Snort mailing list archives

Re: Bad Protocol?


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 06 Jan 2003 11:11:38 -0500

This rule doesn't work because you can't stack ip_proto calls in a Snort
rule (today).  Disable it for now, I'm fixing the ip_proto detection plugin
as we speak...

     -Marty


On 1/6/03 10:13 AM, "Cloppert, Michael" <Michael.Cloppert () 53 com> wrote:

Mike, et al.,

I was about to post a duplicate message - glad I checked my Snort folder
first!

Here are the details of what I'm seeing:
I get events logged as "BAD TRAFFIC Non-Standard IP protocol".  My Snort
signature for this (sid=1620), as a sanity check, is:
---
log ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:2;)
---

Dumping one of the packets triggering this as tcpdump interprets it, I see:
---
22:49:10.175747 24.154.208.125.2534 > 204.90.1.66.443: . [tcp sum ok]
1078:1078(0) ack 7125 win 64191 (DF) (ttl 115, id 30015, len 40)
4500 0028 753f 4000 7306 dbdc xxxx xxxx
yyyy yyyy 09e6 01bb 0cf9 3295 5212 5399
5010 fabf 0d86 0000 0000 0000 0000
---
...obviously, by the 0x06 in the 9th byte, this is TCP.  Surprisingly enough,
when I look in my Snort database, I even see the "ip_proto" field in the
"iphdr" table listed as "6"!  This means Snort is even reading the packet
properly.  Why this is triggering is beyond me, but my burgeoning log files
are becoming more than just a nuisance, as I have numerous packets like
this.

Any help is welcome!!!

Mike

-----Original Message-----
From: Mike Koponick [mailto:mike () redhawk info]
Sent: Sunday, January 05, 2003 12:30 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Bad Protocol?


Now that I have decent logging working, I'm getting some messages that appear
to be normal packets, but SNORT seems to think that something is wrong with
them. I think it might be a rule problem.. has anyone else seen this?

01/05-17:33:24.184929  [**] [118:1:1] (spp_conversation) Bad IP protocol! [**] {UDP} 192.168.xx.xx:514 -> 192.168.xx.xx:514

Obviously, this is a SYSLOG message, which we do have a node on the network
logging to the snort box for syslog parsing.

This is what the packet looks like:

[**] (spp_conversation) Bad IP protocol! [**]
01/04-15:56:38.598158 192.168.xx.xx:514 -> 192.168.xx.xx:514
UDP TTL:255 TOS:0x0 ID:46088 IpLen:20 DgmLen:171

Thanks in advance for your help.

Mike



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
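The thread above leaves a sensor operator with one practical question: given the raw bytes tcpdump printed, would a correctly working sid:1620 rule have fired at all? The following Python is an added worked example, not code from this thread, from Snort, or from Sourcefire. It decodes the posted hex dump, pulls out the IPv4 and TCP fields that can be checked against the tcpdump summary line (protocol, TTL, id, DF, ports, window), and evaluates the intended meaning of the stacked `ip_proto:!N` options, namely that the packet's protocol is outside the listed set. Two assumptions are made and marked in the code: the redacted `xxxx`/`yyyy` address groups are replaced with zero bytes of the same width so later offsets stay aligned, and bytes beyond the IP total length are treated as Ethernet padding rather than packet content.

```python
"""Triage a "Non-Standard IP protocol" alert against the raw packet bytes.

Added example (not code from the Snort project or the mailing-list thread).
"""
import re
import struct

# Hex dump exactly as posted in the thread (tcpdump -x style output).
# The 'xxxx'/'yyyy' groups are the redacted source and destination addresses.
POSTED_DUMP = """
4500 0028 753f 4000 7306 dbdc xxxx xxxx
yyyy yyyy 09e6 01bb 0cf9 3295 5212 5399
5010 fabf 0d86 0000 0000 0000 0000
"""

# Protocol numbers that the posted sid:1620 rule excludes via ip_proto:!N.
RULE_EXCLUDED_PROTOS = {1, 2, 6, 47, 50, 51, 89}


def parse_hex_dump(dump: str) -> bytes:
    """Decode a tcpdump -x style dump into bytes.

    Assumption: redacted groups ('xxxx', 'yyyy') become zero bytes of the
    same width, so every field after the addresses keeps its true offset."""
    out = bytearray()
    for group in dump.split():
        if len(group) % 2:
            raise ValueError(f"odd-length hex group: {group!r}")
        if re.fullmatch(r"[0-9a-fA-F]+", group):
            out += bytes.fromhex(group)
        elif re.fullmatch(r"[xyXY]+", group):
            out += bytes(len(group) // 2)  # placeholder for redacted bytes
        else:
            raise ValueError(f"unparseable hex group: {group!r}")
    return bytes(out)


def ipv4_header(pkt: bytes) -> dict:
    """Extract the IPv4 fields a reviewer compares with the tcpdump summary."""
    if len(pkt) < 20:
        raise ValueError("short packet: no complete IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "proto": proto,
        # Assumption: bytes past total_len are link-layer padding (Ethernet
        # pads short frames), so they must never be parsed as payload.
        "padding": max(0, len(pkt) - total_len),
    }


def tcp_summary(pkt: bytes, ihl: int) -> dict:
    """Ports, sequence/ack numbers, flags and window from the TCP header."""
    sport, dport, seq, ack, off_flags, win = struct.unpack(
        "!HHIIHH", pkt[ihl:ihl + 16])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "win": win}


def rule_1620_should_fire(proto: int) -> bool:
    """Intended semantics of the stacked options: every ip_proto:!N must
    hold at once, i.e. the protocol lies outside the excluded set."""
    return proto not in RULE_EXCLUDED_PROTOS


def triage(dump: str) -> dict:
    """Decode a dump and decide whether sid:1620 should have matched it."""
    pkt = parse_hex_dump(dump)
    ip = ipv4_header(pkt)
    verdict = {"ip": ip, "should_fire": rule_1620_should_fire(ip["proto"])}
    if ip["proto"] == 6:
        verdict["tcp"] = tcp_summary(pkt, ip["ihl"])
    return verdict


if __name__ == "__main__":
    result = triage(POSTED_DUMP)
    ip = result["ip"]
    print(f"proto={ip['proto']} ttl={ip['ttl']} id={ip['id']} "
          f"len={ip['total_len']} DF={ip['df']} padding={ip['padding']}B")
    if "tcp" in result:
        t = result["tcp"]
        print(f"TCP {t['sport']} -> {t['dport']} win={t['win']} "
              f"flags=0x{t['flags']:02x}")
    print("rule 1620 should fire:", result["should_fire"])
```

Run against the posted dump, the decoded fields agree with tcpdump's summary (TTL 115, id 30015, DF set, 2534 -> 443, window 64191, ACK only) and the protocol byte is 6, so the conjunction of the negated `ip_proto` options is false and the rule should not have matched. An alert on such a packet therefore points at how the engine combines the stacked options, which is exactly what Marty's reply says, rather than at the packet or the rule's intent. The same triage function applies to any `-x` dump, including packets with trailing Ethernet padding, which the parser separates from the IP payload using the header's total length.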


