Snort mailing list archives
Re: sudden sensitive_data threshold exceeded alerts
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Tue, 12 Apr 2011 17:47:44 -0400
Hi Agus,

The sensitive_data preprocessor generates and logs pseudo-packets when that "global threshold exceeded" alert is triggered. These pseudo-packets use IP proto 254. The IP addresses are copied from the packet that triggered the alert. This behavior is similar to the portscan preprocessor, which generates pseudo-packets with proto 255.

The alert gets triggered when the sensitive_data preprocessor picks up on a combination of items that your other sensitive data rules (gid:138) were configured to look for. By default, this limit is 25 items. If you look at the payload of those pseudo-packets, you should see a message printed by the preprocessor that tells you how many of each item type were detected.

Now, I am surprised that all of your listed packets are only 20 bytes long. That's just the size of an IP header. How did you configure your "output" line in snort.conf?

-Ryan

On Tue, Apr 12, 2011 at 4:35 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:
I can't help you with your specific question, but did want to say (in case you didn't know) that Snorby will show the payload if you have barnyard2 output database configured for "log" instead of "alert"... ex.

output database: log, mysql, user=<someone> password=<something> dbname=<your db name> host=x.x.x.x

thx,
Wally

On Tue, Apr 12, 2011 at 11:50 AM, Agus <agus.262 () gmail com> wrote:

Hi guys, I'm getting a lot of these alerts since a couple of days.

[139:1:1] sensitive_data: sensitive data global threshold exceeded [Classification: Senstive Data] [Priority: 2]: {PROTO:254}

I use Snorby, and it doesn't show any payload, so I checked the alert log with tcpdump and found it.

19:22:55.629576 IP (tos 0x0, ttl 114, id 27323, offset 0, flags [DF], proto: unknown (254), length: 20) 190.99.x.x > 172.31.201.9: ip-proto-254 0
    0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\...E.
    0x0010:  0014 6abb 4000 72fe 048c be63 6518 ac1f  ..j.@.r....ce...
    0x0020:  c909                                     ..
19:24:02.978690 IP (tos 0x0, ttl 114, id 28108, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x: ip-proto-254 0
    0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
    0x0010:  0014 6dcc 4000 72fe 017b ac1f c909 be63  ..m.@.r..{.....c
    0x0020:  6518                                     e.
19:27:47.949156 IP (tos 0x0, ttl 114, id 29386, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x: ip-proto-254 0
    0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
    0x0010:  0014 72ca 4000 72fe fc7c ac1f c909 be63  ..r.@.r..|.....c
    0x0020:  6518                                     e.
19:42:40.923410 IP (tos 0x0, ttl 106, id 1779, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
    0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
    0x0010:  0014 06f3 4000 6afe 4d23 ac1f c909 d8ae  ....@.j.M#......
    0x0020:  6dfe                                     m.
19:42:47.858569 IP (tos 0x0, ttl 106, id 1895, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
    0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
    0x0010:  0014 0767 4000 6afe 4caf ac1f c909 d8ae  ...g@.j.L.......
    0x0020:  6dfe                                     m.
19:42:53.321362 IP (tos 0x0, ttl 106, id 1942, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
    0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
    0x0010:  0014 0796 4000 6afe 4c80 ac1f c909 d8ae  ....@.j.L.......
    0x0020:  6dfe                                     m.
19:42:54.058349 IP (tos 0x0, ttl 64, id 14491, offset 0, flags [DF], proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9: ip-proto-254 0
    0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
    0x0010:  0014 389b 4000 40fe 457b d8ae 6dfe ac1f  ..8.@.@.E{..m...
    0x0020:  c909                                     ..
19:43:19.570238 IP (tos 0x0, ttl 64, id 14522, offset 0, flags [DF], proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9: ip-proto-254 0
    0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
    0x0010:  0014 38ba 4000 40fe 455c d8ae 6dfe ac1f  ..8.@.@.E\..m...
    0x0020:  c909                                     ..
19:44:55.440976 IP (tos 0x0, ttl 64, id 15039, offset 0, flags [DF], proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9: ip-proto-254 0
    0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
    0x0010:  0014 3abf 4000 40fe 4357 d8ae 6dfe ac1f  ..:.@.@.CW..m...
    0x0020:  c909                                     ..
19:46:27.467767 IP (tos 0x0, ttl 106, id 4001, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
    0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
    0x0010:  0014 0fa1 4000 6afe 4475 ac1f c909 d8ae  ....@.j.Du......
    0x0020:  6dfe                                     m.
19:46:27.852439 IP (tos 0x0, ttl 106, id 4065, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
    0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
    0x0010:  0014 0fe1 4000 6afe 4435 ac1f c909 d8ae  ....@.j.D5......
    0x0020:  6dfe                                     m.
19:46:27.854024 IP (tos 0x0, ttl 105, id 4070, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
    0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
    0x0010:  0014 0fe6 4000 69fe 4530 ac1f c909 d8ae  ....@.i.E0......
    0x0020:  6dfe                                     m.

and it goes on. The priv IP is a reverse proxy.

IP Protocol 254: This is a core Internet Protocol with a protocol number of 254. As per IANA specification, this protocol is reserved for Private/Experimental/Internal use.

Any hints to investigate this deeper are appreciated. I am now looking at the src in dynamyc_preprocesors/sdf but I have no clue what to look for.

Cheers

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes not days. Key insights are discussed in the 2010 Forrester Wave Report as part of an in-depth evaluation of disaster recovery service providers. Forrester found the best-in-class provider in terms of services and vision. Read this report now! http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
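To check what the tcpdump lines in this thread actually contain, here is an added Python example (not from the thread, and not Snort's own code) that turns a tcpdump -XX hex dump back into bytes, decodes the Ethernet and IPv4 header fields, verifies the IP header checksum, and reports the protocol number and payload length. The sample frame is constructed after the first entry above, with the external address replaced by the documentation address 198.51.100.7 and the checksum recomputed; a payload_len of 0 means the preprocessor's item-count message never reached the log, which is the point Ryan makes about the 20-byte packets.

```python
import re
import struct

# Pseudo-packet protocol numbers named in the thread: 254 = sensitive_data, 255 = portscan.
PSEUDO_PACKET_PROTOS = {254: "sensitive_data (gid 139)", 255: "portscan"}

# Constructed sample modelled on the thread's first entry (Ethernet + 20-byte IPv4 header,
# proto 254); the external address is replaced by the documentation address 198.51.100.7.
SAMPLE_DUMP = """
    0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\\...E.
    0x0010:  0014 6abb 4000 72fe fdcc ac1f c909 c633  ..j.@.r........3
    0x0020:  6407                                     d.
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the hex groups of tcpdump -XX lines, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"0x[0-9a-fA-F]+:", tokens[0]):
            continue
        for tok in tokens[1:9]:  # tcpdump prints at most 16 bytes (8 groups) per line
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", tok):
                break            # first non-hex token starts the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header; returns 0 when the checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4; payload_len is where a proto-254 packet's counts would be."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("expected an Ethernet II frame carrying IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "id": ident, "ttl": ttl, "proto": proto, "total_length": total_len,
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "payload_len": total_len - ihl,
        "pseudo_packet": PSEUDO_PACKET_PROTOS.get(proto),
    }
```

Run it over a real dump by pasting the hex lines of one entry into the string; any entry with payload_len greater than 0 is the one to read for the per-item counts.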
Current thread:
- sudden sensitive_data threshold exceeded alerts Agus (Apr 12)
- Re: sudden sensitive_data threshold exceeded alerts Jason Wallace (Apr 12)
- Re: sudden sensitive_data threshold exceeded alerts Ryan Jordan (Apr 12)
- Re: sudden sensitive_data threshold exceeded alerts Agus (Apr 12)
- Re: sudden sensitive_data threshold exceeded alerts Ryan Jordan (Apr 12)
- Re: sudden sensitive_data threshold exceeded alerts Jason Wallace (Apr 12)