Snort mailing list archives
snort-2.8.2.1 and udp alerts
From: Alex <linux () vfemail net>
Date: Tue, 24 Jun 2008 16:45:20 +0300
hello snort experts,
I am using snort-2.8.2.1 compiled with mysql support. Currently, snort it logs
and produce UDP alerts even it seems that UDP support is disabled in config
file.
Starting snort, i can see in terminal:
[root@ltm ~]# snort -c /etc/snort/snort.conf
...
Stream5 global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 8192
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: INACTIVE
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Track ICMP sessions: INACTIVE
...
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
...
In snort.conf i can see only 2 lines related to UDP:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
so here, no doubt that UDP is DISABLED
and
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
If UDP support is disabled in snort.conf, which line match and produce the
following UDP alerts? I'm not convinced that preprocessor sfportscan will
generate it. Can anybody give me a hint?
MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052
255.255.255.255:1434 UDP
or
MISC UPnP malformed advertisement 2008-06-23 16:21:10 169.254.209.225:1900
239.255.255.250:1900 UDP
below, comes my entire snort.conf file:
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicpreprocessor directory /usr/lib/snort-2.8.2.1_dynamicpreprocessor/
dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 587 691 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output database: log, mysql, user=snort password=password dbname=snort
host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
Regards,
Alx
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort-2.8.2.1 and udp alerts Alex (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 26)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)