Snort mailing list archives

UPDATE: RE: Packet weirdness


From: tyler () ibill com
Date: Thu, 7 Feb 2002 10:24:56 -0500

Here's a packet capture.. and the packet that it got combined with was my
reply to the mailing list :-D  Anyhow, this traffic had a source IP that was
NOT my workstation or the mail server, and a dest IP of  216.10.102.235:80
....  Weird.. Anyhow, I'll try the upgrade..

tf.

2A 02 60 62 00 12 00 01 00 17 00 00 00 00 00 17   *.`b............
00 01 00 03 00 18 00 01 2A 02 60 63 00 0A 00 01   ........*.`c....
00 06 00 00 00 00 00 06 2A 02 60 64 00 14 00 01   ........*.`d....
00 08 00 00 00 00 00 08 00 01 00 02 00 03 00 04   ................
00 05 2A 02 60 65 00 2C 00 18 00 06 00 00 00 00   ..*.`e.,........
00 06 00 02 92 69 D8 1C A6 A2 11 D3 AE E2 E2 48   .....i.........H
9E 91 D6 E7 5D 5E 17 08 55 AA 11 D3 B1 43 00 60   ....]^..U....C.`
B0 FB 1E CB 2A 02 60 66 00 1A 00 01 00 02 00 00   ....*.`f........
00 00 00 02 00 01 00 03 00 10 04 7B 00 18 00 01   ...........{....
00 10 04 7B 35 B5 C8 B4 AC C6 72 06 53 32 E8 F0   ...{5.....r.S2..
E6 DD DB 45 E1 A2 88 95 D3 11 D3 9F D4 62 21 68   ...E.........b!h
4E 31 04 AE 8A EF 5F 3A AA C3 9A 0F 5A 95 34 63   N1...._:....Z.4c
E6 93 83 F3 11 D3 A3 F6 15 38 11 33 0F 97 16 DC   .........8.3....
3B 18 86 C6 8D 0A 1B AC A4 C7 6F 88 42 A8 B9 0F   ;.........o.B...
7A FD DE 16 94 DF F8 C4 CF 64 0E 7C E6 B0 B9 1D   z........d.|....
90 B0 48 D2 E0 89 9A E7 5F 9F 79 36 98 08 F9 52   ..H....._.y6...R
25 CB 34 6B 95 26 56 17 EC 0B 15 2A 02 0E 7E 44   %.4k.&V....*..~D
33 E6 E5 6D BF 7B 8A ED 21 96 CB 83 B3 00 17 44   3..m.{..!......D
3D E2 04 74 B6 35 86 88 2F 9D F3 FC 8D 58 47 55   =..t.5../....XGU
2E 60 2F BE 9F 1E 3B 6A 5B 17 12 CD FF DD 30 0D   .`/...;j[.....0
55 42 03 36 71 D8 2C 52 E0 BD 34 9D 17 4F E3 28   UB.6q.,R..4..O.(
AB FF 2C 05 00 74 38 A8 A6 FC A9 99 30 7D 7E 1D   ..,..t8.....0}~.
DB 8A 0F C2 32 43 D7 EC 1C 92 D6 99 97 E4 D1 3B   ....2C.........;
5C 49 71 2B 0D 40 BE BB 63 20 8C 11 23 5D 72 E5   \Iq+@..c ..#]r.
31 A4 80 6D D0 29 80 00 74 2D 75 73 65 72 73 40   1..m.)..t-users@
6C 69 73 74 73 2E 73 6F 75 72 63 65 66 6F 72 67   lists.sourceforg
65 2E 6E 65 74 0D 0A 53 75 62 6A 65 63 74 3A 20   e.net.Subject: 
52 65 3A 20 5B 53 6E 6F 72 74 2D 75 73 65 72 73   Re: [Snort-users
5D 20 50 61 63 6B 65 74 20 77 65 69 72 64 6E 65   ] Packet weirdne
73 73 0D 0A 0D 0A 0D 0A 74 79 6C 65 72 40 69 62   ss...tyler@ib
69 6C 6C 2E 63 6F 6D 20 77 72 69 74 65 73 3A 0D   ill.com writes:
0A 0D 0A 3E 20 47 61 6E 67 2C 0D 0A 3E 0D 0A 3E   ..> Gang,.>.>
20 48 65 72 65 27 73 20 6D 79 20 73 63 65 6E 61    Here's my scena
72 69 6F 2E 2E 20 20 49 20 68 61 76 65 20 61 20   rio..  I have a 
62 6F 78 20 74 68 61 74 20 69 73 20 73 65 74 75   box that is setu
70 20 72 75 6E 6E 69 6E 67 20 61 70 61 63 68 65   p running apache
20 61 6E 64 20 73 6E 6F 72 74 0D 0A 3E 20 77 69    and snort.> wi
74 68 20 64 65 6D 61 72 63 2E 20 20 57 6F 72 6B   th demarc.  Work
73 20 67 72 65 61 74 2E 20 20 49 27 76 65 20 61   s great.  I've a
6C 73 6F 20 74 75 72 6E 65 64 20 6F 6E 20 50 72   lso turned on Pr
6F 78 79 69 6E 67 20 69 6E 20 61 70 61 63 68 65   oxying in apache
20 61 6E 64 20 70 75 74 0D 0A 61 0D 0A 3E 20 70    and put.a.> p
61 73 73 20 72 75 6C 65 20 69 6E 20 66 6F 72 20   ass rule in for 
74 72 61 66 66 69 63 20 66 72 6F 6D 20 74 68 61   traffic from tha
74 20 62 6F 78 20 5B 73 6F 20 77 65 20 63 61 6E   t box [so we can
20 61 6C 6C 6F 77 20 63 65 72 74 61 69 6E 20 75    allow certain u
73 65 72 73 0D 0A 61 63 63 65 73 73 0D 0A 3E 20   sers.access.> 
74 6F 20 41 49 4D 20 74 68 72 6F 75 67 68 20 74   to AIM through t
68 65 20 70 72 6F 78 79 2C 20 62 75 74 20 61 6C   he proxy, but al
65 72 74 20 6F 6E 20 75 6E 61 75 74 68 20 75 73   ert on unauth us
65 72 73 5D 2E 20 20 54 68 69 73 20 73 65 74 75   ers].  This setu
70 20 73 68 6F 75 6C 64 0D 0A 3E 20 77 6F 72 6B   p should.> work
20 66 69 6E 65 20 49 20 77 6F 75 6C 64 20 74 68    fine I would th
69 6E 6B 2E 20 45 76 65 72 79 20 6E 6F 77 20 61   ink. Every now a
6E 64 20 74 68 65 6E 20 74 68 6F 2C 20 49 20 73   nd then tho, I s
74 61 72 74 20 67 65 74 74 69 6E 67 20 61 20 6C   tart getting a l
6F 74 20 6F 66 0D 0A 3E 20 61 6C 61 72 6D 73 20   ot of.> alarms 
66 6F 72 20 41 49 4D 2C 20 73 6F 20 49 20 6C 6F   for AIM, so I lo
6F 6B 20 61 74 20 74 68 65 20 70 61 63 6B 65 74   ok at the packet
73 20 61 6E 64 20 73 75 63 68 2E 20 20 0D 0A 3E   s and such.  .>
0D 0A 3E 20 49 74 27 73 20 6C 69 6B 65 20 74 68   .> It's like th
65 20 61 69 6D 20 70 61 63 6B 65 74 73 20 67 6F   e aim packets go
69 6E 67 20 69 6E 20 74 6F 20 74 68 65 20 70 72   ing in to the pr
6F 78 79 20 73 65 72 76 65 72 20 61 72 65 20 73   oxy server are s
6F 6D 65 68 6F 77 0D 0A 3E 20 6F 76 65 72 77 72   omehow.> overwr
69 74 69 6E 67 20 74 68 65 20 70 61 63 6B 65 74   iting the packet
20 74 68 61 74 20 73 6E 6F 72 74 20 69 73 20 63    that snort is c
75 72 72 65 6E 74 6C 79 20 65 78 61 6D 69 6E 69   urrently examini
6E 67 20 69 6E 20 6D 65 6D 6F 72 79 20 61 6E 64   ng in memory and
0D 0A 3E 20 63 61 75 73 69 6E 67 20 73 6E 6F 72   .> causing snor
74 20 74 6F 20 74 68 69 6E 6B 20 69 74 27 73 20   t to think it's 
61 6E 20 41 49 4D 20 70 61 63 6B 65 74 20 73 6F   an AIM packet so
20 69 74 20 74 68 65 6E 20 73 65 6E 64 73 20 61    it then sends a
6E 20 61 6C 65 72 74 2E 20 20 49 0D 0A 73 61 79   n alert.  I.say
0D 0A 3E 20 74 68 69 73 20 61 73 20 77 68 65 6E   .> this as when
20 49 20 6C 6F 6F 6B 20 61 74 20 74 68 65 20 70    I look at the p
61 63 6B 65 74 20 64 65 74 61 69 6C 73 20 66 6F   acket details fo
72 20 74 68 65 20 61 6C 61 72 6D 2C 20 69 74 27   r the alarm, it'
73 20 66 72 6F 6D 20 61 0D 0A 3E 20 64 69 66 66   s from a.> diff
65 72 65 6E 74 20 6D 61 63 68 69 6E 65 20 74 68   erent machine th
61 6E 20 74 68 65 20 6F 6E 65 20 74 68 61 74 20   an the one that 
73 65 6E 74 20 74 68 65 20 61 69 6D 20 6D 65 73   sent the aim mes
73 61 67 65 2C 20 74 6F 20 61 20 6D 61 63 68 69   sage, to a machi
6E 65 20 6F 6E 0D 0A 3E 20 74 68 65 20 69 6E 74   ne on.> the int
65 72 6E 65 74 20 74 68 61 74 20 69 73 20 4E 4F   ernet that is NO
54 20 61 6F 6C 2C 20 61 6E 64 20 74 68 65 20 70   T aol, and the p
61 79 6C 6F                                       aylo

-----Original Message-----
From: tyler () ibill com [mailto:tyler () ibill com]
Sent: Thursday, February 07, 2002 10:12 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Packet weirdness


Now I can just download/compile/install over old binaries and my demarc
system will still work and all, yes?

tf.

-----Original Message-----
From: Chris Green [mailto:cmg () uab edu]
Sent: Thursday, February 07, 2002 10:06 AM
To: tyler () ibill com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Packet weirdness


tyler () ibill com writes:

Gang,

Here's my scenario..  I have a box that is setup running apache and snort
with demarc.  Works great.  I've also turned on Proxying in apache and put a
pass rule in for traffic from that box [so we can allow certain users access
to AIM through the proxy, but alert on unauth users].  This setup should
work fine I would think. Every now and then tho, I start getting a lot of
alarms for AIM, so I look at the packets and such.

It's like the aim packets going in to the proxy server are somehow
overwriting the packet that snort is currently examining in memory and
causing snort to think it's an AIM packet so it then sends an alert.  I say
this as when I look at the packet details for the alarm, it's from a
different machine than the one that sent the aim message, to a machine on
the internet that is NOT aol, and the payload STARTS with part of an AIM
packet, but then changes to that of an email message, web request, or some
other non-AIM traffic.

Unfortunately I don't have a copy of an example packet, as this is only
intermittent and doesn't happen all the time, but does anyone have any
insight into this?  I'm using snort 1.8.3 on Redhat 7.2...

Try updating to
http://www.snort.org/downloads/snort-stable-snapshot.tar.gz  There
have been a few weirdnesses fixed lately.  Soon, we should be doing a
beta2 of 1.8.4

If it continues to happen, please do start saving tcpdump formatted
logs.


tf.


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager at postmaster () ibill com.
**********************************************************************

For what it's worth, I hate these. Doubt you have control over them :-)
-- 
Chris Green <cmg () uab edu>
You now have 14 minutes to reach minimum safe distance.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
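The thread's hypothesis is that the alerting packet is an AIM payload with unrelated traffic spliced onto it. The Python below is an added example, not code from the thread or from Snort: it checks that hypothesis against the dump posted above by walking the OSCAR FLAP frames at the front of the payload (header byte 0x2A, channel, 16-bit sequence, 16-bit length), reporting the offset where that framing stops, and listing the printable runs that follow. It assumes only the FLAP header layout and uses excerpted lines of the dump.

```python
import re

# Excerpted lines of the dump posted above: the first ten, then where SMTP text begins
DUMP = """\
2A 02 60 62 00 12 00 01 00 17 00 00 00 00 00 17   *.`b............
00 01 00 03 00 18 00 01 2A 02 60 63 00 0A 00 01   ........*.`c....
00 06 00 00 00 00 00 06 2A 02 60 64 00 14 00 01   ........*.`d....
00 08 00 00 00 00 00 08 00 01 00 02 00 03 00 04   ................
00 05 2A 02 60 65 00 2C 00 18 00 06 00 00 00 00   ..*.`e.,........
00 06 00 02 92 69 D8 1C A6 A2 11 D3 AE E2 E2 48   .....i.........H
9E 91 D6 E7 5D 5E 17 08 55 AA 11 D3 B1 43 00 60   ....]^..U....C.`
B0 FB 1E CB 2A 02 60 66 00 1A 00 01 00 02 00 00   ....*.`f........
00 00 00 02 00 01 00 03 00 10 04 7B 00 18 00 01   ...........{....
00 10 04 7B 35 B5 C8 B4 AC C6 72 06 53 32 E8 F0   ...{5.....r.S2..
6C 69 73 74 73 2E 73 6F 75 72 63 65 66 6F 72 67   lists.sourceforg
65 2E 6E 65 74 0D 0A 53 75 62 6A 65 63 74 3A 20   e.net.Subject: 
52 65 3A 20 5B 53 6E 6F 72 74 2D 75 73 65 72 73   Re: [Snort-users
5D 20 50 61 63 6B 65 74 20 77 65 69 72 64 6E 65   ] Packet weirdne
73 73 0D 0A 0D 0A 0D 0A 74 79 6C 65 72 40 69 62   ss...tyler@ib
"""

def dump_to_bytes(text):
    """Take the first 16 hex pairs of each line and ignore the ASCII column."""
    return bytes(int(tok, 16) for line in text.splitlines() for tok in line.split()[:16])

def walk_flap(data):
    """Parse OSCAR FLAP frames (0x2A, channel, seq16, len16) from the front of data.
    Returns [(offset, channel, seq, length), ...] and the offset where framing stops."""
    frames, off = [], 0
    while off + 6 <= len(data) and data[off] == 0x2A:
        channel, seq = data[off + 1], int.from_bytes(data[off + 2:off + 4], "big")
        length = int.from_bytes(data[off + 4:off + 6], "big")
        if off + 6 + length > len(data):
            break  # declared length runs past the capture: do not trust it
        frames.append((off, channel, seq, length))
        off += 6 + length
    return frames, off

def triage(text, minlen=8):
    """Well-formed FLAP prefix, where it breaks, and printable runs after it."""
    data = dump_to_bytes(text)
    frames, stop = walk_flap(data)
    seqs = [f[2] for f in frames]
    return {
        "frames": frames,
        "framing_stops_at": stop,
        "seq_contiguous": all(b == a + 1 for a, b in zip(seqs, seqs[1:])),
        # printable ASCII after the FLAP prefix: the tell-tale of a non-AIM
        # payload (here an SMTP message) spliced onto the AIM frames
        "text_after": [m.group().decode() for m in
                       re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data[stop:])],
    }
```

Running `triage(DUMP)` finds five channel-2 frames at offsets 0, 24, 40, 66 and 116 with consecutive sequence numbers 0x6062 to 0x6066, framing stopping at offset 148, and SMTP header text in the remainder. That is consistent with a genuine AIM stream prefix followed by a different connection's data, rather than with a single malformed AIM packet.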
