Snort mailing list archives

Re: Questions after 1.9.1 install


From: Erek Adams <erek () snort org>
Date: Sat, 15 Mar 2003 10:49:30 -0500 (EST)

On Fri, 14 Mar 2003, John Sage wrote:

Hello all. Long time no post..

Yeah, what's up with that?  You slacker!  ;-)

Finally put 1.9.1 on after rebuilding my firewall to get into the
2.4.18 Linux kernel series, and have I got questions :-/


First of all, the tcpdump logfile is timestamped in UNIX time:

901956 Mar 12 20:31 snort.log.1047528578

Normal.  Been that way since 1.8.6/7, IIRC.

Second, this rule is firing:

alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \
from range 1025-4320";)

but this one isn't:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \
Win2k SMB";)

even though I would think that the RTN list would check a specific
port before a port list..

Here's the alert itself:

[**] [1:0:0] TCP inbound from range 1025-4320 [**]
[Priority: 0]
03/13/03-20:24:48.401161 209.181.67.217:3195 -> 12.82.133.46:445
<snip>

Ok, may be a silly question, but which rule is first?  1.9.x still uses
FIFO to order the rules in the RTN list.  Swap the order for grins?

And thirdly, I'm getting mass these sorts of things:

[**] [117:1:1] (spp_portscan2) Portscan detected from 12.82.133.46:
6 targets 6 ports in 5 seconds [**]
03/13/03-20:09:52.818983 12.82.133.46:1034 -> 198.133.199.110:53

which is my caching-only nameserver talking outbound to..

..a nameserver...

[toot@tweedle /tmp]# host 198.133.199.110
110.199.133.198.in-addr.arpa domain name pointer arrowroot.arin.net.

Yep, portscan2 is a noisy lil bugger.  Either use preprocessor
portscan2-ignorehosts: 12.82.133.46 or use a BPF filter to drop that
traffic.

        src host 12.82.133.46 and dst host 198.133.199.110 and dst port 53

Should do the trick.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
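The rule-ordering point above, as an added example that is neither from the list post nor from Snort's own code: a simplified model of Snort 1.9's first-match rule selection, run over the two rules and the packet from the alert in the post. It assumes $HOME_NET is 12.82.133.0/24 and $EXTERNAL_NET is its negation, since the real snort.conf values are not in the thread.

```python
import ipaddress
import re

# Constructed snort.conf variables for this example; the poster's real $HOME_NET is not on the page.
VARS = {"$HOME_NET": "12.82.133.0/24", "$EXTERNAL_NET": "!$HOME_NET"}
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Parse a rule header; joins the backslash line continuations used in the post."""
    m = HEADER_RE.match(text.replace("\\\n", "").strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg = re.search(r'msg:"([^"]*)"', opts)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": msg.group(1) if msg else ""}

def net_matches(spec, ip):
    """Address spec: 'any', a CIDR, a $VAR from VARS, or a negated '!spec'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not net_matches(spec[1:], ip)
    if spec.startswith("$"):
        return net_matches(VARS[spec], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Port spec: 'any', a single port, or a range '1025:4320', ':1024', '1024:'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def matching_rules(rules, pkt):
    """Messages of every rule whose header matches pkt, in list order (1.9 fires element 0)."""
    return [r["msg"] for r in rules
            if r["proto"] == pkt["proto"]
            and net_matches(r["src"], pkt["src"]) and port_matches(r["sport"], pkt["sport"])
            and net_matches(r["dst"], pkt["dst"]) and port_matches(r["dport"], pkt["dport"])]

# The two rules from the post, in the order they appear there
RULES = [parse_rule('alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \\\nfrom range 1025-4320";)'),
         parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \\\nWin2k SMB";)')]
# The packet from the alert in the post: 209.181.67.217:3195 -> 12.82.133.46:445
PKT = {"proto": "tcp", "src": "209.181.67.217", "sport": 3195, "dst": "12.82.133.46", "dport": 445}
print(matching_rules(RULES, PKT))        # both headers match; the first in file order fires
print(matching_rules(RULES[::-1], PKT))  # swap the order and the 445 rule fires instead
```

Source port 3195 falls inside 1025:4320, so both headers match the packet and file order alone decides which alert is written.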

