Snort mailing list archives

Re: sudden sensitive_data threshold exceeded alerts


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Tue, 12 Apr 2011 16:35:25 -0400

I can't help you with your specific question, but did want to say (in
case you didn't know) that Snorby will show the payload if you have the
barnyard2 output database configured for "log" instead of "alert"...

ex.
output database: log, mysql, user=<someone> password=<something>
dbname=<your db name> host=x.x.x.x

thx,
Wally

On Tue, Apr 12, 2011 at 11:50 AM, Agus <agus.262 () gmail com> wrote:
Hi guys,

I'm getting a lot of these alerts since a couple of days ago.

[139:1:1] sensitive_data: sensitive data global threshold exceeded
[Classification: Senstive Data] [Priority: 2]: {PROTO:254}

I use snorby, and it doesn't show any payload, so I checked the alert
log with tcpdump and found it.


19:22:55.629576 IP (tos 0x0, ttl 114, id 27323, offset 0, flags [DF],
proto: unknown (254), length: 20) 190.99.x.x > 172.31.201.9:
ip-proto-254 0
       0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\...E.
       0x0010:  0014 6abb 4000 72fe 048c be63 6518 ac1f  ..j.@.r....ce...
       0x0020:  c909                                     ..
19:24:02.978690 IP (tos 0x0, ttl 114, id 28108, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
ip-proto-254 0
       0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
       0x0010:  0014 6dcc 4000 72fe 017b ac1f c909 be63  ..m.@.r..{.....c
       0x0020:  6518                                     e.
19:27:47.949156 IP (tos 0x0, ttl 114, id 29386, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
ip-proto-254 0
       0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
       0x0010:  0014 72ca 4000 72fe fc7c ac1f c909 be63  ..r.@.r..|.....c
       0x0020:  6518                                     e.
19:42:40.923410 IP (tos 0x0, ttl 106, id 1779, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
       0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
       0x0010:  0014 06f3 4000 6afe 4d23 ac1f c909 d8ae  ....@.j.M#......
       0x0020:  6dfe                                     m.
19:42:47.858569 IP (tos 0x0, ttl 106, id 1895, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
       0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
       0x0010:  0014 0767 4000 6afe 4caf ac1f c909 d8ae  ...g@.j.L.......
       0x0020:  6dfe                                     m.
19:42:53.321362 IP (tos 0x0, ttl 106, id 1942, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
       0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
       0x0010:  0014 0796 4000 6afe 4c80 ac1f c909 d8ae  ....@.j.L.......
       0x0020:  6dfe                                     m.
19:42:54.058349 IP (tos 0x0, ttl  64, id 14491, offset 0, flags [DF],
proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
ip-proto-254 0
       0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
       0x0010:  0014 389b 4000 40fe 457b d8ae 6dfe ac1f  ..8.@.@.E{..m...
       0x0020:  c909                                     ..
19:43:19.570238 IP (tos 0x0, ttl  64, id 14522, offset 0, flags [DF],
proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
ip-proto-254 0
       0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
       0x0010:  0014 38ba 4000 40fe 455c d8ae 6dfe ac1f  ..8.@.@.E\..m...
       0x0020:  c909                                     ..
19:44:55.440976 IP (tos 0x0, ttl  64, id 15039, offset 0, flags [DF],
proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
ip-proto-254 0
       0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
       0x0010:  0014 3abf 4000 40fe 4357 d8ae 6dfe ac1f  ..:.@.@.CW..m...
       0x0020:  c909                                     ..
19:46:27.467767 IP (tos 0x0, ttl 106, id 4001, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
       0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
       0x0010:  0014 0fa1 4000 6afe 4475 ac1f c909 d8ae  ....@.j.Du......
       0x0020:  6dfe                                     m.
19:46:27.852439 IP (tos 0x0, ttl 106, id 4065, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
       0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
       0x0010:  0014 0fe1 4000 6afe 4435 ac1f c909 d8ae  ....@.j.D5......
       0x0020:  6dfe                                     m.
19:46:27.854024 IP (tos 0x0, ttl 105, id 4070, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
       0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
       0x0010:  0014 0fe6 4000 69fe 4530 ac1f c909 d8ae  ....@.i.E0......
       0x0020:  6dfe                                     m.

and so on. The private IP is a reverse proxy.

IP Protocol 254: This is a core Internet Protocol with a protocol
number of 254. As per IANA specification, this protocol is reserved
for Private/Experimental/Internal use.

Any hints to investigate this deeper are appreciated. I am now looking
at the src in dynamic-preprocessors/sdf but I have no clue what to look for.

Cheers

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
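The hex dumps above contain everything there is to know about these packets, and decoding them is the first check worth doing before reading the sdf preprocessor source. The following is an added example, not code from this thread, from Snort or from Snorby: it parses tcpdump's hex column (skipping the ASCII column, which the list archive has mangled in places), then decodes the Ethernet and IPv4 headers, validates the IP header checksum and reports how many bytes follow the IP header. SAMPLE_DUMP is the first dump Agus posted, copied as printed; the function names are this example's own. Run on that frame it shows an IPv4 header of total length 20, protocol 254, DF set, a valid checksum and zero payload bytes, i.e. there is nothing in these packets for a content pattern to match on. The destination MAC 00:00:5e:00:01:01 on the inbound frames is in the IANA block that VRRP virtual routers use.

```python
"""Decode the frames from the tcpdump -XX output quoted in the post above.

Added example: this is not code from the thread, from Snort or from Snorby.
SAMPLE_DUMP is the first hex dump Agus posted, copied as printed; the
function names are this example's own.
"""
import re
import struct

# First packet from the post (190.99.x.x > 172.31.201.9). The ASCII column is
# ignored by the parser, so the archive's mangling of that column is harmless.
SAMPLE_DUMP = """\
       0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\\...E.
       0x0010:  0014 6abb 4000 72fe 048c be63 6518 ac1f  ..j.@.r....ce...
       0x0020:  c909                                     ..
"""

# tcpdump prints the hex groups separated by single spaces and the ASCII
# column after a run of two or more spaces; capture only the hex part.
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(.*?)(?:\s{2,}|$)")


def hexdump_to_bytes(dump: str) -> bytes:
    """Return the raw frame bytes from tcpdump -x/-xx/-X/-XX style lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum; 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_frame(raw: bytes) -> dict:
    """Decode Ethernet II + IPv4 headers and report what follows them."""
    if len(raw) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "dst_mac": _mac(dst_mac),
        "src_mac": _mac(src_mac),
        "src": _ip4(src),
        "dst": _ip4(dst),
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "total_len": total_len,
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,
        # Bytes the IP header says belong to the upper-layer protocol.
        "payload": ip[ihl:total_len],
    }


if __name__ == "__main__":
    pkt = decode_frame(hexdump_to_bytes(SAMPLE_DUMP))
    for key, value in pkt.items():
        print(f"{key:>12}: {value!r}")
```

Two caveats when reusing this. The post masks the public addresses as 190.99.x.x and 216.174.x.x, but the hex dumps are not masked, so the decoded source address is the real one; scrub it before pasting the output anywhere. And the parser relies on tcpdump's layout (single spaces between hex groups, two or more before the ASCII column); hex dumps from other tools need their own regex.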

