Snort mailing list archives
Some alerts look like aggregated TCP sessions...
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 28 Aug 2002 12:46:56 +1200
I've noticed a certain class of false positives for some time, but have just realised what was wrong with them. I'm getting "buffer overflow" class alerts that actually look like they are several packets in one! e.g.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flags:A+; dsize:>100; content:"USER "; nocase; reference:bugtraq,4638; classtype:attempted-admin; sid:1734; rev:4;)

...and a *packet* (as logged in the MySQL DB - not seen live) that triggers it...

USER myname..PASS xxyy11..PWD..CWD /pub..PWD..CWD incoming..TYPE I..PORT 10,0,1,2

Now: everywhere there's a ".." is just the SQL ints way of expressing "CRLF" pairs, but from my reckoning of how FTP works, the above log is actually 8 separate packets - not one! Also I note that there's no reply traffic in there - just the sent traffic...

Any ideas? Either snort is doing something weird, or someone's running some form of streamed FTP client that pipelines several commands into one packet..?

Snort-1.8.7 under RH Linux, with the following options:

preprocessor frag2
preprocessor stream4: disable_evasion_alerts, detect_scans, timeout 30, memcap 8388608 ttl_limit 0
preprocessor stream4_reassemble: noalerts, both, ports 21 23 25 53 80 3128 143 110 111 513
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
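The picture in the post (several client commands in one logged "packet", no server replies mixed in, and a rule with dsize:>100 firing on an ordinary login) is what a stream reassembler produces: it concatenates the in-order segments of one direction of a session into a single buffer and hands that buffer to the detection engine as if it were one packet. The Python script below is an added illustration, not code from the post or from Snort, that models that effect on a constructed FTP session shaped like the logged one (the usernames, password and PORT values are made up) and evaluates the two matching conditions of sid:1734 against each segment and against the reassembled buffer. The user_argument_length helper is an added suggestion for a tighter discriminator and is not something the post proposes.

```python
import re

# Constructed sample: the client-to-server half of an FTP login, one command
# per TCP segment, modelled on the session in the post. The values are made
# up; the original traffic had redacted names and a different total size.
CLIENT_SEGMENTS = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"PWD\r\n",
    b"CWD /pub\r\n",
    b"PWD\r\n",
    b"CWD incoming\r\n",
    b"TYPE I\r\n",
    b"PORT 10,0,1,2,4,1\r\n",
]


def reassemble(segments):
    """Model one direction of stream reassembly: concatenate the in-order
    segment payloads into one buffer, which is then inspected as if it
    were a single packet. Only client-to-server data goes in, which is
    why no server replies appear in the result."""
    return b"".join(segments)


def rule_1734_matches(payload):
    """The matching part of sid:1734 as quoted in the post:
    dsize:>100  -> payload larger than 100 bytes
    content:"USER "; nocase -> case-insensitive substring match."""
    return len(payload) > 100 and b"user " in payload.lower()


def split_commands(payload):
    """Split a control-channel buffer on CRLF to count the commands it holds."""
    return [line for line in payload.split(b"\r\n") if line]


def user_argument_length(payload):
    """Length of the argument given to USER, if present. The overflow that
    sid:1734 is meant to catch lives in that argument, so its length is a
    better discriminator than the size of the whole (possibly reassembled)
    buffer. Added suggestion, not from the post."""
    m = re.search(rb"(?im)^USER[ \t]+([^\r\n]*)", payload)
    return len(m.group(1)) if m else 0


def sql_style(payload):
    """Render a buffer the way the post's database log shows it: each CRLF
    pair becomes '..'."""
    return payload.replace(b"\r\n", b"..").decode("ascii")


if __name__ == "__main__":
    per_segment = [rule_1734_matches(s) for s in CLIENT_SEGMENTS]
    stream = reassemble(CLIENT_SEGMENTS)
    print("segments:", len(CLIENT_SEGMENTS),
          "matching sid:1734 individually:", sum(per_segment))
    print("reassembled size:", len(stream),
          "matches sid:1734:", rule_1734_matches(stream))
    print("commands in reassembled buffer:", len(split_commands(stream)))
    print("USER argument length:", user_argument_length(stream))
    print("as logged:", sql_style(stream))
```

Running it shows that none of the eight segments satisfies dsize:>100 on its own, while the reassembled buffer (101 bytes here) does and also contains "USER ", so the rule fires on a login that carries a nine-byte username. Checking the USER argument length instead of the buffer size is the kind of refinement that keeps the overflow signature useful on reassembled traffic.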
Current thread:
- Some alerts look like aggregated TCP sessions... Jason Haar (Aug 27)
- Re: Some alerts look like aggregated TCP sessions... Chris Green (Aug 27)
- Re: Some alerts look like aggregated TCP sessions... Erek Adams (Aug 27)