Snort mailing list archives
Definite corruption of addresses in Snort 2.02 alert
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 29 Sep 2003 15:04:24 +1200
I had Snort just go off claiming that one of our DMZ hosts had just done something nasty against an Internet host, and when I checked - it hadn't.... I'm logging into SQL and syslog, and am managing that data via ACID. OK, the picture looks like this: Internet (hostZ) <---> DMZ (hostA,hostB) Snort can see all traffic between any host in the DMZ, including the Internet as well as other DMZ hosts (it's a hub). The home-made alert said one of our DMZ SMTP servers (hostA) had just dumped some "Internal use only" data onto an Internet SMTP server (hostZ), but when I checked the logs, I *know* that it was actually a connection between a *different* DMZ host (hostB) and the DMZ SMTP server (hostA)! I captured the SMTP transaction, and it definitely shows hostB talking to hostA, although Snort says it's IP address hostA talking to hostZ. i.e. the data matches a totally different pair of IP addresses. The rule looks like: alert tcp $TRIMBLE any -> !$TRIMBLE any (msg:"Trimble Internal Use Only seen at perimeter 1";content:"XXXXXXXX";nocase;tag: session, 10, packets;) and indeed the alert and tagged records all contained hostA talking to hostZ. Something is corrupt in there, any ideas? BTW, the syslog and SQL data back each other up, so it occurred earlier on (i.e. it isn't a MySQL problem or anything). -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Definite corruption of addresses in Snort 2.02 alert Jason Haar (Sep 28)
- flow rule Tantravahi Venkata Aditya (Sep 29)
- Re: flow rule Chris Green (Sep 30)
- Re: flow rule Matt Kettler (Sep 30)
- flow rule Tantravahi Venkata Aditya (Sep 29)