Re: alert suppression

[CunningPike <cunningpike () gmail com>]

We get some of these alerts too, but only from a specific segment on our
LAN, so I'm currently trying to hunt down the reason. The fact that we
don't get them from any other segment leads me to think that they are
indicative of something rather than simple noise.

If I find out anything, I'll post it to the list

CP

On Wed, 2009-05-06 at 15:38 -0600, Jefferson, Shawn wrote:
> Further to this, I was able to figure out that the dcdrpc2
> preprocessor seems to be causing these tagged packet alerts.
> Specifically one example is:
>
>  
>
> Sig 34: Dcerpc2: Connection-oriented DCE/RPC – Fragment length on last
> fragment less than maximum negotiated fragment transmit size for
> client.
>
>  
>
> Searching on the IP address in the tagged packet, like Greg suggested
> and then sorting them by timestamp shows that this alert and a couple
> of tagged packets all have the same src/dst IP and port and timestamp
> in BASE.
>
>  
>
> Now I know what they are, I don’t want to get rid of them from showing
> up in BASE. ;)
>
>  
>
> Thanks,
>
> Shawn
>
>  
>
>                                    
> ______________________________________________________________________
> From:Greg Bowser [mailto:topnotcher () gmail com] 
> Sent: May 06, 2009 1:49 PM
> To: Jefferson, Shawn
> Cc: Joel Esler; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] alert suppression
>
>
>  
>
> > Yes I am running some of the emerging-threats rules, and grepping for
> “tag:” shows quite a few rules that use it.
> > Is there no way to determine which rule is generating the “tag:
> tagged packet” alert? What is it for exactly?
>
>
> Somtimes, it is nice to see the packets that follow the packet that
> triggered an alert. (i.e. the response).  The tag keyword accomplishes
> this.  Any of the rules you found that have the "tag" keyword will tag
> packets. (exactly which packets and how many is specified in the rule)
>
>
> If you look at the traffic with the same src/dst ip pair (in either
> order) before the tagged packets, you should see the rule that started
> the tagging.
>
>
> -- Greg
>
>
>  
>
>  
>
>
> ------------------------------------------------------------------------------
> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
> production scanning environment may not be a perfect world - but thanks to
> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
> Series Scanner you'll get full speed at 300 dpi even with all image 
> processing features enabled. http://p.sf.net/sfu/kodak-com
> _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
> this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
> list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

Attachment: signature.asc
Description: This is a digitally signed message part

------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image 
processing features enabled. http://p.sf.net/sfu/kodak-com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users