Snort mailing list archives

Odd Information

From: Kevin Smith <kjsmith () tm net>
Date: Sat, 16 Apr 2005 16:28:48 -0400

 Hey everyone,

I have noticed every once in a while a rule of mine is broken. I am notsure what is causing it and was wondering if anyone had any ideas.


Here is my rule.

var NETWORK [64.7.160.0/19]

pass tcp ![$NETWORK] any <> any any
pass udp ![$NETWORK] any <> any any
pass icmp ![$NETWORK] any <> any any

log tcp $NETWORK any -> any any (flowbits:isnotset,tagged;flowbits:set,tagged; threshold: type limit, track by_src, count 5,seconds 30; tag:session, 600, seconds;)

Now what is odd that I get maybe 1 or 2 of these every few days (sorryif the HTML throws anyone off).

#0-(1-76619)<http://64.7.161.19/acid/acid_qry_alert.php?submit=%230-%281-76619%29&sort_order=>[snort <http://www.snort.org/snort-db/sid.html?sid=46>]snort_decoder: TCP Data Offset is less than 5! 2005-04-1610:00:35 221.14.148.19<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=221.14.148.19&netmask=32>:064.7.175.54<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=64.7.175.54&netmask32>:0TCP#1-(1-76620)<http://64.7.161.19/acid/acid_qry_alert.php?submit=%231-%281-76620%29&sort_order=>[snort <http://www.snort.org/snort-db/sid.html?sid=46>]snort_decoder: TCP Data Offset is less than 5! 2005-04-1610:02:31 221.14.148.19<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=221.14.148.19&netmask=32>:064.7.191.181<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=64.7.191.181&netmask32>:0TCP#2-(1-76646)<http://64.7.161.19/acid/acid_qry_alert.php?submit=%232-%281-76646%29&sort_order=>[snort <http://www.snort.org/snort-db/sid.html?sid=46>]snort_decoder: TCP Data Offset is less than 5! 2005-04-1610:04:19 221.14.148.19<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=221.14.148.19&netmask=32>:064.7.184.171<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=64.7.184.171&netmask32>:0TCP#3-(1-76655)<http://64.7.161.19/acid/acid_qry_alert.php?submit=%233-%281-76655%29&sort_order=>[snort <http://www.snort.org/snort-db/sid.html?sid=46>]snort_decoder: TCP Data Offset is less than 5! 2005-04-1610:04:58 221.14.148.19<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=221.14.148.19&netmask=32>:064.7.181.186<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=64.7.181.186&netmask32>:0TCP#4-(1-76656)<http://64.7.161.19/acid/acid_qry_alert.php?submit=%234-%281-76656%29&sort_order=>[snort <http://www.snort.org/snort-db/sid.html?sid=46>]snort_decoder: TCP Data Offset is less than 5! 2005-04-1610:05:02 221.14.148.19<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=221.14.148.19&netmask=32>:064.7.188.29<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=64.7.188.29&netmask32>:0TCP#5-(1-76689)<http://64.7.161.19/acid/acid_qry_alert.php?submit=%235-%281-76689%29&sort_order=>[snort <http://www.snort.org/snort-db/sid.html?sid=46>]snort_decoder: TCP Data Offset is less than 5! 2005-04-1610:05:54 221.14.148.19<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=221.14.148.19&netmask=32>:064.7.186.38<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=64.7.186.38&netmask32>:0TCP#6-(1-76690)<http://64.7.161.19/acid/acid_qry_alert.php?submit=%236-%281-76690%29&sort_order=>[snort <http://www.snort.org/snort-db/sid.html?sid=46>]snort_decoder: TCP Data Offset is less than 5! 2005-04-1610:06:00 221.14.148.19<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=221.14.148.19&netmask=32>:064.7.189.109<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=64.7.189.109&netmask32>:0TCP#7-(1-76736)<http://64.7.161.19/acid/acid_qry_alert.php?submit=%237-%281-76736%29&sort_order=>[snort <http://www.snort.org/snort-db/sid.html?sid=46>]snort_decoder: TCP Data Offset is less than 5! 2005-04-1610:07:24 221.14.148.19<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=221.14.148.19&netmask=32>:064.7.186.246<http://64.7.161.19/acid/acid_stat_ipaddr.php?ip=64.7.186.246&netmask32>:0TCP

Anyway, I am wondering do I have something setup wrong in the rule setthat is letting these few IP addresses through? Why is the port 0?


Thanks for your help.
Kevin

Current thread:

Odd Information Kevin Smith (Apr 16)
- RE: Odd Information Lee Clemens (Apr 17)