Snort mailing list archives
sudden sensitive_data threshold exceeded alerts
From: Agus <agus.262 () gmail com>
Date: Tue, 12 Apr 2011 12:50:13 -0300
Hi guys,
I'm getting a lot of these alerts since a couple of days ago.
[139:1:1] sensitive_data: sensitive data global threshold exceeded
[Classification: Senstive Data] [Priority: 2]: {PROTO:254}
I use Snorby, and it doesn't show any payload, so I checked the alert log with
tcpdump and found it.
19:22:55.629576 IP (tos 0x0, ttl 114, id 27323, offset 0, flags [DF],
proto: unknown (254), length: 20) 190.99.x.x > 172.31.201.9:
ip-proto-254 0
0x0000: 0000 5e00 0101 001e be79 5ca6 0800 4500 ..^......y\...E.
0x0010: 0014 6abb 4000 72fe 048c be63 6518 ac1f ..j. () r ce...
0x0020: c909 ..
19:24:02.978690 IP (tos 0x0, ttl 114, id 28108, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
ip-proto-254 0
0x0000: 001e be79 5ca6 0000 5e00 0101 0800 4500 ...y\...^.....E.
0x0010: 0014 6dcc 4000 72fe 017b ac1f c909 be63 ..m.@.r..{.....c
0x0020: 6518 e.
19:27:47.949156 IP (tos 0x0, ttl 114, id 29386, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
ip-proto-254 0
0x0000: 001e be79 5ca6 0000 5e00 0101 0800 4500 ...y\...^.....E.
0x0010: 0014 72ca 4000 72fe fc7c ac1f c909 be63 ..r.@.r..|.....c
0x0020: 6518 e.
19:42:40.923410 IP (tos 0x0, ttl 106, id 1779, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
0x0000: 001e be79 5ca6 0000 5e00 0101 0800 4500 ...y\...^.....E.
0x0010: 0014 06f3 4000 6afe 4d23 ac1f c909 d8ae ....@.j.M#......
0x0020: 6dfe m.
19:42:47.858569 IP (tos 0x0, ttl 106, id 1895, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
0x0000: 001e be79 5ca6 0000 5e00 0101 0800 4500 ...y\...^.....E.
0x0010: 0014 0767 4000 6afe 4caf ac1f c909 d8ae ...g@.j.L.......
0x0020: 6dfe m.
19:42:53.321362 IP (tos 0x0, ttl 106, id 1942, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
0x0000: 001e be79 5ca6 0000 5e00 0101 0800 4500 ...y\...^.....E.
0x0010: 0014 0796 4000 6afe 4c80 ac1f c909 d8ae ....@.j.L.......
0x0020: 6dfe
9:42:54.058349 IP (tos 0x0, ttl 64, id 14491, offset 0, flags [DF],
proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
ip-proto-254 0
0x0000: 0050 569f 3e8f 001e be79 5ca6 0800 4500 .PV.>....y\...E.
0x0010: 0014 389b 4000 40fe 457b d8ae 6dfe ac1f ..8.@.@.E{..m...
0x0020: c909 ..
19:43:19.570238 IP (tos 0x0, ttl 64, id 14522, offset 0, flags [DF],
proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
ip-proto-254 0
0x0000: 0050 569f 3e8f 001e be79 5ca6 0800 4500 .PV.>....y\...E.
0x0010: 0014 38ba 4000 40fe 455c d8ae 6dfe ac1f ..8.@.@.E\..m...
0x0020: c909 ..
19:44:55.440976 IP (tos 0x0, ttl 64, id 15039, offset 0, flags [DF],
proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
ip-proto-254 0
0x0000: 0050 569f 3e8f 001e be79 5ca6 0800 4500 .PV.>....y\...E.
0x0010: 0014 3abf 4000 40fe 4357 d8ae 6dfe ac1f ..:.@.@.CW..m...
0x0020: c909 ..
19:46:27.467767 IP (tos 0x0, ttl 106, id 4001, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
0x0000: 001e be79 5ca6 0000 5e00 0101 0800 4500 ...y\...^.....E.
0x0010: 0014 0fa1 4000 6afe 4475 ac1f c909 d8ae ....@.j.Du......
0x0020: 6dfe m.
19:46:27.852439 IP (tos 0x0, ttl 106, id 4065, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
0x0000: 001e be79 5ca6 0000 5e00 0101 0800 4500 ...y\...^.....E.
0x0010: 0014 0fe1 4000 6afe 4435 ac1f c909 d8ae ....@.j.D5......
0x0020: 6dfe m.
19:46:27.854024 IP (tos 0x0, ttl 105, id 4070, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
0x0000: 001e be79 5ca6 0000 5e00 0101 0800 4500 ...y\...^.....E.
0x0010: 0014 0fe6 4000 69fe 4530 ac1f c909 d8ae ....@.i.E0......
0x0020: 6dfe m.
and it goes on. The private IP is a reverse proxy.
IP Protocol 254: This is a core Internet Protocol with a protocol
number of 254. As per IANA specification, this protocol is reserved
for Private/Experimental/Internal use.
Any hints to investigate this deeper are appreciated. I am now looking
at the src in dynamic_preprocessors/sdf but I have no clue what to look for.
Cheers
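Added example (not part of the original post or of Snort): a small Python decoder for tcpdump `-xx` style hex dumps like the ones above. It rebuilds the frame from the hex groups, parses the Ethernet and IPv4 headers, verifies the IP header checksum and reports how much payload the datagram actually carries. The two sample dumps are copied from the post's own output; the function and class names are this example's own. Run on the post's packets it confirms what the alert fired on: IPv4 datagrams with protocol 254 (an IANA experimental/testing number), a total length of 20 bytes, i.e. header only and zero payload, so there is no application data that a sensitive-data pattern could have matched. That is the fact to carry into the tuning decision and into checking which hosts on the segment emit protocol 254 at all.

```python
"""Decode tcpdump -xx hex dumps and summarise the IPv4 header (added example)."""
import re
import struct
from dataclasses import dataclass

# Constructed samples: first inbound and first outbound frame from the post.
SAMPLE_INBOUND = r"""
19:22:55.629576 IP (tos 0x0, ttl 114, id 27323, offset 0, flags [DF],
proto: unknown (254), length: 20) 190.99.x.x > 172.31.201.9: ip-proto-254 0
0x0000: 0000 5e00 0101 001e be79 5ca6 0800 4500 ..^......y\...E.
0x0010: 0014 6abb 4000 72fe 048c be63 6518 ac1f ..j.@.r....ce...
0x0020: c909 ..
"""
SAMPLE_OUTBOUND = r"""
19:24:02.978690 IP (tos 0x0, ttl 114, id 28108, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x: ip-proto-254 0
0x0000: 001e be79 5ca6 0000 5e00 0101 0800 4500 ...y\...^.....E.
0x0010: 0014 6dcc 4000 72fe 017b ac1f c909 be63 ..m.@.r..{.....c
0x0020: 6518 e.
"""

OFFSET_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s*(.*)$")
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw frame bytes from tcpdump -xx output (offset, hex groups, ASCII)."""
    frame = bytearray()
    for line in dump.splitlines():
        m = OFFSET_LINE.match(line)
        if not m:
            continue  # summary lines carry no bytes
        if int(m.group(1), 16) != len(frame):
            raise ValueError(f"offset 0x{m.group(1)} does not continue the frame")
        consumed = 0
        for tok in m.group(2).split():
            # tcpdump prints at most 16 bytes per line; anything after that, or
            # the first non-hex token, belongs to the ASCII column and is skipped.
            if consumed >= 16 or not HEX_GROUP.match(tok):
                break
            frame += bytes.fromhex(tok)
            consumed += len(tok) // 2
    return bytes(frame)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Ipv4Summary:
    src: str
    dst: str
    proto: int
    ttl: int
    ident: int
    dont_fragment: bool
    total_length: int
    header_length: int
    payload_length: int
    checksum_ok: bool


def decode_frame(frame: bytes) -> Ipv4Summary:
    """Parse Ethernet II + IPv4 headers and report what the datagram carries."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype {ethertype:#06x})")
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    return Ipv4Summary(
        src=".".join(str(b) for b in ip[12:16]),
        dst=".".join(str(b) for b in ip[16:20]),
        proto=proto, ttl=ttl, ident=ident,
        dont_fragment=bool(flags_frag & 0x4000),
        total_length=total_len, header_length=ihl,
        payload_length=max(total_len - ihl, 0),
        checksum_ok=ipv4_checksum(ip[:ihl]) == 0,
    )


def summarize(dump: str) -> Ipv4Summary:
    return decode_frame(parse_tcpdump_hex(dump))


def is_experimental_header_only(s: Ipv4Summary) -> bool:
    """IANA experimental protocol number (253/254) with no payload at all."""
    return s.proto in (253, 254) and s.payload_length == 0


if __name__ == "__main__":
    for label, dump in (("inbound", SAMPLE_INBOUND), ("outbound", SAMPLE_OUTBOUND)):
        s = summarize(dump)
        print(label, s, "header-only experimental:", is_experimental_header_only(s))
```

The offset check and the 16-bytes-per-line cap are what keep the ASCII column (which can contain runs that look like hex) out of the reconstructed frame; the checksum verification distinguishes a genuinely well-formed header-only datagram from a truncated or mangled capture.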
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
