Snort mailing list archives
UPDATE: RE: Packet weirdness
From: tyler () ibill com
Date: Thu, 7 Feb 2002 10:24:56 -0500
Here's a packet capture.. and the packet that it got combined with was my reply to the mailing list :-D Anyhow, this traffic had a source IP that was NOT my workstation or the mail server, and a dest IP of 216.10.102.235:80 .... Weird.. Anyhow, I'll try the upgrade..
tf.
-----Original Message-----
From: tyler () ibill com [mailto:tyler () ibill com]
Sent: Thursday, February 07, 2002 10:12 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Packet weirdness

Now I can just download/compile/install over old binaries and my demarc system will still work and all, yes?
tf.

-----Original Message-----
From: Chris Green [mailto:cmg () uab edu]
Sent: Thursday, February 07, 2002 10:06 AM
To: tyler () ibill com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Packet weirdness

tyler () ibill com writes:
Gang,

Here's my scenario.. I have a box that is set up running apache and snort with demarc. Works great. I've also turned on Proxying in apache and put a pass rule in for traffic from that box [so we can allow certain users access to AIM through the proxy, but alert on unauth users]. This setup should work fine I would think. Every now and then tho, I start getting a lot of alarms for AIM, so I look at the packets and such. It's like the aim packets going in to the proxy server are somehow overwriting the packet that snort is currently examining in memory and causing snort to think it's an AIM packet so it then sends an alert. I say this as when I look at the packet details for the alarm, it's from a different machine than the one that sent the aim message, to a machine on the internet that is NOT aol, and the payload STARTS with part of an AIM packet, but then changes to that of an email message, web request, or some other non-AIM traffic. Unfortunately I don't have a copy of an example packet, as this is only intermittent and doesn't happen all the time, but does anyone have any insight into this? I'm using snort 1.8.3 on Redhat 7.2...
Try updating to http://www.snort.org/downloads/snort-stable-snapshot.tar.gz

There have been a few weirdnesses fixed lately. Soon, we should be doing a beta2 of 1.8.4. If it continues to happen, please do start saving tcpdump formatted logs.
tf.

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager at postmaster () ibill com.
**********************************************************************
For what it's worth, I hate these. Doubt you have control over them :-)
--
Chris Green <cmg () uab edu>
You now have 14 minutes to reach minimum safe distance.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
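An added triage example, not code from the thread or from the Snort project: before trusting an AIM alert whose payload "starts with part of an AIM packet" and then turns into mail or web text, rebuild the bytes from snort's hex/ASCII dump lines and walk the OSCAR FLAP framing (0x2A marker, channel, 16-bit sequence, 16-bit length). The offset where that framing stops holding is where the packet stops being AIM traffic. The dump lines, sequence numbers and mail fragment below are constructed for this example.

```python
import re
import struct

FLAP_MARKER = 0x2A              # every OSCAR (AIM) FLAP frame starts with '*'
# One snort dump line: up to 16 "HH " byte tokens, then the printable-ASCII column.
HEX_LINE = re.compile(r"^\s*((?:[0-9A-Fa-f]{2}(?:\s|$)){1,16})")

# Constructed sample in snort's hex/ASCII dump layout: two well-formed FLAP
# frames (channel 2, seq 0x10 and 0x11) followed by a fragment of mail text.
SAMPLE_DUMP = """\
2A 02 00 10 00 04 00 01 00 02 2A 02 00 11 00 02 *.........*.....
00 03 53 75 62 6A 65 63 74 3A 20 68 69 0D 0A 00 ..Subject: hi...
"""

def parse_hex_dump(dump: str) -> bytes:
    """Rebuild payload bytes from dump lines; the 16-token cap keeps the
    ASCII column from being read as data on a full line."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out.extend(int(tok, 16) for tok in m.group(1).split())
    return bytes(out)

def walk_flap(payload: bytes):
    """Walk FLAP frames: marker, channel, 16-bit seq, 16-bit length (big-endian).
    Returns (frames, break_offset); break_offset is None when the payload is a
    clean run of frames, otherwise the offset where the framing stops holding."""
    frames, off = [], 0
    while off + 6 <= len(payload):
        marker, chan, seq, length = struct.unpack_from(">BBHH", payload, off)
        if marker != FLAP_MARKER or not 1 <= chan <= 5 or off + 6 + length > len(payload):
            return frames, off
        frames.append((chan, seq, length))
        off += 6 + length
    return frames, (None if off == len(payload) else off)

def triage(dump: str) -> dict:
    """Summarise a dump for alert triage: how many frames parsed cleanly and
    what the bytes look like at the point where the AIM framing breaks."""
    payload = parse_hex_dump(dump)
    frames, off = walk_flap(payload)
    tail = b"" if off is None else payload[off:off + 16]
    return {"frames": len(frames), "break_offset": off,
            "tail_ascii": tail.decode("ascii", errors="replace")}

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

A break offset followed by readable mail or HTTP text is the signature the thread describes; a clean walk to the end of the payload means the alert was raised on a coherent AIM stream and deserves a different explanation.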
Current thread:
- UPDATE: RE: Packet weirdness tyler (Feb 07)