Snort mailing list archives
Re: alert suppression
From: CunningPike <cunningpike () gmail com>
Date: Wed, 06 May 2009 16:11:43 -0700
We get some of these alerts too, but only from a specific segment on our LAN, so I'm currently trying to hunt down the reason. The fact that we don't get them from any other segment leads me to think that they are indicative of something rather than simple noise. If I find out anything, I'll post it to the list.

CP

On Wed, 2009-05-06 at 15:38 -0600, Jefferson, Shawn wrote:
Further to this, I was able to figure out that the dcerpc2 preprocessor seems to be causing these tagged packet alerts. Specifically one example is: Sig 34: Dcerpc2: Connection-oriented DCE/RPC - Fragment length on last fragment less than maximum negotiated fragment transmit size for client. Searching on the IP address in the tagged packet, like Greg suggested, and then sorting them by timestamp shows that this alert and a couple of tagged packets all have the same src/dst IP and port and timestamp in BASE. Now I know what they are, I don't want to get rid of them from showing up in BASE. ;)

Thanks,
Shawn

______________________________________________________________________
From: Greg Bowser [mailto:topnotcher () gmail com]
Sent: May 06, 2009 1:49 PM
To: Jefferson, Shawn
Cc: Joel Esler; snort-users () lists sourceforge net
Subject: Re: [Snort-users] alert suppression

Yes I am running some of the emerging-threats rules, and grepping for "tag:" shows quite a few rules that use it. Is there no way to determine which rule is generating the "tag: tagged packet" alert? What is it for exactly?

Sometimes, it is nice to see the packets that follow the packet that triggered an alert (i.e. the response). The tag keyword accomplishes this. Any of the rules you found that have the "tag" keyword will tag packets (exactly which packets and how many is specified in the rule). If you look at the traffic with the same src/dst IP pair (in either order) before the tagged packets, you should see the rule that started the tagging.

-- Greg

------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled.
http://p.sf.net/sfu/kodak-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Attachment:
signature.asc
Description: This is a digitally signed message part
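The correlation Greg describes (look for an earlier alert on the same src/dst IP pair, in either order, to find the rule that started tagging) is easy to script rather than sort by hand in BASE. The following is an added example, not code from the thread or from the Snort project: it parses a rule's tag: option (Snort 2.x syntax, tag:<session|host>,<count>,<packets|seconds|bytes>[,<src|dst>]) so the analyst knows how many follow-on packets to expect, and walks a list of alert records to pair each tagged-packet alert with the most recent non-tag alert on the same conversation. The alert records, the rule text and the sid are constructed for illustration; the sig name "tag: Tagged Packet" is assumed to be how the tagging event shows up in the alert output.

```python
"""Correlate Snort 'tagged packet' alerts with the alert that started tagging.

Added example, not from the mailing-list thread or the Snort project.
All alert records and the sample rule below are constructed.
"""
import re
from datetime import datetime

# Snort 2.x tag option: tag:<session|host>,<count>,<packets|seconds|bytes>[,<src|dst>]
TAG_RE = re.compile(
    r"\btag:\s*(session|host)\s*,\s*(\d+)\s*,\s*(packets|seconds|bytes)"
    r"(?:\s*,\s*(src|dst))?\s*;"
)

# Constructed local rule (sid in the local 1000000+ range) that tags 5 packets of the session.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL constructed example with tag"; '
    'flow:to_server,established; sid:1000001; rev:1; tag:session,5,packets;)'
)


def parse_tag_option(rule):
    """Return the tag: option of a rule as a dict, or None if the rule does not tag."""
    m = TAG_RE.search(rule)
    if not m:
        return None
    return {"type": m.group(1), "count": int(m.group(2)),
            "metric": m.group(3), "direction": m.group(4)}


def session_key(alert):
    """Direction-insensitive key for one conversation: same pair in either order."""
    return frozenset([(alert["src"], alert["sport"]), (alert["dst"], alert["dport"])])


def is_tag_alert(alert):
    """Tagged-packet events are assumed to carry a sig name starting with 'tag:'."""
    return alert["sig"].lower().startswith("tag:")


def find_tagging_alerts(alerts, window_seconds=600):
    """Pair each tagged-packet alert with the latest non-tag alert seen on the
    same conversation within window_seconds before it (None if there is none).
    Returns a list of (tagged_alert, originating_alert_or_None) in time order."""
    last_trigger = {}  # session key -> most recent non-tag alert on that conversation
    results = []
    for a in sorted(alerts, key=lambda r: r["ts"]):
        key = session_key(a)
        if is_tag_alert(a):
            origin = last_trigger.get(key)
            if origin is not None and (a["ts"] - origin["ts"]).total_seconds() > window_seconds:
                origin = None  # too old to be the tagging trigger
            results.append((a, origin))
        else:
            last_trigger[key] = a
    return results


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


# Constructed alert records in the shape BASE would show them (not real traffic).
ALERTS = [
    {"ts": _t("2009-05-06 10:00:00.000"), "sig": "LOCAL constructed example with tag",
     "src": "10.0.5.20", "sport": 51234, "dst": "192.0.2.10", "dport": 445},
    # response packet: same pair, reversed direction
    {"ts": _t("2009-05-06 10:00:00.200"), "sig": "tag: Tagged Packet",
     "src": "192.0.2.10", "sport": 445, "dst": "10.0.5.20", "dport": 51234},
    {"ts": _t("2009-05-06 10:00:00.500"), "sig": "tag: Tagged Packet",
     "src": "10.0.5.20", "sport": 51234, "dst": "192.0.2.10", "dport": 445},
    # tagged packet with no preceding alert on its conversation: stays unexplained
    {"ts": _t("2009-05-06 10:05:00.000"), "sig": "tag: Tagged Packet",
     "src": "10.0.9.9", "sport": 40000, "dst": "192.0.2.10", "dport": 80},
]


def summarize(alerts=ALERTS):
    """Map each tagged-packet timestamp to the originating sig name (or None)."""
    return [(a["ts"].strftime("%H:%M:%S.%f"), o["sig"] if o else None)
            for a, o in find_tagging_alerts(alerts)]


if __name__ == "__main__":
    print(parse_tag_option(SAMPLE_RULE))
    for ts, sig in summarize():
        print(ts, "->", sig)
```

The window defaults to 600 seconds because a host-type tag can legitimately run for minutes; shorten it if your rules only use packet counts. A tagged packet that maps to None is worth a second look, since it means no rule alert on that conversation was logged in the window.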