Snort mailing list archives
Re: Some alerts look like aggregated TCP sessions...
From: Chris Green <cmg () sourcefire com>
Date: Tue, 27 Aug 2002 21:20:52 -0400
Jason Haar <Jason.Haar () trimble co nz> writes:
> I've noticed a certain class of false positives for some time, but have just realised what was wrong with them. I'm getting "buffer overflow" class alerts that actually look like they are several packets in one!
This is a stream of packets and an artifact of how stream reassembly is done.
> e.g. alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flags:A+; dsize:>100; content:"USER "; nocase; reference:bugtraq,4638; classtype:attempted-admin; sid:1734; rev:4;)
This has been changed in the 1.9 series. Now, a dsize check implicitly means it refers to a REAL packet matching this size.
> ..and a *packet* (as logged in the MySQL DB - not seen live) that triggers it... USER myname..PASS xxyy11..PWD..CWD /pub..PWD..CWD incoming..TYPE I..PORT 10,0,1,2
>
> Now: everywhere there's a ".." is just the SQL ints way of expressing "CRLF" pairs, but from my reckoning of how FTP works, the above log is actually 8 separate packets - not one! Also I note that there's no reply traffic in there - just the sent traffic... Any ideas? Either snort is doing something weird, or someone's running some form of streamed FTP client that pipelines several commands into one packet..?
That's the snort stream reassembler. If you are logging to pcap, it will also log the REAL packets to the log.tcpdump

Cheers,
Chris
--
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it. -- Groucho Marx
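The false positive Chris describes, as an added example that is not part of the thread: a small Python model of how a stream-reassembled pseudo-packet satisfies `dsize:>100` when no single real packet does. The FTP session bytes are constructed (the dump's ".." rendered as CRLF, with a made-up login and a six-field PORT), and the 1.9 behaviour is modelled on Chris's one-line description, not on Snort's code.

```python
# Added example, not from the original thread or from Snort itself.
# Constructed client->server FTP segments modelled on the quoted dump:
# each command is its own TCP segment, as Jason reckoned (8 packets).
CLIENT_SEGMENTS = [
    b"USER anonymous\r\n",          # 16 bytes
    b"PASS ftpuser@example.org\r\n",  # 26 bytes
    b"PWD\r\n",                     # 5 bytes
    b"CWD /pub\r\n",                # 10 bytes
    b"PWD\r\n",                     # 5 bytes
    b"CWD incoming\r\n",            # 14 bytes
    b"TYPE I\r\n",                  # 8 bytes
    b"PORT 10,0,1,2,4,1\r\n",       # 19 bytes  -> 103 bytes in total
]

# The options from sid:1734 that decide the match: dsize:>100; content:"USER "; nocase;
RULE = {"dsize_gt": 100, "content": b"USER ", "nocase": True}


def rule_matches(payload: bytes, rule=RULE) -> bool:
    """Apply the dsize and content checks of the rule to one payload buffer."""
    if len(payload) <= rule["dsize_gt"]:
        return False
    hay = payload.lower() if rule["nocase"] else payload
    needle = rule["content"].lower() if rule["nocase"] else rule["content"]
    return needle in hay


def reassemble(segments):
    """stream4-style reassembly: one direction's segments joined into a pseudo-packet."""
    return b"".join(segments)


def alerts(segments, stream_reassembly: bool, dsize_real_only: bool) -> int:
    """Count alerts for the flow under a given detection model.
    stream_reassembly: the reassembled pseudo-packet is also run through detection.
    dsize_real_only:   1.9-series semantics as Chris describes them, dsize refers to
                       a REAL packet, so a rule carrying dsize is not matched on the
                       pseudo-packet (model of the description, not Snort's code)."""
    count = sum(rule_matches(s) for s in segments)  # real packets are always checked
    if stream_reassembly and not dsize_real_only:
        count += rule_matches(reassemble(segments))   # pre-1.9: the false positive
    return count


if __name__ == "__main__":
    print("real packets only :", alerts(CLIENT_SEGMENTS, False, False))
    print("with stream, <1.9 :", alerts(CLIENT_SEGMENTS, True, False))
    print("with stream, 1.9  :", alerts(CLIENT_SEGMENTS, True, True))
```

No individual segment exceeds 100 bytes, but the joined stream does, which is exactly what the MySQL-logged "packet" showed.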