Snort mailing list archives

Re: Anyone else seeing lots of 129 20 this am?


From: James Lay via Snort-users <snort-users () lists snort org>
Date: Mon, 02 Sep 2019 10:22:11 -0600

And one more to the list of new sigs that went through the roof right
after update:

[133:59:1] (dcerpc2) SMB - Nextcommand specified in SMB2 header is beyond payload boundary

I purposely disabled updates Friday in order to add the previous three
to the threshold file, but this one bit me this morning as I re-enabled
these.

James

On Sat, 2019-08-31 at 02:49 +0000, Joel Esler (jesler) wrote:
Maybe it was just added to the preprocessor.rules then? That makes
sense.

Sent from my iPhone
On Aug 30, 2019, at 16:30, James Lay via Snort-users <snort-users () lists snort org> wrote:



So judging by the lack of sid 20 in my gen-msg.map:

<2019-08-30 14_18_14-ids.png>

I'm betting this is a new-ish stream5 rule? I don't have 120:18
either... thanks Joel.

James
 
On 2019-08-30 13:55, Joel Esler (jesler) via Snort-users wrote:
We don't make changes to preprocessors in a rule update. It's
possible that this alert may not have been included in the past and we
just introduced it. That's a possibility. But we didn't change
any code with this release.

Sent from my iPhone
 

On Aug 30, 2019, at 15:42, Daniel Rieille <dan.rieille () gmail com> wrote:


 
That's what we did.
We got more than 250k of them today. Sguil server died. We had to
delete those 250k alerts before being able to restart it
successfully...
 
On Fri, 30 Aug 2019 at 21:32, Joel Esler (jesler) via Snort-users
<snort-users () lists snort org> wrote:
 

As you all know, however, that is a preprocessor alert. It may be
as simple as shutting that preprocessor rule off?
 
On 8/30/19, 2:17 PM, "Snort-users on behalf of Michael Steele"
<snort-users-bounces () lists snort org on behalf of
michaels () winsnort com> wrote:
 
I noticed that too on the last Snort update. Getting a LOT
more alerts. I also updated the rules at the same time and never
went back to the old rules to see if that was where the change
came in.
 
 WINSNORT.com Management Team Member
 --
 ********************************************************
 *     Since 2002 ~~ Visit http://www.winsnort.com
 *      ~~ FREE Windows installation Tutorials ~~
 *              ~~ FREE Support Forums ~~
 * Snort: Open Source Network IDS - http://www.snort.org
 ********************************************************
 
-----Original Message-----
From: Snort-users <snort-users-bounces () lists snort org> On Behalf Of James Lay via Snort-users
Sent: Friday, August 30, 2019 11:26 AM
To: Joel Esler (jesler) <jesler () cisco com>
Cc: Snort <snort-users () lists snort org>
Subject: Re: [Snort-users] Anyone else seeing lots of 129 20 this am?
 
Something as in snort ;) Same traffic, a LOT more alerts
right after updates.
 
On 2019-08-30 09:23, Joel Esler (jesler) wrote:
When you say "something changed", do you mean "Snort" changed, or
"attacker behavior" may be changing?
 

On Aug 30, 2019, at 8:13 AM, James Lay via Snort-users <snort-users () lists snort org> wrote:
 
Yeah, something changed... I run ssh on a non-standard port and now
I'm seeing:

[120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request
 
after updating rules this AM:

Aug 30 01:10:22 snort[31692]: Decoding Ethernet
Aug 30 01:17:53 snort[31692]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request
 
That http_inspect rule hit is the first time I've seen that in my
logs... ever 😉
 
 James
 
On Fri, 2019-08-30 at 06:05 -0600, James Lay via Snort-users wrote:
Seeing massive amounts of [129:20:1] TCP session without 3-way
handshake this morning... seems to be firing off on RST packets.
James

<Screenshot from 2019-08-30 06-05-03.png>
 
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

To unsubscribe, send an email to:
snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

 
 






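The triage the thread keeps circling back to (which GID:SID pairs spiked after the rule update, and what to put in the threshold file so the console survives) can be scripted. The following is an added example written for this page; it is not code from the thread's participants or from the Snort project. It parses syslog-style alert lines in the shape quoted above, counts them per generator/signature ID, and renders Snort 2.x threshold.conf entries for the preprocessor signatures that flooded. The sample log lines are constructed, including the local rule with sid 1000001; the threshold.conf `event_filter`/`suppress` syntax and the convention that GID 1 is text rules and GID 3 is shared-object rules follow the Snort 2 manual, while the list of noisy signatures and the 60-second window are assumptions chosen for the example.

```python
import re
from collections import Counter

# One syslog-style Snort alert line, in the shape quoted in the thread:
#   Aug 30 01:17:53 snort[31692]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request
# The "(preprocessor)" tag is optional; a plain "[129:20:1] TCP session ..." line also matches.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*"
    r"(?:\((?P<preproc>[^)]*)\)\s*)?"
    r"(?P<msg>\S.*?)\s*$"
)

# GID 1 is text rules and GID 3 is shared-object rules; every other generator
# ID belongs to a decoder or preprocessor, which is what the thread's alerts are.
RULE_GIDS = {1, 3}


def parse_alert(line):
    """Return {'gid','sid','rev','preproc','msg'} for an alert line, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None  # e.g. "Decoding Ethernet" startup chatter
    d = m.groupdict()
    return {
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "rev": int(d["rev"]),
        "preproc": d["preproc"] or "",
        "msg": d["msg"],
    }


def count_by_sig(lines):
    """Count alerts per (gid, sid) and keep the last message text seen for each."""
    counts = Counter()
    msgs = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"])
        counts[key] += 1
        msgs[key] = a["msg"]
    return counts, msgs


def noisy_preprocessor_sigs(counts, min_count):
    """(gid, sid) pairs from decoders/preprocessors that fired at least min_count times, noisiest first."""
    return [key for key, n in counts.most_common()
            if key[0] not in RULE_GIDS and n >= min_count]


def threshold_conf_lines(sigs, msgs, mode="event_filter", count=1, seconds=60):
    """
    Render Snort 2.x threshold.conf lines for the given signatures.

    mode="event_filter" (type limit) keeps the first alert per source IP per
    window, so something like "TCP session without 3-way handshake" survives
    as a per-host indicator; mode="suppress" silences the signature entirely.
    """
    out = []
    for gid, sid in sigs:
        out.append("# %s" % msgs.get((gid, sid), "gid %d sid %d" % (gid, sid)))
        if mode == "suppress":
            out.append("suppress gen_id %d, sig_id %d" % (gid, sid))
        else:
            out.append("event_filter gen_id %d, sig_id %d, type limit, track by_src, "
                       "count %d, seconds %d" % (gid, sid, count, seconds))
    return out


# Constructed sample log lines in the format the thread quotes (not captured traffic).
SAMPLE_LOG = [
    "Aug 30 01:10:22 snort[31692]: Decoding Ethernet",
    "Aug 30 01:17:53 snort[31692]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request",
] + [
    "Aug 30 01:18:%02d snort[31692]: [129:20:1] TCP session without 3-way handshake" % s
    for s in range(60)
] + [
    "Aug 30 01:19:%02d snort[31692]: [133:59:1] (dcerpc2) SMB - Nextcommand specified in SMB2 header is beyond payload boundary" % s
    for s in range(5)
] + [
    # a local text rule (sid in the 1000000+ local range); never thresholded here because gid 1 is a rule, not a preprocessor
    "Aug 30 01:20:00 snort[31692]: [1:1000001:1] LOCAL constructed example text rule",
]


if __name__ == "__main__":
    counts, msgs = count_by_sig(SAMPLE_LOG)
    for line in threshold_conf_lines(noisy_preprocessor_sigs(counts, min_count=5), msgs):
        print(line)
```

Run against a real alert file, the generated lines go into threshold.conf (or wherever `include` points in snort.conf) and take effect on restart or a SIGHUP reload. The design choice worth noting is event_filter over suppress: rate-limiting per source keeps a stream5 alert such as 129:20 usable as evidence of a scan or asymmetric routing, whereas suppress, or commenting the signature out of preprocessor.rules as suggested earlier in the thread, removes it altogether. Also check that a spike is really post-update noise rather than new traffic by comparing counts from before and after the rule update, which is what the thread's participants are doing by hand.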