Snort mailing list archives
phantom portscans with stream4_reassemble
From: Tony Lill <ajlill () ajlc waterloo on ca>
Date: Fri, 13 Jul 2001 17:45:38 EDT
I've been running snort Version 1.8-RELEASE (Build 43) from CVS for the past couple of days, and when I enable stream4_reassemble, after snort has been running for 2-20 hours, it starts spewing out stealth portscan reports on all established TCP connections. These all show the same random collection of TCP flags being set (a different set every time I kill snort and restart it). Checking with tcpdump shows no traffic with that particular set of flags. The other annoying thing is that it reports on sites listed in portscan-ignorehosts, which means I get a LOT of alerts.

I'm compiling on RedHat 6.2 and running on RedHat 7.0 and 7.1. I'm running snort like so:

    /usr/local/bin/snort -ops -c /usr/local/etc/vision.conf -F /usr/local/etc/snort.filter -i eth1

Following is the (cleaned up) snort.conf:

    preprocessor stream4: noalerts
    preprocessor stream4_reassemble
    preprocessor http_decode: -unicode -cginull 80 3128 8080
    preprocessor frag2
    preprocessor portscan: $HOME_NET 5 8 /var/log/portscan
    preprocessor rpc_decode: 111 32771
    preprocessor bo: -nobrute
    preprocessor telnet_decode
    preprocessor portscan-ignorehosts: $FRIENDLIES
    include /usr/local/etc/snort/classification.config
    include /usr/local/etc/snort/exploit.rules
    ...
    var SPADEDIR /var/log/spade
    preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
    preprocessor spade-homenet: $HOME_NET
    preprocessor spade-adapt3: 0.01 60 168
    preprocessor spade-survey: $SPADEDIR/survey.txt 60
    preprocessor spade-stats: entropy uncondprob condprob

-- 
Tony Lill, Tony.Lill () AJLC Waterloo ON CA
President, A. J. Lill Consultants                        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2             (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
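The check the poster describes (take the flag combination from a stealth-portscan report and look for packets that actually carry it on the wire) can be made mechanical. The following is an added example, not code from the post or from Snort: it converts a Snort-style flag string into the raw TCP flags byte, emits the exact-match tcpdump filter for it, and applies the same test to a constructed capture sample. It assumes the eight-character 12UAPRSF layout Snort uses for its flag field (with `*` for a clear bit); the mapping of the two reserved positions to the CWR (0x80) and ECE (0x40) bits is an assumption and is marked as such in the code. The capture sample is constructed here, not taken from the post.

```python
"""Cross-check a Snort 'stealth portscan' flag string against a capture.

Snort prints TCP flags as an eight-character field, one position per bit in
the order 12UAPRSF, with '*' for a clear bit (e.g. '***A**S*' is SYN/ACK).
From such a string this builds the exact-match tcpdump filter for the
reported combination and counts how many captured packets carry it; zero
hits for an alert on an established session is the "phantom" symptom.
"""

SNORT_FLAG_ORDER = "12UAPRSF"

# Bit values in the TCP flags byte (offset 13 of the TCP header), keyed by
# Snort's output character.  The two reserved positions are mapped to the
# ECN bits here; that mapping is an ASSUMPTION, not taken from the post.
FLAG_BITS = {
    "1": 0x80,  # reserved bit 1 -> CWR (assumed)
    "2": 0x40,  # reserved bit 2 -> ECE (assumed)
    "U": 0x20,  # URG
    "A": 0x10,  # ACK
    "P": 0x08,  # PSH
    "R": 0x04,  # RST
    "S": 0x02,  # SYN
    "F": 0x01,  # FIN
}


def snort_flags_to_byte(flags: str) -> int:
    """Convert a Snort flag string such as '***A**S*' to the raw flags byte.

    Rejects strings of the wrong length or with a letter in the wrong slot,
    so a mangled alert line cannot silently turn into the wrong filter.
    """
    if len(flags) != len(SNORT_FLAG_ORDER):
        raise ValueError(f"expected {len(SNORT_FLAG_ORDER)} chars, got {flags!r}")
    value = 0
    for expected, ch in zip(SNORT_FLAG_ORDER, flags):
        if ch == "*":
            continue
        if ch != expected:
            raise ValueError(f"unexpected {ch!r} in slot for {expected!r}: {flags!r}")
        value |= FLAG_BITS[ch]
    return value


def byte_to_snort_flags(value: int) -> str:
    """Inverse of snort_flags_to_byte: render a flags byte the way Snort does."""
    return "".join(ch if value & FLAG_BITS[ch] else "*" for ch in SNORT_FLAG_ORDER)


def bpf_exact_flags(flags: str) -> str:
    """BPF expression for tcpdump that matches exactly the reported flag set.

    tcp[13] is the flags byte; an equality test (rather than '& mask != 0')
    insists that every other bit, including the reserved ones, is clear.
    """
    return f"tcp[13] == 0x{snort_flags_to_byte(flags):02x}"


def count_matching(capture, flags: str) -> int:
    """Count (src, dst, flags_byte) records whose flags equal the reported set."""
    wanted = snort_flags_to_byte(flags)
    return sum(1 for _src, _dst, flag_byte in capture if flag_byte == wanted)


# Constructed sample (not from the post): the packets tcpdump would show for
# one ordinary established HTTP session -- handshake, data, teardown.
SAMPLE_CAPTURE = [
    ("10.0.0.5:1025", "10.0.0.1:80", 0x02),  # SYN
    ("10.0.0.1:80", "10.0.0.5:1025", 0x12),  # SYN/ACK
    ("10.0.0.5:1025", "10.0.0.1:80", 0x10),  # ACK
    ("10.0.0.5:1025", "10.0.0.1:80", 0x18),  # PSH/ACK (request)
    ("10.0.0.1:80", "10.0.0.5:1025", 0x18),  # PSH/ACK (response)
    ("10.0.0.1:80", "10.0.0.5:1025", 0x11),  # FIN/ACK
    ("10.0.0.5:1025", "10.0.0.1:80", 0x10),  # ACK
]

if __name__ == "__main__":
    # A nonsense combination of the kind the report describes on a live session.
    reported = "**U*P*SF"
    print(f"tcpdump -n -i eth1 '{bpf_exact_flags(reported)}'")
    hits = count_matching(SAMPLE_CAPTURE, reported)
    print(f"{hits} packet(s) in the capture carry {reported}")
```

Run it against a real capture by feeding the printed tcpdump command the same interface snort listens on; if tcpdump stays silent while the portscan log keeps reporting that flag string on established sessions, the alerts are not describing packets that crossed the wire.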