Snort mailing list archives
False Alarm - still not solved
From: Holger Marzen <holger () marzen de>
Date: Wed, 14 May 2003 11:29:22 +0200 (CEST)
Hi all,

I still get false alarms: traffic that should be ignored with pass rules but is *sometimes* caught by rules like

log tcp any any <> any any (msg: "forbidden tcp traffic"; logto: "important.log";)

I use snort 2.0 on a Linux machine with kernel 2.2.16 and only 32MB RAM. It worked perfectly with snort 1.6. I upgraded to snort 2.0 for security reasons.

snort is started as:

|/usr/local/bin/snort -dev -A full -D \
| -i eth1 \
| -l /var/log/snort \
| -c /etc/snort/snort.conf -o
|/sbin/ifconfig eth1 promisc

I had to add "/sbin/ifconfig eth1 promisc" because snort always puts the interface in promisc mode and then instantly changes it back:

|May 14 11:18:52 i201803 kernel: device eth1 entered promiscuous mode
|May 14 11:18:52 i201803 snort: OpenPcap() device eth1 network lookup: ^Ieth1: no IPv4 address assigned
|May 14 11:18:52 i201803 snort: Initializing daemon mode
|May 14 11:18:52 i201803 kernel: device eth1 left promiscuous mode
|May 14 11:18:52 i201803 snort: PID path stat checked out ok, PID path set to /var/run/
|May 14 11:18:52 i201803 snort: Writing PID "26333" to file "/var/run//snort_eth1.pid"
|May 14 11:18:52 i201803 snort: [*] Frag2 config:
|May 14 11:18:52 i201803 snort:     Fragment timeout: 60 seconds
|May 14 11:18:52 i201803 snort:     Fragment memory cap: 1000000 bytes
|May 14 11:18:52 i201803 snort:     Fragment min_ttl: 0
|May 14 11:18:52 i201803 snort:     Fragment ttl_limit: 5
|May 14 11:18:52 i201803 snort:     Fragment Problems: 0
|May 14 11:18:52 i201803 snort:     State Protection: 0
|May 14 11:18:52 i201803 snort:     Self preservation threshold: 500
|May 14 11:18:52 i201803 snort:     Self preservation period: 90
|May 14 11:18:52 i201803 snort:     Suspend threshold: 1000
|May 14 11:18:52 i201803 snort:     Suspend period: 30
|May 14 11:18:52 i201803 snort: Snort initialization completed successfully

But that's no problem. The problem is the few packets that are detected although there is a pass rule. It makes no difference if "-o" is used or not. And it makes no difference if I use a separate NIC (eth1) or use eth0.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] forbidden tcp traffic [**]
05/14-10:43:20.176076 0:6:29:50:F1:82 -> 0:1:96:DB:23:A0 type:0x800 len:0xC3
212.18.198.106:80 -> 172.178.246.129:1984 TCP TTL:128 TOS:0x0 ID:19126 IpLen:20 DgmLen:181 DF
***AP*** Seq: 0x114D04D2  Ack: 0x51F8E0  Win: 0x2180  TcpLen: 20
B9 72 FB 6B A0 28 95 FA 1E DC 5A 7D 10 F5 31 14  .r.k.(....Z}..1.
14 3C 40 3F 79 D3 40 4B 71 B4 F1 76 FB 51 7F E6  .<@?y.@Kq..v.Q..
D2 53 4F DB AC FE C8 F6 A4 7F 6B F2 D1 17 FE 6D  .SO.......k....m
2C 52 47 84 4F 53 EE 33 91 E1 55 51 FE 27 4C 24  ,RG.OS.3..UQ.'L$
57 12 03 53 ED 97 07 C4 90 0A FD BC 88 D4 4D 10  W..S..........M.
17 14 8E 83 91 AB F9 A8 03 EE 3A 89 A2 9B 6A B2  ..........:...j.
E0 71 FC 44 7F C2 0F F8 E9 60 A5 8A 4D 96 1A FA  .q.D.....`..M...
9D FF 00 FA 17 FE 6D 4B 05 03 54 32 B6 BC B7 76  ......mK..T2...v
F8 7A 57 FE 6D 49 25 7F 4D 45 7F FF D9           .zW.mI%.ME...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

That is traffic that is allowed with:

|var WEB 212.18.198.106/32
|pass tcp any any <> $WEB 80
[...]
|log tcp any any <> any any (msg: "forbidden tcp traffic"; logto: "important.log";)

The last line should never catch it, but it does sometimes. I noticed that the false alarms (only a few per day) always have a local (ephemeral) port that is one of those used in other pass rules as a destination port.

Is that a bug in snort? Maybe because of low memory (32MB)?

To tune snort for low memory I use:

|config detection: search-method lowmem
|preprocessor frag2: memcap 1000000
|preprocessor stream4: memcap 1000000, disable_evasion_alerts
|preprocessor stream4_reassemble

What can I do?
--
PGP/GPG Key-ID: http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1
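The rule-ordering question raised in the post (why a pass rule should beat the catch-all log rule whether or not -o is given, and why a reply coming from port 80 matches a bidirectional pass rule) can be checked against a small model of Snort's rule-header matching. The script below is an added example, not code from the post or from Snort itself. It implements only the header part of the rule syntax (action, protocol, CIDR/any addresses, single ports and port ranges, `->` and `<>` directions, `$var` substitution) and the action order documented for Snort 2.x: Alert->Pass->Log by default, Pass->Alert->Log with -o. The `alert tcp ... "web request"` rule and the second test packet are constructed for illustration and are not in the post. It models what the rules specify; it does not reproduce Snort 2.0's internal port-group dispatch, so it cannot reproduce the intermittent misses the post describes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rule set: the three lines quoted in the post plus one alert
# rule added here to show how -o changes the outcome for alert rules.
RULES_TEXT = """
var WEB 212.18.198.106/32
alert tcp any any -> $WEB 80 (msg:"web request";)
pass tcp any any <> $WEB 80
log tcp any any <> any any (msg:"forbidden tcp traffic"; logto:"important.log";)
"""

# Action evaluation order as documented for snort's -o switch (assumption:
# first matching rule in this order decides the packet's fate).
DEFAULT_ORDER = ("alert", "pass", "log")   # without -o: Alert->Pass->Log
PASS_FIRST = ("pass", "alert", "log")      # with -o:    Pass->Alert->Log


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str


def parse_rules(text):
    """Parse rule headers and 'var' lines; options other than msg are ignored."""
    variables = {}
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        head, _, opts = line.partition("(")
        action, proto, src, sport, direction, dst, dport = head.split()[:7]
        src = variables[src[1:]] if src.startswith("$") else src
        dst = variables[dst[1:]] if dst.startswith("$") else dst
        msg = ""
        if "msg:" in opts:
            msg = opts.split("msg:", 1)[1].split(";")[0].strip().strip('"')
        rules.append(Rule(action, proto, src, sport, direction, dst, dport, msg))
    return rules


def addr_matches(spec, ip):
    if spec == "any":
        return True
    negated = spec.startswith("!")
    network = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in network) != negated


def port_matches(spec, port):
    if spec == "any":
        return True
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:                      # range syntax lo:hi, either end open
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negated


def one_way(rule, src, sport, dst, dport):
    return (addr_matches(rule.src, src) and port_matches(rule.sport, sport)
            and addr_matches(rule.dst, dst) and port_matches(rule.dport, dport))


def rule_matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if one_way(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport):
        return True
    # '<>' also matches with source and destination swapped, which is how a
    # server reply from port 80 to an ephemeral port hits "pass ... <> $WEB 80".
    return rule.direction == "<>" and one_way(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)


def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """Return (action, msg) of the first matching rule in the given action order."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.msg
    return None, ""


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    reply = Packet("tcp", "212.18.198.106", 80, "172.178.246.129", 1984)  # from the post
    request = Packet("tcp", "172.178.246.129", 1984, "212.18.198.106", 80)  # constructed
    for name, pkt in (("reply", reply), ("request", request)):
        print(name, "default:", evaluate(rules, pkt, DEFAULT_ORDER),
              " -o:", evaluate(rules, pkt, PASS_FIRST))
```

Under either order the reply packet from the post is passed, since pass rules precede log rules both with and without -o; the order only matters for alert rules, which fire before pass rules unless -o is given.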