Snort mailing list archives
false alarm with snort 2.0, why?
From: Holger Marzen <holger () marzen de>
Date: Mon, 28 Apr 2003 20:31:41 +0200 (CEST)
Snort 2.0 on Linux 2.2.16
-------------------------

I defined "regular" traffic with pass rules. All other traffic goes to a logfile. That worked perfectly with snort 1.6. Now I upgraded to snort 2.0 and once or twice a day "regular" traffic is detected as bad traffic. The http_decode preprocessor shouldn't harm.

|var IDS 200.1.1.107/32 <- the machine running snort
|var MAIL 200.1.1.115/32
|var OTHERMACHINE 200.1.1.122/32
|preprocessor http_decode: 80 8080
|pass tcp $IDS any <> $MAIL 1984
|pass tcp $OTHERMACHINE any <> $MAIL 1984

Usually the traffic "$IDS any <> $MAIL 1984" is ignored/passed. But sometimes I have log entries, although there should be none. Maybe because port 3306 is the same as MySQL's default port? Maybe because it's the machine running snort that produces the traffic? $OTHERMACHINE's traffic is ignored correctly in the pass rules. Any ideas?

|04/28-02:16:40.504494 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x4A
|200.1.1.115:1984 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:34326 IpLen:20 DgmLen:60 DF
|***A**S* Seq: 0xB595C3E Ack: 0x1F694F88 Win: 0x7D78 TcpLen: 40
|TCP Options (5) => MSS: 1460 SackOK TS: 50603162 50754946 NOP
|TCP Options => WS: 0
|
|=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|
|04/28-02:16:40.508592 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x42
|200.1.1.115:1984 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:34327 IpLen:20 DgmLen:52 DF
|***A**** Seq: 0xB595C3F Ack: 0x1F695071 Win: 0x7C8F TcpLen: 32
|TCP Options (3) => NOP NOP TS: 50603162 50754947
|
|=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|
|04/28-02:16:40.511261 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x42
|200.1.1.115:1984 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:34328 IpLen:20 DgmLen:52 DF
|***A**** Seq: 0xB595C3F Ack: 0x1F695072 Win: 0x7D78 TcpLen: 32
|TCP Options (3) => NOP NOP TS: 50603163 50754947
|
|=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|
|04/28-02:16:40.512135 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x42
|200.1.1.115:1984 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:34329 IpLen:20 DgmLen:52 DF
|***A***F Seq: 0xB595C3F Ack: 0x1F695072 Win: 0x7D78 TcpLen: 32
|TCP Options (3) => NOP NOP TS: 50603163 50754947
|

-- 
PGP/GPG Key-ID: http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1
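The first step in triaging an unexpected log entry like the ones above is to confirm whether the flow is actually within the scope of the pass rule as written, so that rule scope can be ruled out as the cause before looking at rule ordering or preprocessor behaviour. The script below is an added example written for this archive page; it is not part of the original post and not Snort's own code. It implements a hypothetical matcher for the simple `pass` rule syntax used in the post (address variables, `any`, single ports, the `->` and `<>` operators) and parses the IP header line of Snort's ASCII packet log, so it can report which pass rule, if any, covers each logged packet. The sample log is constructed from the entries in the post plus two invented packets (one from $OTHERMACHINE, one from an outside address). It does not model Snort's alert/pass/log rule ordering or any preprocessor, only the address and port scope of the rules.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Snort variables and pass rules, copied from the post.
VARS = {
    "IDS": "200.1.1.107/32",
    "MAIL": "200.1.1.115/32",
    "OTHERMACHINE": "200.1.1.122/32",
}
RULES = [
    "pass tcp $IDS any <> $MAIL 1984",
    "pass tcp $OTHERMACHINE any <> $MAIL 1984",
]

# Constructed sample: the first logged packet from the post, followed by two
# invented packets (one from $OTHERMACHINE, one from an outside address).
SAMPLE_LOG = """\
|04/28-02:16:40.504494 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x4A
|200.1.1.115:1984 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:34326 IpLen:20 DgmLen:60 DF
|***A**S* Seq: 0xB595C3E Ack: 0x1F694F88 Win: 0x7D78 TcpLen: 40
|=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|04/28-02:17:01.000000 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x42
|200.1.1.122:2000 -> 200.1.1.115:1984 TCP TTL:63 TOS:0x0 ID:34400 IpLen:20 DgmLen:52 DF
|=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|04/28-02:17:05.000000 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x42
|10.0.0.9:4444 -> 200.1.1.115:1984 TCP TTL:63 TOS:0x0 ID:34401 IpLen:20 DgmLen:52 DF
"""


@dataclass
class Endpoint:
    net: ipaddress.IPv4Network   # "any" is represented as 0.0.0.0/0
    port: Optional[int]          # None means "any"

    def matches(self, ip: str, port: int) -> bool:
        return ipaddress.ip_address(ip) in self.net and (self.port is None or self.port == port)


@dataclass
class Rule:
    text: str
    proto: str
    src: Endpoint
    dst: Endpoint
    bidirectional: bool


# Hypothetical minimal grammar: "pass <proto> <src> <sport> (->|<>) <dst> <dport>"
RULE_RE = re.compile(r"^pass\s+(\w+)\s+(\S+)\s+(\S+)\s+(<>|->)\s+(\S+)\s+(\S+)\s*$")
# The IP header line Snort writes for each packet in its ASCII packet log.
PKT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (TCP|UDP)\b")


def _endpoint(addr: str, port: str) -> Endpoint:
    if addr.startswith("$"):
        addr = VARS[addr[1:]]           # resolve "var" definitions
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "any" else addr, strict=False)
    return Endpoint(net, None if port == "any" else int(port))


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    proto, saddr, sport, op, daddr, dport = m.groups()
    return Rule(text, proto.lower(), _endpoint(saddr, sport), _endpoint(daddr, dport), op == "<>")


def parse_packets(log_text: str):
    """Yield (src_ip, src_port, dst_ip, dst_port, proto) for each IP header line.
    A leading '|' (mail quoting, as in the post) is tolerated."""
    for line in log_text.splitlines():
        m = PKT_RE.match(line.strip().lstrip("|").strip())
        if m:
            sip, sp, dip, dp, proto = m.groups()
            yield sip, int(sp), dip, int(dp), proto.lower()


def rule_covers(rule: Rule, sip: str, sp: int, dip: str, dp: int, proto: str) -> bool:
    if rule.proto != proto:
        return False
    if rule.src.matches(sip, sp) and rule.dst.matches(dip, dp):
        return True
    # '<>' also covers the reply direction: the rule's source is the packet's destination.
    return rule.bidirectional and rule.src.matches(dip, dp) and rule.dst.matches(sip, sp)


def triage(log_text: str, rule_texts):
    """Return [(packet_tuple, covering_rule_text_or_None), ...] for every logged packet."""
    rules = [parse_rule(r) for r in rule_texts]
    results = []
    for pkt in parse_packets(log_text):
        hit = next((r.text for r in rules if rule_covers(r, *pkt)), None)
        results.append((pkt, hit))
    return results


if __name__ == "__main__":
    for pkt, hit in triage(SAMPLE_LOG, RULES):
        sip, sp, dip, dp, proto = pkt
        print(f"{sip}:{sp} -> {dip}:{dp} {proto}: {'covered by ' + hit if hit else 'NOT covered by any pass rule'}")
```

Run against the post's first packet, the matcher reports it as covered by `pass tcp $IDS any <> $MAIL 1984` through the reply direction of `<>` (source $MAIL port 1984, destination $IDS any port), so the entry is not explained by the rule's address or port scope; that narrows the remaining suspects to how Snort orders and applies pass rules, not to what the rule says.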
Current thread:
- false alarm with snort 2.0, why? Holger Marzen (Apr 28)
- <Possible follow-ups>
- Re: false alarm with snort 2.0, why? Matt Kettler (Apr 28)
- Re: false alarm with snort 2.0, why? Holger Marzen (Apr 29)