Snort mailing list archives

Re: home_net as source?


From: Michael Wisniewski <wiz561 () gmail com>
Date: Sat, 8 Mar 2014 16:23:34 -0600

So, besides the port scanner, does anybody have an idea why home_net is
sometimes the source?

For example, I had an alert for:

03/08-16:17:26.266039  [**] [1:15362:10] INDICATOR-OBFUSCATION obfuscated
javascript excessive fromCharCode - potential attack [**] [Classification:
Misc activity] [Priority: 3] {TCP} 23.210.xxx.xxx:80 -> 71.201.xxx.xxx:54893

23.210.xxx.xxx = External IP
71.201.xxx.xxx = Mine/home_net IP

I would assume the source would be my IP:54893 and the destination would be
the external web site.  But for some reason, it throws it the other way
around.


Thanks in advance.
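An added example, not code from the thread or from the Snort project, that shows why the alert above reads this way: Snort's fast alert prints the source and destination of the packet that matched the rule, not of the host that opened the connection. A rule looking for obfuscated JavaScript inspects content the web server sends back, so the matching packet travels server:80 -> client:ephemeral and the external site ends up on the left of the arrow. The script parses constructed fast-format lines (RFC 5737 documentation addresses stand in for the masked ones in the post, and 192.168.1.0/24 is an assumed HOME_NET), reports the packet direction relative to HOME_NET, and applies a port-based heuristic to guess which side started the session. Portscan events carry no ports, so the heuristic cannot resolve those.

```python
"""Added example: classify Snort fast-format alerts relative to HOME_NET.

Snort reports the src/dst of the packet that matched the rule, not of the
host that opened the session, so content rules that inspect server
responses show the external server as "source". (Not code from the thread.)
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed HOME_NET for this example (the post only shows masked public IPs).
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample alerts in Snort's single-line fast format; RFC 5737
# documentation addresses stand in for the masked addresses in the post.
SAMPLE_ALERTS = [
    "03/08-16:17:26.266039  [**] [1:15362:10] INDICATOR-OBFUSCATION obfuscated "
    "javascript excessive fromCharCode - potential attack [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} "
    "203.0.113.10:80 -> 192.168.1.20:54893",
    "03/08-16:18:02.100000  [**] [122:3:1] (portscan) TCP Portsweep [**] "
    "[Priority: 3] {PROTO:255} 192.168.1.20 -> 198.51.100.7",
    "03/08-16:19:40.500000  [**] [1:1000001:1] EXAMPLE outbound dns query [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} "
    "192.168.1.20:51000 -> 198.51.100.53:53",
]

# Fast-format layout: <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...]
# [Priority: n] {proto} src[:port] -> dst[:port]. Classification and ports are
# optional (portscan events omit both ports and use {PROTO:255}).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    port = lambda v: int(v) if v is not None else None
    return Alert(g["ts"], int(g["gid"]), int(g["sid"]), int(g["rev"]), g["msg"],
                 g["cls"], int(g["pri"]), g["proto"], g["src"], port(g["sport"]),
                 g["dst"], port(g["dport"]))


def in_home_net(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def classify(alert: Alert) -> dict:
    """Packet direction from the alert's src/dst, plus a guess at the initiator."""
    src_home, dst_home = in_home_net(alert.src), in_home_net(alert.dst)
    if src_home and not dst_home:
        packet_dir = "outbound"
    elif dst_home and not src_home:
        packet_dir = "inbound"
    else:
        packet_dir = "internal" if src_home else "external"
    # Heuristic: the side on a well-known port (<1024) is most likely the
    # server, so the other side most likely opened the session. Portscan
    # alerts carry no ports and stay "unknown".
    initiator = None
    if alert.sport is not None and alert.dport is not None:
        if alert.sport < 1024 <= alert.dport:
            initiator = alert.dst      # packet is a server response
        elif alert.dport < 1024 <= alert.sport:
            initiator = alert.src      # packet is a client request
    if initiator is None:
        session_dir = "unknown"
    else:
        session_dir = "outbound" if in_home_net(initiator) else "inbound"
    return {"packet_direction": packet_dir, "likely_initiator": initiator,
            "session_direction": session_dir}


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        alert = parse_alert(line)
        if alert is None:
            print("unparsed:", line)
            continue
        info = classify(alert)
        print(f"[{alert.gid}:{alert.sid}] {alert.msg[:36]:36} "
              f"packet={info['packet_direction']:8} "
              f"session={info['session_direction']:8} "
              f"initiator={info['likely_initiator']}")
```

Run against a real alert file, the first sample line classifies as an inbound packet belonging to an outbound (client-initiated) session, which is the situation described in the post. The initiator guess is only a port heuristic; for a definitive answer use Snort's unified2/pcap output or the session table rather than the alert line alone.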




On Fri, Mar 7, 2014 at 12:47 PM, Turnbough, Bradley E. <bturnbough () belcan com> wrote:

I have to agree with Jeremy.  It's finicky at best and downright useless
at worst.

Couple that with the separate logging mechanism and you've got yourself a
poorly implemented solution to a growing problem.


________________________________
From: Jeremy Hoel [jthoel () gmail com]
Sent: Friday, March 07, 2014 11:56 AM
To: Michael Wisniewski
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] home_net as source?

In my experience, I find the portscan processor is, well, finicky.  When
we have it on, we get alerts for clients talking to Windows Domain
Controllers and file servers. So its value for client to server on the
inside is hard to verify/tune/tweak.


On Fri, Mar 7, 2014 at 3:29 PM, Michael Wisniewski <wiz561 () gmail com> wrote:
I have a question about some of the results I'm seeing.  The majority of
results are having the traffic go as expected with external/outside IPs
alerting on my home_net address.  Some alerts have my home_net as the
source and outside IPs as the destination.  This is most prevalent in port
scanning.

I'm about 99% positive that I'm not starting the portscan from
inside...but for some reason, snort thinks I am.

I'm just wondering what the cause of this is.  To me, it seems kind of
backwards, but I know that depending on where the sensor is, it might make
a difference.  My setup is that I mirrored the port the cable modem is
plugged into and then that goes into the firewall...  So...

Cable Modem -> Switch Port 1
Firewall/Router -> Port 2
Snort sensor -> Port 5

Mirrored port 1.

Any help is appreciated.

Thanks!


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!



