Snort mailing list archives
sudden sensitive_data threshold exceeded alerts
From: Agus <agus.262 () gmail com>
Date: Tue, 12 Apr 2011 12:50:13 -0300
Hi guys, I'm getting a lot of these alerts since a couple of days ago.

[139:1:1] sensitive_data: sensitive data global threshold exceeded [Classification: Senstive Data] [Priority: 2]: {PROTO:254}

I use Snorby, and it doesn't show any payload, so I checked the alert log with tcpdump and found it.

19:22:55.629576 IP (tos 0x0, ttl 114, id 27323, offset 0, flags [DF], proto: unknown (254), length: 20) 190.99.x.x > 172.31.201.9: ip-proto-254 0
        0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\...E.
        0x0010:  0014 6abb 4000 72fe 048c be63 6518 ac1f  ..j.@.r....ce...
        0x0020:  c909                                     ..
19:24:02.978690 IP (tos 0x0, ttl 114, id 28108, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x: ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 6dcc 4000 72fe 017b ac1f c909 be63  ..m.@.r..{.....c
        0x0020:  6518                                     e.
19:27:47.949156 IP (tos 0x0, ttl 114, id 29386, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x: ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 72ca 4000 72fe fc7c ac1f c909 be63  ..r.@.r..|.....c
        0x0020:  6518                                     e.
19:42:40.923410 IP (tos 0x0, ttl 106, id 1779, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 06f3 4000 6afe 4d23 ac1f c909 d8ae  ....@.j.M#......
        0x0020:  6dfe                                     m.
19:42:47.858569 IP (tos 0x0, ttl 106, id 1895, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 0767 4000 6afe 4caf ac1f c909 d8ae  ...g@.j.L.......
        0x0020:  6dfe                                     m.
19:42:53.321362 IP (tos 0x0, ttl 106, id 1942, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 0796 4000 6afe 4c80 ac1f c909 d8ae  ....@.j.L.......
        0x0020:  6dfe                                     m.
19:42:54.058349 IP (tos 0x0, ttl 64, id 14491, offset 0, flags [DF], proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9: ip-proto-254 0
        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
        0x0010:  0014 389b 4000 40fe 457b d8ae 6dfe ac1f  ..8.@.@.E{..m...
        0x0020:  c909                                     ..
19:43:19.570238 IP (tos 0x0, ttl 64, id 14522, offset 0, flags [DF], proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9: ip-proto-254 0
        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
        0x0010:  0014 38ba 4000 40fe 455c d8ae 6dfe ac1f  ..8.@.@.E\..m...
        0x0020:  c909                                     ..
19:44:55.440976 IP (tos 0x0, ttl 64, id 15039, offset 0, flags [DF], proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9: ip-proto-254 0
        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
        0x0010:  0014 3abf 4000 40fe 4357 d8ae 6dfe ac1f  ..:.@.@.CW..m...
        0x0020:  c909                                     ..
19:46:27.467767 IP (tos 0x0, ttl 106, id 4001, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 0fa1 4000 6afe 4475 ac1f c909 d8ae  ....@.j.Du......
        0x0020:  6dfe                                     m.
19:46:27.852439 IP (tos 0x0, ttl 106, id 4065, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 0fe1 4000 6afe 4435 ac1f c909 d8ae  ....@.j.D5......
        0x0020:  6dfe                                     m.
19:46:27.854024 IP (tos 0x0, ttl 105, id 4070, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x: ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 0fe6 4000 69fe 4530 ac1f c909 d8ae  ....@.i.E0......
        0x0020:  6dfe                                     m.

and it goes on. The private IP is a reverse proxy.

IP Protocol 254: This is a core Internet Protocol with a protocol number of 254. As per the IANA specification, this protocol is reserved for Private/Experimental/Internal use.

Any hints to investigate this deeper are appreciated. I am now looking at the src in dynamic-preprocessors/sdf but I have no clue what to look for.

Cheers
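Before reading the preprocessor source, it is worth confirming from the dump what the alerting packets actually contain. The following is an added example written for this page, not code from Snort or from anyone in the thread: it reassembles the hex column of a tcpdump -XX dump, decodes the Ethernet and IPv4 headers, verifies the IP header checksum and reports how many payload bytes follow the header. Applied to the dumps above it gives total length 20 with IHL 5, that is, a bare IPv4 header carrying protocol 254 and zero bytes of payload. The function names (`parse_tcpdump_hex`, `decode_frame`, `decode_dump`) are this example's own, and the embedded sample frame is constructed to match the post's layout, with the public address replaced by 203.0.113.24 (a TEST-NET-3 documentation address) and locally administered placeholder MAC addresses.

```python
"""Decode tcpdump -XX hex dumps to check what an IDS alert actually fired on.

Added example; not code from the Snort project or from the thread. The sample
frame is constructed to mirror the dumps in the post, with the public address
replaced by 203.0.113.24 (TEST-NET-3) and locally administered MAC addresses.
"""
import re
import socket
import struct
from dataclasses import dataclass

# One 'offset: up to eight 16-bit words' line of a tcpdump -x/-xx/-X/-XX dump.
# The ASCII column is deliberately not captured: mail archives and pastebins
# tend to munge it (the post's first dump has '@' turned into ' () ').
HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+((?:[0-9a-fA-F]{4}\s?){1,8})")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Reassemble the raw frame bytes from the hex lines of a single packet dump."""
    frame = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # summary line, blank line, or trailing text
        offset = int(m.group(1), 16)
        if offset != len(frame):
            raise ValueError(f"unexpected offset 0x{offset:04x}, have {len(frame)} bytes")
        frame += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(frame)


@dataclass
class IPv4Header:
    version: int
    ihl: int            # header length in 32-bit words
    total_length: int   # header + payload, as declared by the IP header
    ident: int
    dont_fragment: bool
    ttl: int
    protocol: int
    checksum: int
    checksum_ok: bool
    src: str
    dst: str

    @property
    def payload_length(self) -> int:
        """Bytes after the IP header; 0 means a bare header with nothing to inspect."""
        return self.total_length - self.ihl * 4


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack(f"!{len(zeroed) // 2}H", zeroed))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> IPv4Header:
    """Strip the 14-byte Ethernet header and decode the IPv4 header behind it."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ver_ihl, _tos, total_length, ident, flags_frag, ttl, proto, csum = struct.unpack(
        "!BBHHHBBH", ip[:12]
    )
    ihl = ver_ihl & 0x0F
    if ver_ihl >> 4 != 4 or ihl < 5:
        raise ValueError("malformed IPv4 header")
    return IPv4Header(
        version=ver_ihl >> 4,
        ihl=ihl,
        total_length=total_length,
        ident=ident,
        dont_fragment=bool(flags_frag & 0x4000),
        ttl=ttl,
        protocol=proto,
        checksum=csum,
        checksum_ok=ipv4_checksum(ip[: ihl * 4]) == csum,
        src=socket.inet_ntoa(ip[12:16]),
        dst=socket.inet_ntoa(ip[16:20]),
    )


def decode_dump(dump: str) -> IPv4Header:
    """Convenience wrapper: tcpdump -XX text in, decoded IPv4 header out."""
    return decode_frame(parse_tcpdump_hex(dump))


# Constructed sample in the exact layout of the post's dumps (proto 254, length 20).
SAMPLE_DUMP = """\
19:24:02.978690 IP (tos 0x0, ttl 114, id 28108, offset 0, flags [DF], proto: unknown (254), length: 20) 172.31.201.9 > 203.0.113.24: ip-proto-254 0
        0x0000:  0200 0000 0001 0200 0000 0002 0800 4500  ..............E.
        0x0010:  0014 6dcc 4000 72fe e8dd ac1f c909 cb00  ..m.@.r.........
        0x0020:  7118                                     q.
"""

if __name__ == "__main__":
    h = decode_dump(SAMPLE_DUMP)
    print(f"{h.src} > {h.dst} proto={h.protocol} ttl={h.ttl} id={h.ident} DF={h.dont_fragment}")
    print(f"IHL={h.ihl * 4} bytes, total={h.total_length}, payload={h.payload_length} bytes, "
          f"checksum {'ok' if h.checksum_ok else 'BAD'}")
```

Paste any one packet from the alert log (summary line plus its hex lines) into `decode_dump`; a non-zero `payload_length` would mean there is data the preprocessor could have matched, while zero means the alert was raised on a header-only datagram. The checksum check is there because a bad checksum would point at a capture or forwarding artifact rather than real traffic from the other host.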
Current thread:
- sudden sensitive_data threshold exceeded alerts Agus (Apr 12)
- Re: sudden sensitive_data threshold exceeded alerts Jason Wallace (Apr 12)
- Re: sudden sensitive_data threshold exceeded alerts Ryan Jordan (Apr 12)
- Re: sudden sensitive_data threshold exceeded alerts Agus (Apr 12)
- Re: sudden sensitive_data threshold exceeded alerts Ryan Jordan (Apr 12)
- Re: sudden sensitive_data threshold exceeded alerts Jason Wallace (Apr 12)