Re: Linux and packet loss

["Matthew Collins" <Matthew.Collins () northernregistrars co uk>]

I've found out what was going on here. All our inbound traffic comes through a reverse proxy server. The IDS only logs 
the Internet to Firewall traffic, and the reverse proxy is behind the firewall.

The proxy server appears to be making multiple requests, to attempt to keep it's cache up to date. So a code red 
infected machine will do the default.ida?NNN trick (which snort will log). The proxy server will notice the reply from 
the web server, and then once every two minutes, will attempt the same request itself. Snort will not log this, because 
the proxy server is behind the firewall.
I got logging switched on, on the reverse proxy, and these logs match up to the snort logs.
Confused the hell out of me, but at least I know snort is logging everything.

> > > Chris Green <cmg () uab edu> 01/08/01 18:05:20 >>>
"Matthew Collins" <Matthew.Collins () northernregistrars co uk> writes:

> I've got snort 1.7 running on a Linux 2.2.19 (Debian) system.
>
> The code red worm is starting to get going now, and I've noticed an
> oddity. I've got one alert for .ida attempt in my snort log

What logging method are you using and how close together were the
attacks? Was snort running at the time?  

What is your IDA rule?  I've swear I've seen the packets get
fragmented right at the default.ida break and one rule checking for
'ida?' wouldn't work unless you were using a stream reassembly.

Lots of possibilities here. You might be running into old bugs in 1.7
but I don't know.
-- 
Chris Green <cmg () uab edu>
Laugh and the world laughs with you, snore and you sleep alone.



****************************************************************************************
This message and any attachments are confidential to the ordinary user of
the e-mail address to which it was addressed and may also be privileged.
If you are not the addressee you may not copy, forward, disclose or use 
any part of the message or its attachments and if you have received this
message in error, please notify the sender immediately by return e-mail and
delete it from your system.
Internet communications cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, arrive late or contain 
viruses. The sender therefore does not accept liability for any errors or
omissions in the context of this message which arise as a result of Internet
transmission.
Northern Registrars Limited, Northern House, Woodsome Park, Fenay 
Bridge, Huddersfield. HD8 0LA.
Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
For more information visit our web site: http://www.northernregistrars.co.uk
****************************************************************************************

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users