Snort mailing list archives

Re: Linux and packet loss


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 02 Aug 2001 18:22:51 -0400

Try removing that dsize option from the rule and see if it makes a
difference....

    -Marty

Jason Haar wrote:

On Thu, Aug 02, 2001 at 10:27:42AM +0100, Matthew Collins wrote:
I've found out what was going on here. All our inbound traffic comes
through a reverse proxy server. The IDS only logs the Internet to Firewall
traffic, and the reverse proxy is behind the firewall.

That doesn't apply to the problem I'm seeing :-(

I can see 36 occurrences of "GET /def...." in my Apache logs now, and snort
has picked up 4 of them.

The last one snort picked up was:

Aug  2 22:47:13 pluto snort: [1:1243:1] WEB-IIS ISAPI .XXX attempt
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]:
<eth0> {TCP} 203.247.199.10:3044 -> 203.167.239.195:80

Apache logs 13 such attempts after that...

I just manually telneted to port 80 on our web server and typed in that
appropriate string - snort logged it immediately (yes, snort is logging
attempts from both our LAN and the Internet).

The rule is:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .XXX
attempt"; uricontent:".XXX?"; nocase; dsize:>239; flags:A+;
reference:arachnids,552; classtype:attempted-admin;
reference:cve,CAN-2000-0071; sid:1243; rev:1;)

And all of the Apache logfile entries show the likes of:

GET /default.XXX?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN\
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN\
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN\
NNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3\
%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a\
 HTTP/1.0" 404 295 "-" "-" "-" "-" "-" "-" "-"

(I've replaced you-know-what with XXX)


Could this be a problem with stream4_reassemble or the defragger module?
Could some mistake there be throwing off the alerts?

I'm still seeing the odd Code Red packet coming through. I'll run up tcpdump
on the same host as snort and see if it catches anything snort doesn't.

--
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
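An added illustration of why Marty's suggestion to drop the dsize option is worth trying. This is example code written for this archive page; it is not part of the original thread and not Snort's matching engine. It models the two rule options under discussion (uricontent:".XXX?" with nocase, and dsize:>239) as per-packet checks, builds a constructed request shaped like the sanitised Apache log entry above (".XXX?" stands in for the real extension, as in the post), and splits it into TCP segments of chosen sizes. Simplifications that are assumptions of this model: the content test runs over the raw payload rather than the URI normalised by the http_decode preprocessor, and "reassembled" simply means the whole request evaluated as one buffer.

```python
# Example written for this archive page, not Snort code.
# Models the rule "uricontent:".XXX?"; nocase; dsize:>239;" as per-packet
# checks and shows how segmentation interacts with the dsize test.

RULE_URICONTENT = b".XXX?"   # sanitised as in the post; nocase => compare lowercased
RULE_DSIZE_MIN = 240         # dsize:>239 means the single packet payload must be >= 240 bytes


def build_request(padding=200):
    """Constructed HTTP request resembling the Apache log line in the thread.

    The URI is the sanitised ".XXX?" pattern, a run of N bytes, and a short
    %uXXXX tail; the exact bytes are not copied from any real request.
    """
    uri = b"/default.XXX?" + b"N" * padding + b"%u9090%u6858%ucbd3%u7801"
    return b"GET " + uri + b" HTTP/1.0\r\n\r\n"


def segment(payload, sizes):
    """Split payload into TCP-segment-sized chunks; sizes repeat cyclically."""
    out, i, k = [], 0, 0
    while i < len(payload):
        n = sizes[k % len(sizes)]
        out.append(payload[i:i + n])
        i += n
        k += 1
    return out


def rule_matches_packet(payload, use_dsize=True):
    """Evaluate the content and (optionally) dsize options against ONE packet."""
    if use_dsize and len(payload) < RULE_DSIZE_MIN:
        return False                      # dsize:>239 fails on this packet
    return RULE_URICONTENT.lower() in payload.lower()   # nocase content match


def alerts_per_packet(segments, use_dsize=True):
    """Count how many individual packets would fire the rule."""
    return sum(1 for s in segments if rule_matches_packet(s, use_dsize))


def evaluate(sizes, padding=200):
    """Compare per-packet matching (with/without dsize) against whole-request matching."""
    req = build_request(padding)
    segs = segment(req, sizes)
    return {
        "request_bytes": len(req),
        "segments": len(segs),
        "per_packet_with_dsize": alerts_per_packet(segs, True),
        "per_packet_without_dsize": alerts_per_packet(segs, False),
        "reassembled": int(rule_matches_packet(req, True)),
    }


if __name__ == "__main__":
    # One segment: the request arrives whole, as when typed into a telnet session
    # that sends the full line, and both rule variants fire.
    print("whole request  ", evaluate([1000]))
    # The ".XXX?" lands in a 40-byte first segment, the rest in a second one:
    # the packet carrying the content fails dsize, the packet passing dsize
    # lacks the content, so the rule with dsize never fires.
    print("40 + remainder ", evaluate([40, 300]))
    # Uniform 100-byte segments: same effect.
    print("100-byte chunks", evaluate([100]))
```

Running it prints three rows; in the segmented cases the per-packet count with dsize is 0 while the count without dsize (and the whole-request check) is 1, which is exactly the pattern of "Apache sees it, snort does not" described in the thread whenever the request is not delivered in a single large segment.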

