:0x10 ID:55653 IpLen:20 DgmLen:456 DF
***AP*** Seq: 0x7DC4C6A1  Ack: 0xA660D190  Win: 0x14C  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
09/13-13:13:07.872873 14.23.168.98:17109 -> 172.17.253.87:22
TCP TTL:48 TOS:0x14 ID:17295 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xA660D190  Ack: 0x7DC4C841  Win: 0xFC  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-13:13:08.792850 172.17.253.87:22 -> 14.23.168.98:17109
TCP TTL:64 TOS:0x10 ID:55654 IpLen:20 DgmLen:328 DF
***AP*** Seq: 0x7DC4C841  Ack: 0xA660D190  Win: 0x14C  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

This command runs Snort and shows only the IP and TCP/UDP/ICMP headers, nothing else. If you want to see the application data being transmitted as well, try this:

snort -vd
[root@metatron ~]# snort -vd
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.14.1 GRE (Build 15003)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=8253)
09/13-13:16:20.285274 172.17.253.87:22 -> 14.23.168.98:17109
TCP TTL:64 TOS:0x10 ID:55694 IpLen:20 DgmLen:104 DF
***AP*** Seq: 0x7DC4D631  Ack: 0xA660DEE0  Win: 0x15D  TcpLen: 20
CC DF 9C F3 09 40 CA 8B 0E 09 7B 62 96 0D 6C B0  .....@....{b..l.
12 11 60 64 3D 6E D3 6A B3 36 BC 91 9E E4 7F 66  ..`d=n.j.6.....f
A8 DB B9 14 1E CD 5C 76 D7 2C D3 71 13 A9 E8 27  ......\v.,.q...'
47 79 DC 13 18 09 4B BD 44 35 8F 6C 1D 50 9A 18  Gy....K.D5.l.P..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
09/13-13:16:20.372325 14.23.168.98:17109 -> 172.17.253.87:22
TCP TTL:48 TOS:0x14 ID:17372 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xA660DEE0  Ack: 0x7DC4D671  Win: 0xFF  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-13:16:21.286888 172.17.253.87:22 -> 14.23.168.98:17109
TCP TTL:64 TOS:0x10 ID:55695 IpLen:20 DgmLen:360 DF
***AP*** Seq: 0x7DC4D671  Ack: 0xA660DEE0  Win: 0x15D  TcpLen: 20
1D 6B EA B4 3A 7F 66 0A EF 62 FF 47 85 D6 F1 2D  .k..:.f..b.G...-
9C 35 14 A8 1E 38 DD 7C C0 DE 1E 44 A4 0C 1E 5E  .5...8.|...D...^
A7 BB E0 08 BF 75 BC BB EF 36 AE 37 C9 74 FE D6  .....u...6.7.t..
9C 94 74 86 FC C6 36 9C 17 4A 54 96 DE DF A7 81  ..t...6..JT.....
A9 64 7D 4F B6 0D 63 39 3E 3A 50 B6 8D EE 23 BC  .d}O..c9>:P...#.
58 2F 89 B9 99 D3 C7 FA D0 6C 0A 7B 5B 00 76 E0  X/.......l.{[.v.
11 D0 17 36 E6 A5 83 98 A0 31 EF C4 A8 BC 96 8C  ...6.....1......
EF DC 73 BE E3 B4 FE 00 F0 94 46 66 33 16 31 83  ..s.......Ff3.1.
0A E4 30 66 2C DE FA C9 D4 B7 D2 96 E4 34 10 CF  ..0f,........4..
94 8C 30 74 06 FB 20 DE 1E B4 CA 24 E6 A9 27 0F  ..0t.. ....$..'.
FA 46 04 BA 12 5C 7B 66 02 92 1A 3D A5 11 41 F2  .F...\{f...=..A.
03 90 7A 43 8C D1 EE F6 40 92 94 03 8A 5D EB F6  ..zC....@....]..
D9 1B FB 26 25 4C 1A D9 C2 40 CE C0 6B 19 1E 6B  ...&%L...@..k..k
5B E7 AE 83 9D 0F 3C C4 9C EE 2D 8A 8E 7E 5C B9  [.....<...-..~\.
35 F9 72 CD BC 16 21 8C 6E 32 05 28 4C ED 01 E3  5.r...!.n2.(L...
8F 8B 0D 77 36 8B 4F BE 46 B4 05 63 51 06 4F 7D  ...w6.O.F..cQ.O}
0C BD 3A 8A EC 7B A6 04 0A 4C 04 78 79 E8 CC 4B  ..:..{...L.xy..K
57 D0 D9 E1 16 1C 11 55 8E F7 C8 E8 D7 2E 2B 74  W......U......+t
AA C7 73 28 B2 8E C3 67 46 48 E5 9D 3D E4 9E 47  ..s(...gFH..=..G
AF 79 5F 2C C0 72 14 DE 80 87 5F A8 30 2A 4D 25  .y_,.r...._.0*M%

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

This instructs Snort to display the packet data as well as the headers. If you want an even more descriptive display that also shows the data link layer headers, do this:

snort -vde
[root@metatron ~]# snort -vde
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.14.1 GRE (Build 15003)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=8279)
09/13-13:20:18.948422 00:16:3E:32:58:BC -> EE:FF:FF:FF:FF:FF type:0x800 len:0xE6
172.17.253.87:22 -> 14.23.168.98:17109 TCP TTL:64 TOS:0x10 ID:55830 IpLen:20 DgmLen:216 DF
***AP*** Seq: 0x7DC57CF1  Ack: 0xA6613340  Win: 0x15D  TcpLen: 20
D4 18 EE 1D B0 BC DF 67 F4 E2 26 27 9C 1B 91 7E  .......g..&'...~
EC 39 94 E1 93 13 78 BF 18 F5 ED 4F 42 A4 DE D5  .9....x....OB...
67 6B B0 D2 73 A1 36 B9 53 84 2E 05 E6 91 CC 27  gk..s.6.S......'
57 F2 6A D7 44 D5 77 D7 4F F4 B3 73 6F D6 CB FD  W.j.D.w.O..so...
74 2A 6E CB C9 D0 D0 14 FA A5 C3 81 72 47 F3 CA  t*n.........rG..
26 02 ED 37 B1 47 67 21 17 55 4A EF 0D 91 BD 3A  &..7.Gg!.UJ....:
41 EA C9 FE 1F 49 EC E6 93 79 6C 62 B0 08 09 E2  A....I...ylb....
46 CA F9 28 5F E5 C6 8D 08 48 13 BC FE CA C0 91  F..(_....H......
73 2E BF AD 99 E9 77 69 3D CD 27 6F E3 1A D7 4C  s.....wi=.'o...L
EC 13 7D 4D 52 56 F4 DC 54 8F 19 0D D5 8F FE A5  ..}MRV..T.......
B6 33 17 17 89 AC 08 8E C4 C3 9B A3 ED 21 0F 01  .3...........!..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
09/13-13:20:19.037054 EE:FF:FF:FF:FF:FF -> 00:16:3E:32:58:BC type:0x800 len:0x3C
14.23.168.98:17109 -> 172.17.253.87:22 TCP TTL:48 TOS:0x14 ID:17703 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xA6613340  Ack: 0x7DC57DA1  Win: 0xFD  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Also note that the command line switches can be listed separately or in combined form. The last command could also be typed as:

snort -d -v -e

and it will produce the same result.
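All three runs above print the same record layout, and a defender who wants to triage such a capture (which flows carry payload, what flag pattern each packet has) usually wants it in structured form. The parser below is an added example, not part of the original post or of Snort itself: it decodes Snort 2.9 sniffer-mode TCP records in both the plain and the -e layout, turns the positional flag string into letters, and checks that the bytes hex-dumped by -d equal DgmLen minus the IP and TCP header lengths. The sample text is constructed from the runs shown above, the function names are my own, and UDP/ICMP records (which use different line shapes) are not handled.

```python
import re
# Snort 2.9 sniffer-mode line shapes. With -e the timestamp sits on the Ethernet line and the
# IP header shares a line with the addresses; without -e the IP header gets its own line.
TS_RE = re.compile(r"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+")
ETH_RE = re.compile(r"(?P<smac>[0-9A-F:]{17}) -> (?P<dmac>[0-9A-F:]{17}) type:0x")
IP_RE = re.compile(r"(?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+) TCP TTL:\d+ .*?IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
TCP_RE = re.compile(r"^(?P<flags>[12*UAPRSF]{8}) Seq: 0x\w+\s+Ack: 0x\w+\s+Win: 0x\w+\s+TcpLen: (?P<tcplen>\d+)")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2} )+")
FLAG_NAMES = "12UAPRSF"  # the flag string is positional: res1, res2, URG, ACK, PSH, RST, SYN, FIN

def _parse_record(lines):
    """Decode one record (the text between two =+=+ separators) into a dict, or None."""
    header, tcp, dumped = [], None, 0
    for line in lines:
        if tcp is None and (m := TCP_RE.match(line)):
            tcp = m
        elif tcp is None:
            header.append(line)                  # timestamp, Ethernet and IP lines (plus any WARNING noise)
        elif m := HEX_RE.match(line):
            dumped += len(m.group(0).split())    # payload bytes actually printed by -d
    text = " ".join(header)
    ts, ip, eth = TS_RE.search(text), IP_RE.search(text), ETH_RE.search(text)
    if tcp is None or ts is None or ip is None:
        return None                              # startup banner, or a non-TCP record
    iplen, dgmlen, tcplen = int(ip["iplen"]), int(ip["dgmlen"]), int(tcp["tcplen"])
    return {"ts": ts.group(0), "src": ip["src"], "dst": ip["dst"],
            "eth": (eth["smac"], eth["dmac"]) if eth else None,
            "flags": "".join(FLAG_NAMES[i] for i, c in enumerate(tcp["flags"]) if c != "*"),
            "payload_len": dgmlen - iplen - tcplen, "dumped": dumped}  # headers imply payload_len; -d dumps it

def parse_sniffer_output(text):
    """Split sniffer-mode output on its =+=+ separator lines and decode every TCP record."""
    return [p for chunk in re.split(r"^=\+=\+.*$", text, flags=re.M)
            if (p := _parse_record(chunk.splitlines())) is not None]

# Constructed sample: one -vd record and one -vde record copied from the runs shown above.
SAMPLE = r"""09/13-13:16:20.285274 172.17.253.87:22 -> 14.23.168.98:17109
TCP TTL:64 TOS:0x10 ID:55694 IpLen:20 DgmLen:104 DF
***AP*** Seq: 0x7DC4D631  Ack: 0xA660DEE0  Win: 0x15D  TcpLen: 20
CC DF 9C F3 09 40 CA 8B 0E 09 7B 62 96 0D 6C B0  .....@....{b..l.
12 11 60 64 3D 6E D3 6A B3 36 BC 91 9E E4 7F 66  ..`d=n.j.6.....f
A8 DB B9 14 1E CD 5C 76 D7 2C D3 71 13 A9 E8 27  ......\v.,.q...'
47 79 DC 13 18 09 4B BD 44 35 8F 6C 1D 50 9A 18  Gy....K.D5.l.P..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/13-13:20:19.037054 EE:FF:FF:FF:FF:FF -> 00:16:3E:32:58:BC type:0x800 len:0x3C
14.23.168.98:17109 -> 172.17.253.87:22 TCP TTL:48 TOS:0x14 ID:17703 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xA6613340  Ack: 0x7DC57DA1  Win: 0xFD  TcpLen: 20"""

if __name__ == "__main__":
    print(parse_sniffer_output(SAMPLE))
```

Feeding it a whole `snort -vde` session works too: the startup banner lands in the first chunk and is skipped, and a record whose `dumped` count differs from `payload_len` points at a truncated or mangled dump.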
