Snort mailing list archives

Strange Alert discrepancy reading from log-file


From: "Daniel Clark" <djclark () telpacific com au>
Date: Sun, 18 May 2003 12:22:02 +1000



While working on my SANS IDS practical I came across an odd alert.



Alert 1#

[**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5!
[**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
11/15-13:53:21.926507 68.41.28.138:0 -> 170.129.225.41:0
TCP TTL:107 TOS:0x0 ID:35590 IpLen:20 DgmLen:48 DF
******** Seq: 0x50989C Ack: 0x2F470000 Win: 0x7002 TcpLen: 0
[Xref => http://www.kazaa.com]



The alert was produced by reading the following packet from a tcpdump
capture file:


11/15/2002 03:53:21.926507 68.41.28.138.2115 > 170.129.225.41.2115:
. [bad tcp cksum befb!] 5281948:5281976(28) win 28674 (DF) (ttl 107, id
35590, len 48)
0x0000 4500 0030 8b06 4000 6b06 9863 4429 1c8a E..0..@.k..cD)..
0x0010 aa81 e129 0843 0843 0050 989c 2f47 0000 ...).C.C.P../G..
0x0020 0000 7002 14f0 b4f6 0000 0204 0218 0101 ..p.............


What is so strange is that the above alert was produced using

snort -r dump.log 'host 68.41.28.138'

so that snort only looks at packets from this IP, whereas if I look for the
same alert when snort processes the whole dump.log file, the alert looks like
this:

Alert 2#


[**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5!
[**]
11/15-13:53:21.926507 68.41.28.138:0 -> 170.129.225.41:0
TCP TTL:107 TOS:0x0 ID:35590 IpLen:20 DgmLen:48 DF
******** Seq: 0x50989C Ack: 0x2F470000 Win: 0x7002 TcpLen: 0



Notice the absence of the strange Xref and the Classification.

I would have thought that Alert #2 is the correct alert, as I can see no
reference to Kazaa indicated by the packet. Why does snort produce the strange
output when only looking at the single packet, when that is the only packet
associated with the specific IP 68.41.28.138 in the entire dump file? A brief
look at the source code left me more confused, as I can't find where the Xrefs
are stored for the snort_decoder or how it selects them.



Any help appreciated,



Daniel Clark

djclark () telpacific com au
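As an added example that is not part of the original post, and is my own code rather than Snort's decoder: the script below takes the 48 packet bytes from the tcpdump hex dump above, parses the IPv4 and TCP headers, and applies the check that the decoder alert is about (a TCP data offset below 5 words, i.e. fewer than the 20 bytes a TCP header must have). It reproduces the fields of Alert 2# as printed, with ports reported as 0 and TcpLen as 0 when the offset is bad, while also keeping the ports actually on the wire (2115 -> 2115, as tcpdump showed) and verifying the TCP checksum that tcpdump flagged as bad. The message string for an over-long header and the dict field names are my own choices, not Snort's.

```python
"""Decode the packet from the post and apply the header-sanity check behind the
(snort_decoder) "TCP Data Offset is less than 5!" alert.

Added example, not Snort code. The packet bytes are copied from the tcpdump
hex dump in the post; the zeroed ports and TcpLen mirror what the alert text
shows, not Snort's internal decoder."""
import ipaddress
import struct

# 48 bytes, copied from the tcpdump -x output in the post above.
PACKET_HEX = (
    "4500 0030 8b06 4000 6b06 9863 4429 1c8a"
    "aa81 e129 0843 0843 0050 989c 2f47 0000"
    "0000 7002 14f0 b4f6 0000 0204 0218 0101"
)
PACKET = bytes.fromhex(PACKET_HEX.replace(" ", ""))

MIN_TCP_HEADER_WORDS = 5   # data offset is in 32-bit words; 5 words = the 20-byte fixed header
IPPROTO_TCP = 6


def rfc1071_checksum(data):
    """One's-complement sum of 16-bit words with end-around carry, then complemented.
    Over a segment that already carries a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode(packet):
    """Parse IPv4 + TCP headers into the fields an alert line prints.

    When the TCP data offset is below 5 words the header cannot be valid, so, like
    Alert 2# in the post (68.41.28.138:0 -> 170.129.225.41:0, TcpLen: 0), ports
    and TcpLen are reported as 0; the values on the wire are kept under raw_ports."""
    (ver_ihl, tos, total_len, ip_id, flags_frag,
     ttl, proto, _ip_cksum) = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    r = {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "tos": tos, "id": ip_id, "iplen": ihl, "dgmlen": total_len,
        "df": bool(flags_frag & 0x4000), "alerts": [],
    }
    if proto != IPPROTO_TCP or total_len - ihl < 20:
        return r

    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off_flags, win, cksum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset_words = off_flags >> 12
    r.update({"seq": seq, "ack": ack, "win": win, "raw_ports": (sport, dport)})

    # The TCP checksum covers a pseudo-header (addresses, protocol, TCP length) plus the segment.
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    r["tcp_cksum_ok"] = rfc1071_checksum(pseudo + tcp) == 0
    r["expected_cksum"] = rfc1071_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])
    r["wire_cksum"] = cksum

    if data_offset_words < MIN_TCP_HEADER_WORDS:
        r["alerts"].append("TCP Data Offset is less than 5!")
        r.update({"sport": 0, "dport": 0, "tcplen": 0})
    elif data_offset_words * 4 > len(tcp):
        # Constructed message for the opposite header-length failure; not a Snort alert string.
        r["alerts"].append("TCP header length exceeds segment length")
        r.update({"sport": 0, "dport": 0, "tcplen": 0})
    else:
        r.update({"sport": sport, "dport": dport, "tcplen": data_offset_words * 4})
    return r


def format_alert(r):
    """Render a decoded TCP packet in the layout of Alert 2# in the post."""
    lines = ["[**] (snort_decoder) WARNING: %s [**]" % m for m in r["alerts"]]
    lines.append("%s:%d -> %s:%d" % (r["src"], r["sport"], r["dst"], r["dport"]))
    lines.append("TCP TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d%s"
                 % (r["ttl"], r["tos"], r["id"], r["iplen"], r["dgmlen"], " DF" if r["df"] else ""))
    lines.append("Seq: 0x%X Ack: 0x%X Win: 0x%X TcpLen: %d"
                 % (r["seq"], r["ack"], r["win"], r["tcplen"]))
    return "\n".join(lines)


if __name__ == "__main__":
    decoded = decode(PACKET)
    print(format_alert(decoded))
    print("wire ports %s, checksum on wire 0x%04x, correct would be 0x%04x"
          % (decoded["raw_ports"], decoded["wire_cksum"], decoded["expected_cksum"]))
```

Running it prints the same address, TTL, ID, DgmLen, Seq, Ack and Win values as the alert in the post, and shows why the ports come out as 0: the offset nibble of the 13th TCP byte is 0, so nothing after the sequence numbers can be trusted as a header. The checksum computed from the pseudo-header and segment does not come out to zero, which is the "bad tcp cksum" tcpdump reported on this packet.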



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users