Snort mailing list archives
snort-2.8.2.1 and udp alerts
From: Alex <linux () vfemail net>
Date: Tue, 24 Jun 2008 16:45:20 +0300
hello snort experts,

I am using snort-2.8.2.1 compiled with mysql support. Currently, snort logs and produces UDP alerts even though it seems that UDP support is disabled in the config file. Starting snort, I can see in the terminal:

[root@ltm ~]# snort -c /etc/snort/snort.conf
...
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Track ICMP sessions: INACTIVE
...
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
...

In snort.conf I can see only 2 lines related to UDP:

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                             track_udp no

so here, no doubt that UDP is DISABLED

and

preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }

If UDP support is disabled in snort.conf, which line matches and produces the following UDP alerts? I'm not convinced that preprocessor sfportscan will generate them. Can anybody give me a hint?
MS-SQL ping attempt                2008-06-23 17:51:15   192.168.0.139:1052     255.255.255.255:1434   UDP

or

MISC UPnP malformed advertisement  2008-06-23 16:21:10   169.254.209.225:1900   239.255.255.250:1900   UDP

Below comes my entire snort.conf file:

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicpreprocessor directory /usr/lib/snort-2.8.2.1_dynamicpreprocessor/
dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                             track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
preprocessor smtp: \
    ports { 25 587 691 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output database: log, mysql, user=snort password=password dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules

Regards,
Alx
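An added example, not code from Alex's post or from the Snort project, showing the check a practitioner would run to answer the question above. The point it demonstrates: `track_udp no` in stream5_global only switches off stream5's UDP session tracking; the `alert udp` rules pulled in by the `include $RULE_PATH/...` lines (sql.rules, misc.rules and the rest) are still evaluated by the detection engine on every packet, so content-only UDP rules keep firing, and the msg strings in the two alerts are rule msgs, not sfportscan events (sfportscan raises its own preprocessor events rather than matching a rule file). The script resolves the includes in a snort.conf, finds the enabled rule that carries a given alert msg, and reports its file, sid and protocol plus whether it uses flow:/flowbits:, the keywords that actually depend on a tracked session. Everything it reads is constructed inline in a temp directory: the rule lines are stand-ins in the shape of the VRT rules behind the two alerts (placeholder sids in the local range, not the real ones), and the conf excerpt mirrors the post's stream5 line and includes.

```shell
#!/bin/sh
# Added example, not from the post or the Snort project: for an alert msg,
# find the enabled rule(s) behind it in the rule files a snort.conf includes
# and say whether the rule needs stream5 session state.
set -e

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT
mkdir -p "$work/rules"

# Constructed stand-ins for sql.rules / misc.rules: plain content matches on a
# single UDP packet. The sids are placeholders, not the real VRT sids.
cat > "$work/rules/sql.rules" <<'EOF'
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; classtype:misc-activity; sid:1000001; rev:1;)
EOF
cat > "$work/rules/misc.rules" <<'EOF'
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; classtype:misc-attack; sid:1000002; rev:1;)
# a commented-out rule is disabled and must not be reported
#alert udp any any -> any 1900 (msg:"MISC UPnP malformed advertisement"; sid:1000009; rev:1;)
EOF
cat > "$work/rules/local.rules" <<'EOF'
# constructed TCP rule that does depend on a tracked session (flow:)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example http"; flow:to_server,established; content:"GET"; sid:1000003; rev:1;)
EOF

# Constructed snort.conf excerpt mirroring the post: UDP tracking off,
# rule files still included.
cat > "$work/snort.conf" <<EOF
var RULE_PATH $work/rules
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
include \$RULE_PATH/local.rules
include \$RULE_PATH/sql.rules
include \$RULE_PATH/misc.rules
EOF

# Print the files a snort.conf includes, with $RULE_PATH expanded.
included_rule_files() {
    conf="$1"
    rule_path="$(awk '$1=="var" && $2=="RULE_PATH" {print $3; exit}' "$conf")"
    awk '$1=="include" {print $2}' "$conf" | sed "s|[\$]RULE_PATH|$rule_path|"
}

# Only rules that ask for per-session state need stream5 tracking; a bare
# content match is evaluated on every packet whatever track_udp says.
needs_session_state() {
    case "$1" in
        *flow:*|*flowbits:*) return 0 ;;
        *) return 1 ;;
    esac
}

# For an alert msg, print "file:sid:proto:stateless|stateful" for every
# enabled rule carrying exactly that msg string.
rules_for_msg() {
    conf="$1"; msg="$2"
    for f in $(included_rule_files "$conf"); do
        [ -f "$f" ] || continue          # e.g. classification.config, not a rule file
        grep -v '^[[:space:]]*#' "$f" | grep -F "msg:\"$msg\";" | while IFS= read -r rule; do
            sid="$(printf '%s\n' "$rule" | sed -n 's/.*sid:\([0-9]*\);.*/\1/p')"
            proto="$(printf '%s\n' "$rule" | awk '{print $2}')"
            if needs_session_state "$rule"; then state=stateful; else state=stateless; fi
            printf '%s:%s:%s:%s\n' "$(basename "$f")" "$sid" "$proto" "$state"
        done
    done
}

# The two msgs from the post, plus the constructed TCP rule for contrast.
for m in "MS-SQL ping attempt" "MISC UPnP malformed advertisement" "LOCAL example http"; do
    printf '%-36s -> %s\n' "$m" "$(rules_for_msg "$work/snort.conf" "$m")"
done
```

On a real sensor, call `rules_for_msg /etc/snort/snort.conf "MS-SQL ping attempt"` against the live config instead of the constructed one; every hit reported as stateless is a rule that will keep alerting with `track_udp no`, and the only way to silence it is to disable or thresholds the rule itself, not the stream5 UDP tracker.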
Current thread:
- snort-2.8.2.1 and udp alerts Alex (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 26)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)