Snort mailing list archives
Re: only ICMP packets!
From: "Basil Saragoza" <snortlst () hotmail com>
Date: Fri, 22 Feb 2002 12:12:25 -0500
Try to set your HOME_NET to 'any'.

----- Original Message -----
From: "Heyde Fritjof" <fritjof.heyde () ivm-solve-it com>
To: <snort-users () lists sourceforge net>
Sent: Friday, February 22, 2002 10:28 AM
Subject: [Snort-users] only ICMP packets!

Hi there!

I hope this is not a drinking question! :)

I have snort (1.8.3) up and running on my Suse Linux machine, sniffing on the DSL device ppp0, plus ACID is installed and running.

First question: I only get ICMP traffic. At least that's what ACID is reporting. Traffic Profile by Protocol is 100% ICMP. Sounds a bit weird to me. Is this normal? Or do I have a false ACID conf? Or is this a really dumb question! :)

Second question: The ppp0 device is a virtual device for the DSL modem. It is connected to the TAE (telephone outlet) via eth1 (10 MBit card) (eth1->DSL-Modem->TAE physical order). I think the way the packets take coming from the outside is: ->TAE->eth1->ppp0. Is it possible to sniff on the eth1 device? My guess would be no, cause the ppp0 translates the tcp... packets into DSL readable packets. So snort would not recognize any packets. Is this correct?

greets
Bydlo

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mark Mason
Sent: Friday, 22 February 2002 15:24
To: 'Post, ME (Meint)'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] bug?

I have also seen this with my set up. I don't believe it is a bug, more of a false positive. I set up a pass rule for my workstation and it stopped (and snort doesn't report my p0rn surfin either). :)

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Post, ME (Meint)
Sent: Friday, February 22, 2002 2:52 AM
To: 'rdd () cert org'
Cc: 'snort-users () lists sourceforge net'
Subject: [Snort-users] bug?
Hello,

I'm wondering whether the following incident is a bug or an oversight on my part. I'd appreciate some feedback on this:

Yesterday I noticed in the ACID console that one individual was quite adamant in poking my server. I decided to check if the logged IP address hosted a website so I could gain more knowledge about the intruder. Upon entering the website I was literally jumped by Nimda viruses, which was dutifully logged by Snort as part of the web-misc rules. My anti-virus software blocked the Nimda virus.

From this moment on my ACID log filled itself with warnings that my webserver was attempting to infiltrate me with readme.eml attacks. Every time I requested an ACID page with the warning my logs filled with 60-70 warnings concerning readme.eml attacks.

My webserver is a Linux machine and therefore not susceptible to Nimda. I don't have Samba shares installed so the virus hasn't jumped to my work machine. I did some extensive scanning with two anti-virus programs on my work machine and both didn't find anything. I scanned my Linux server with two anti-virus programs and they didn't find anything either.

My suspicion is that Snort is triggered to report a Nimda readme.eml attack by the reporting of ACID on the first attack, i.e. it is a cascade of warnings because every new warning generates a new Snort log entry. In other words, the fact that Snort has logged the first Nimda attack is reported by ACID. Snort detects the phrase "readme.eml" in the ACID report page and registers a new attack (registering an attack from my webserver where the ACID pages are generated). This new attack is reported by ACID, causing new warnings etc...

Is this a correct assumption on my part? If so will this be corrected in a new version? Right now I have disabled Nimda warnings in the web-misc.rules file but this is not an ideal solution.

Regards,
Meint

p.s. I like ACID a lot, keep up the good work!
==================================================================
The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.
==================================================================

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
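The thread raises two separate detection questions: why a Snort sensor on a DSL link might report nothing but ICMP (HOME_NET not covering the address PPP assigned to ppp0, which is why "set HOME_NET to any" helps), and why an ACID console page that quotes an earlier "readme.eml" alert re-triggers that alert (and why a pass rule for the console host stops the cascade). The following is an added example written for this archive page, not code from the thread, from the Snort project or from ACID. It is a small Python model of Snort rule-header matching with `$VAR` expansion: the variable tables, rules, sids, addresses and packets are all constructed for illustration (the rules are not the real WEB-MISC rules shipped with Snort 1.8.3), `!` negation and flow options are not modelled, and pass rules are evaluated before alert rules as with `snort -o`.

```python
import ipaddress
import re

# Two hypothetical snort.conf variable tables, constructed for this example.
# CONF_LAN_ONLY is the kind of setting that hides everything but ICMP when
# the monitored address (here the dynamic ppp0 address) lies outside HOME_NET;
# CONF_ANY is the "set HOME_NET to any" advice from the thread.
CONF_LAN_ONLY = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}
CONF_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

# Constructed rules in Snort's header syntax; messages and sids are
# placeholders, not the WEB-MISC rules that ship with Snort.
RULES = [
    'alert icmp any any -> any any (msg:"ICMP Echo Request"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB readme.eml request"; content:"readme.eml"; sid:1000002;)',
    'alert tcp any 80 -> $HOME_NET any (msg:"WEB readme.eml in response"; content:"readme.eml"; sid:1000003;)',
]
# Pass rule for the host that serves the ACID console pages (constructed address).
PASS_ACID_CONSOLE = 'pass tcp 192.168.1.10 80 -> any any (msg:"ACID console"; sid:1000004;)'

# Constructed packets. DSL_ADDR stands for the address PPP assigned to ppp0.
DSL_ADDR = "198.51.100.77"
PKT_PING = {"proto": "icmp", "src": "203.0.113.5", "sport": 0,
            "dst": DSL_ADDR, "dport": 0, "payload": ""}
PKT_WEB_ATTACK = {"proto": "tcp", "src": "203.0.113.5", "sport": 4455,
                  "dst": DSL_ADDR, "dport": 80, "payload": "GET /readme.eml HTTP/1.0"}
# An ACID report page served by the console host to a LAN workstation; the
# HTML quotes the earlier alert text, so it contains the string "readme.eml".
PKT_ACID_PAGE = {"proto": "tcp", "src": "192.168.1.10", "sport": 80,
                 "dst": "192.168.1.20", "dport": 3301,
                 "payload": "<td>WEB readme.eml request</td>"}

RULE_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')


def parse_rule(text):
    """Split a one-line rule into its header fields plus the msg/content options."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: %s" % text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg = re.search(r'msg:"([^"]*)"', opts)
    content = re.search(r'content:"([^"]*)"', opts)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "msg": msg.group(1) if msg else "",
            "content": content.group(1) if content else None}


def expand(value, conf):
    """Resolve $VAR references against the variable table ('!' negation not modelled)."""
    while value.startswith("$"):
        value = conf[value[1:]]
    return value


def ip_matches(spec, addr):
    # spec is 'any', a single address or a CIDR block
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, conf, pkt):
    return (rule["proto"] == pkt["proto"]
            and ip_matches(expand(rule["src"], conf), pkt["src"])
            and port_matches(expand(rule["sport"], conf), pkt["sport"])
            and ip_matches(expand(rule["dst"], conf), pkt["dst"])
            and port_matches(expand(rule["dport"], conf), pkt["dport"])
            and (rule["content"] is None or rule["content"] in pkt["payload"]))


def evaluate(conf, rules, pkt):
    """Return the msg of every alert rule that fires on pkt.

    Pass rules are checked first, as with 'snort -o' (pass before alert),
    so one matching pass rule silences the packet entirely.
    """
    parsed = [parse_rule(r) for r in rules]
    if any(r["action"] == "pass" and rule_matches(r, conf, pkt) for r in parsed):
        return []
    return [r["msg"] for r in parsed
            if r["action"] == "alert" and rule_matches(r, conf, pkt)]


if __name__ == "__main__":
    for name, conf in (("LAN-only HOME_NET", CONF_LAN_ONLY), ("HOME_NET any", CONF_ANY)):
        print(name, "ping:", evaluate(conf, RULES, PKT_PING))
        print(name, "web attack:", evaluate(conf, RULES, PKT_WEB_ATTACK))
    print("ACID page without pass rule:", evaluate(CONF_ANY, RULES, PKT_ACID_PAGE))
    print("ACID page with pass rule:",
          evaluate(CONF_ANY, RULES + [PASS_ACID_CONSOLE], PKT_ACID_PAGE))
```

With the LAN-only table, the ICMP rule (whose header is `any any -> any any`) still fires on a ping to the ppp0 address while the `$HOME_NET` web rule stays silent, which is exactly the "100% ICMP" profile from the first post; with HOME_NET set to `any` the web rule fires too. The ACID page, served from port 80 of the console host, carries the alert text and so matches the response-direction rule, and the pass rule for that one source address stops the loop without silencing the same rule for outside traffic. Note that a pass rule scoped this narrowly also hides any genuine alert from that host, so it is a trade-off to record rather than a free fix.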
Current thread:
- only ICMP packets! Heyde Fritjof (Feb 22)
- Re: only ICMP packets! Basil Saragoza (Feb 22)