Snort mailing list archives
Re: 1.8.6 problem: Misdetection and hangup
From: Chris Green <cmg () sourcefire com>
Date: Tue, 04 Jun 2002 10:29:40 -0400
Jesus Couto <jesus.couto () satec es> writes:
Hi,
This is the setup: A RH 7.2 machine running snort 1.8.6, 2 interfaces, the one we are listening to (eth1) connected to a hub with another 2 machines, 192.168.100.1 (the "attacker") and 192.168.100.3 (the "victim").
Problem: Launching some simple portscanning attacks like nmap -sT -p 1-40000 -r 192.168.100.3 from the attacker machine gets reported as "MISC source route lssr" by snort in IDS mode, and after reporting the first 3000-4000 events, snort hangs completely.
Hrm odd. Using 1.8.7-current:
06/04-10:26:16.307146 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.52 -> 10.1.1.72
06/04-10:26:16.627530 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 10.1.1.52 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
06/04-10:26:16.712279 [**] [1:615:3] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.52:57906 -> 10.1.1.72:1080
06/04-10:26:17.409593 [**] [1:620:2] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.52:64906 -> 10.1.1.72:8080
06/04-10:26:18.567241 [**] [1:249:1] DDOS mstream client to handler [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.1.52:55573 -> 10.1.1.72:15104
06/04-10:26:20.158005 [**] [100:2:1] spp_portscan: portscan status from 10.1.1.52: 4808 connections across 1 hosts: TCP(4808), UDP(0) [**]
Not only do the packets not have the lssr option anywhere, as checked by using Ethereal, but snort in sniffer mode also shows them to be without options, and the logging of the packets by snort at the ACID console shows the packet having a few other options (TS) but nothing about source routing. Any ideas? If more info is needed to debug it, just tell me what you need.
Send me a pcap of this scan happening, if you would please, if snort hangs up again. .... Mostly ok here...
--
Chris Green <cmg () sourcefire com>
To err is human, to moo bovine.
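The disagreement above is over whether the scanned packets actually carry a Loose Source and Record Route (LSRR) option, which is what a "MISC source route lssr" alert claims. The following is an added example, not code from the thread or from Snort: a small standalone IPv4 header option walker in Python that a defender can run over the raw bytes of a captured packet to check, independently of any IDS, which options are present and whether any of them is a source-route option. The three sample headers (a plain one, one with a timestamp option like the TS option mentioned above, and one with a genuine LSRR option) are constructed inline so the script runs offline; the addresses in them are illustrative.

```python
import socket
import struct

# IPv4 option type octets as they appear on the wire (copied flag + class + number).
OPT_EOL = 0      # end of option list
OPT_NOP = 1      # no operation (padding)
OPT_RR = 7       # record route
OPT_TS = 68      # 0x44 timestamp
OPT_LSRR = 131   # 0x83 loose source and record route
OPT_SSRR = 137   # 0x89 strict source and record route
OPTION_NAMES = {OPT_EOL: "EOL", OPT_NOP: "NOP", OPT_RR: "RR",
                OPT_TS: "TS", OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes) -> list:
    """Return [(type, payload_bytes), ...] for the options of an IPv4 header.

    Length fields are validated against the header length (IHL) so a malformed
    option cannot make the walker read past the header or loop forever.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    opts = packet[20:ihl]
    parsed = []
    i = 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == OPT_EOL:            # single-octet option, ends the list
            parsed.append((opt_type, b""))
            break
        if opt_type == OPT_NOP:            # single-octet option, no length field
            parsed.append((opt_type, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d is missing its length octet" % opt_type)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (opt_type, length))
        parsed.append((opt_type, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def describe_options(packet: bytes) -> list:
    """Human-readable option names, in wire order."""
    return [OPTION_NAMES.get(t, "type %d" % t) for t, _ in parse_ipv4_options(packet)]


def has_source_route(packet: bytes) -> bool:
    """True only if the header carries an LSRR or SSRR option."""
    return any(t in (OPT_LSRR, OPT_SSRR) for t, _ in parse_ipv4_options(packet))


def build_ipv4_header(src: str, dst: str, options: bytes = b"", proto: int = 6) -> bytes:
    """Construct a minimal IPv4 header (checksum left zero) with the given options.

    Used here only to fabricate sample input; options are padded to a 32-bit
    boundary with EOL octets as the wire format requires.
    """
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64,
                        proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


# Constructed sample headers (addresses taken from the thread, contents illustrative).
PLAIN = build_ipv4_header("192.168.100.1", "192.168.100.3")
# TS option: type 0x44, length 12, pointer 5, overflow/flags 0, two empty slots.
TS_ONLY = build_ipv4_header("192.168.100.1", "192.168.100.3",
                            b"\x44\x0c\x05\x00" + b"\x00" * 8)
# LSRR option: type 0x83, length 7, pointer 4, one hop address.
LSRR_PKT = build_ipv4_header("192.168.100.1", "192.168.100.3",
                             b"\x83\x07\x04" + socket.inet_aton("192.168.100.3"))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("ts-only", TS_ONLY), ("lsrr", LSRR_PKT)):
        print("%-8s options=%s source_route=%s"
              % (name, describe_options(pkt), has_source_route(pkt)))
```

Feed the function the IP header bytes of a frame pulled from a pcap (for example the raw bytes shown by a packet decoder) and compare its verdict with the alert: a header whose only option is TS should come back without a source route, so an lssr alert on it points at the decoder rather than the traffic.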