Snort mailing list archives

phantom portscans with stream4_reassemble


From: Tony Lill <ajlill () ajlc waterloo on ca>
Date: Fri, 13 Jul 2001 17:45:38 EDT

I've been running snort Version 1.8-RELEASE (Build 43) from CVS for
the past couple of days, and when I enable stream4_reassemble, after
snort has been running for 2-20 hours, it starts spewing out stealth
portscan reports on all established TCP connections. These all show
the same random collection of TCP flags being set (a different set
every time I kill snort and restart it). Checking with tcpdump shows
no traffic with that particular set of flags.

The other annoying thing is that it reports on sites listed in
portscan-ignorehosts, which means I get a LOT of alerts. I'm compiling
on RedHat 6.2 and running on RedHat 7.0 and 7.1.

I'm running snort like so:
/usr/local/bin/snort -ops -c /usr/local/etc/vision.conf -F /usr/local/etc/snort.filter -i eth1

Following is the (cleaned up) snort.conf

preprocessor stream4: noalerts
preprocessor stream4_reassemble

preprocessor http_decode: -unicode -cginull 80 3128 8080
preprocessor frag2
preprocessor portscan: $HOME_NET 5 8 /var/log/portscan
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode

preprocessor portscan-ignorehosts: $FRIENDLIES

include /usr/local/etc/snort/classification.config

include /usr/local/etc/snort/exploit.rules
...

var SPADEDIR /var/log/spade
preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-homenet: $HOME_NET
preprocessor spade-adapt3: 0.01 60 168
preprocessor spade-survey:  $SPADEDIR/survey.txt 60
preprocessor spade-stats: entropy uncondprob condprob
--
Tony Lill,                         Tony.Lill () AJLC Waterloo ON CA
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
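The two symptoms in the report above (flag combinations that never appear on the wire, and alerts for hosts that portscan-ignorehosts should suppress) can be triaged mechanically. The following script is an added example, not part of Snort or of the original post: it parses constructed portscan log lines and constructed tcpdump output, then marks each alert as "phantom" if no packet between that source and destination ever carried the reported flag set, and as "should_be_ignored" if the source falls inside an ignore list. The portscan log layout, the Snort 1.x "12UAPRSF" flag column order, and the mapping of tcpdump's W/E letters are assumptions.

```python
import ipaddress
import re

# Constructed sample of a Snort 1.x stealth portscan log; layout assumed to be
# "<month> <day> <time> <src>:<sport> -> <dst>:<dport> <type> <flags>".
PORTSCAN_LOG = """\
Jul 13 17:40:01 192.168.10.7:2349 -> 10.1.1.5:80 STEALTH **U*PRSF
Jul 13 17:40:02 192.168.10.7:2350 -> 10.1.1.5:22 STEALTH **U*PRSF
Jul 13 17:40:03 172.16.0.9:1024 -> 10.1.1.5:25 STEALTH **U*PRSF
"""

# Constructed sample of "tcpdump -nn" output for the same hosts (Flags [..] notation).
TCPDUMP_TXT = """\
17:40:01.001 IP 192.168.10.7.2349 > 10.1.1.5.80: Flags [S], seq 1, win 5840
17:40:01.002 IP 10.1.1.5.80 > 192.168.10.7.2349: Flags [S.], seq 1, ack 2, win 5792
17:40:01.003 IP 192.168.10.7.2349 > 10.1.1.5.80: Flags [P.], seq 2:10, ack 2, win 5840
17:40:03.001 IP 172.16.0.9.1024 > 10.1.1.5.25: Flags [S], seq 1, win 5840
"""

ALERT_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+):\d+ -> (\S+):\d+ \S+ (\S{8})$")
PKT_RE = re.compile(r"IP (\S+)\.\d+ > (\S+)\.\d+: Flags \[([^\]]*)\]")

SNORT_FLAG_NAMES = "12UAPRSF"  # Snort 1.x column order; '*' means the flag is clear
TCPDUMP_TO_SNORT = {".": "A", "W": "1", "E": "2"}  # W/E -> reserved bits is an assumption

def parse_snort_flags(mask):
    """'***A**S*' -> frozenset({'A', 'S'})."""
    return frozenset(n for n, c in zip(SNORT_FLAG_NAMES, mask) if c != "*")

def parse_tcpdump_flags(field):
    """'S.' -> frozenset({'S', 'A'}), using Snort's letter names."""
    return frozenset(TCPDUMP_TO_SNORT.get(c, c) for c in field)

def parse_alerts(text):
    """Return (src, dst, flagset) for every parseable portscan log line."""
    return [(m.group(1), m.group(2), parse_snort_flags(m.group(3)))
            for m in (ALERT_RE.match(l) for l in text.splitlines()) if m]

def observed_flag_sets(text):
    """Map (src, dst) -> set of flag combinations actually seen in the capture."""
    seen = {}
    for m in PKT_RE.finditer(text):
        seen.setdefault((m.group(1), m.group(2)), set()).add(parse_tcpdump_flags(m.group(3)))
    return seen

def triage(alerts_text, capture_text, ignore_nets):
    """Flag alerts whose flag set never occurred on the wire or whose source is ignored."""
    nets = [ipaddress.ip_network(n) for n in ignore_nets]
    seen = observed_flag_sets(capture_text)
    results = []
    for src, dst, flags in parse_alerts(alerts_text):
        results.append({"src": src, "dst": dst, "flags": "".join(sorted(flags)),
                        "should_be_ignored": any(ipaddress.ip_address(src) in n for n in nets),
                        "phantom": flags not in seen.get((src, dst), set())})
    return results
```

Run `triage(PORTSCAN_LOG, TCPDUMP_TXT, ["192.168.10.0/24"])` and every alert whose `phantom` is true is a candidate for the reassembly bug rather than a real scan.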
