
Not seeing traffic #8

Closed
DigiAngel opened this issue Dec 15, 2015 · 8 comments

Comments

@DigiAngel

So I have a machine that listens to several netblocks. I am wanting to listen to just the external traffic. This external traffic only has routable IP addresses, we don't see any internal only (10.0.0.0/8, 192.168.0.0/24 for example) traffic. This traffic is on eth2:

MONITOR_INTERFACE eth2

This interface is in promiscuous mode:

eth2      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1

I do not see any events on this interface, even though I do see hits from say, bro-ids:

139.196.104.39  58928   x.x.x.x       443     -       -       -       139.196.104.39  Intel::ADDR     Conn::IN_ORIG   bro     alienvault

If I set maltrail to any, I see hits, but only internal. Is there something I can do to troubleshoot this? Thank you.

@stamparm
Owner

  1. Please turn on SHOW_DEBUG true in maltrail.conf. Then rerun sensor.py. Please tell me if any errors occur.
  2. Can you please tcpdump some traffic on eth2 and send it to miroslav@sqlmap.org? Maybe there is some encapsulation going on. I have to check it in a raw tcpdump.
  3. You could try python -m SimpleHTTPServer 8000 and visit http://xxx.yyy.zzz.www:8000/?id=SELECT%20foobar%20FROM%20users%20WHERE%201%20LIKE%201, where xxx.yyy.zzz.www is the IP address of interface eth2 (if there is none, you could temporarily assign an address to it). A request to that link should trigger the suspicious HTTP request.

@DigiAngel
Author

I'll give your suggestions a try and report here thank you.

@DigiAngel
Author

Pcap emailed...not seeing any errors in the sensor debug. Thank you.

@stamparm
Owner

@DigiAngel I've spotted the problem. CISCO VLAN tagging included. I have to deal with it and do the proper patch. Will let you know
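
The root cause named above is worth seeing in bytes. On a mirror/SPAN port the frames arrive with an IEEE 802.1Q tag (EtherType 0x8100, 4 bytes) inserted between the source MAC and the real EtherType, so a parser that assumes the IPv4 header starts at byte 14 reads the tag as the EtherType, concludes "not IPv4" and silently drops every tagged frame, which matches the symptom of seeing nothing on eth2 while untagged internal traffic on other interfaces still shows up. The following is an added illustration written for this thread, not maltrail's own code and not the patch referenced below; it constructs frames with a minimal IPv4 header (the source address 139.196.104.39 is taken from the bro log above, 203.0.113.10 is a made-up documentation address, the MACs are dummies), shows the naive parser missing a tagged frame, and a tag-aware parser that skips any number of stacked 802.1Q/802.1ad tags before the IP header.

```python
import struct

ETH_HEADER_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # IEEE 802.1ad service tag (QinQ outer tag)


def _ipv4_addrs(ip):
    """Return (src, dst) dotted-quad strings from a raw IPv4 header, or None."""
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst


def parse_naive(frame):
    """Parser that assumes the IPv4 header always starts at byte 14.

    A VLAN-tagged frame carries 0x8100 at bytes 12-13, so this returns None
    for it: the frame is simply never inspected.
    """
    if len(frame) < ETH_HEADER_LEN + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    return _ipv4_addrs(frame[ETH_HEADER_LEN:])


def parse_vlan_aware(frame):
    """Parser that skips stacked 802.1Q / 802.1ad tags (4 bytes each).

    Each tag is TPID (2 bytes) + TCI (2 bytes); the EtherType of the next
    layer follows the last tag, so we loop until a non-tag EtherType is seen.
    """
    offset = 12  # position of the first EtherType field
    while True:
        if len(frame) < offset + 2:
            return None
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            offset += 4
            continue
        break
    if ethertype != ETHERTYPE_IPV4:
        return None
    return _ipv4_addrs(frame[offset + 2:])


def build_frame(src, dst, vlan_ids=()):
    """Construct a test frame (constructed sample data, not a real capture).

    vlan_ids: outer-to-inner VLAN IDs to insert; the outermost uses the
    802.1ad TPID when more than one tag is present, as a QinQ switch would.
    """
    dst_mac = bytes.fromhex("000000000001")  # dummy MAC, as in the ifconfig output
    src_mac = bytes.fromhex("000000000002")  # dummy MAC
    tags = b""
    for i, vid in enumerate(vlan_ids):
        tpid = ETHERTYPE_QINQ if (i == 0 and len(vlan_ids) > 1) else ETHERTYPE_VLAN
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    # Minimal 20-byte IPv4 header: version/IHL, TOS, total length, ID,
    # flags/fragment, TTL, protocol (6 = TCP), checksum (left 0), src, dst.
    ip_header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
        bytes(int(x) for x in src.split(".")),
        bytes(int(x) for x in dst.split(".")),
    )
    return dst_mac + src_mac + tags + struct.pack("!H", ETHERTYPE_IPV4) + ip_header


if __name__ == "__main__":
    plain = build_frame("139.196.104.39", "203.0.113.10")
    tagged = build_frame("139.196.104.39", "203.0.113.10", vlan_ids=(100,))
    qinq = build_frame("139.196.104.39", "203.0.113.10", vlan_ids=(200, 100))
    for name, frame in (("untagged", plain), ("802.1Q", tagged), ("QinQ", qinq)):
        print(name, "naive:", parse_naive(frame), "vlan-aware:", parse_vlan_aware(frame))
```

To confirm the same condition on a live sensor before touching any code, `tcpdump -nn -e -i eth2 vlan` prints only 802.1Q-tagged frames with their link-level header, so a non-empty result on an interface where the sensor sees nothing points at exactly this offset problem.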

@DigiAngel
Author

Awesome...thank you!

stamparm added a commit that referenced this issue Dec 16, 2015
@stamparm
Owner

@DigiAngel with the latest patch you'll probably be able to do the capture on that interface. In case of further problems, please let me know

@DigiAngel
Author

Thanks I will give it a try in the morning.

@DigiAngel
Author

This is working now...thanks so much!
