[Snort-devel] Snort 1.7b7 is not reading the port in a ruleset

Hammerle, Tye F. Tye.F.Hammerle at ...161...
Tue Dec 12 14:50:44 EST 2000


I'm seeing a humongous level of false hits due to snort hitting on content
and not paying attention to the ports. I first noticed this with the Napster
rules and digging a bit more it is happening on the older fP-Login rule and
some others. I've seen this for perhaps four or five days. I cvs update and
re-compile fairly often. I'm relatively certain this behavior wasn't in
1.7beta6 and showed up sometime after beta7 first came out.

Something seems to have changed in the portscan preprocessor as well. With
my current setting of 3 5 I saw very few hits, generally only when I had
matching SYN or SYN-FIN hits. I get so many of them now it's ridiculous.

Tye


fP-Login is supposed to hit on port 21 (rule from 08292k.rules)

alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"fP-Login";flags:PA;
content:"USER"; logto:"FTP";)

[**] fP-Login [**]
12/12-13:10:10.736602 0:10:7B:CF:55:1 -> 0:90:27:A7:32:ED type:0x800
len:0x59A
209.73.186.21:80 -> 12.20.116.26:41697 TCP TTL:52 TOS:0x0 ID:29696 IpLen:20
DgmLen:1420 DF
***AP*** Seq: 0x6748F49E  Ack: 0xD6C30DB3  Win: 0x7BFC  TcpLen: 20



FTP-Password is supposed to hit on port 21 (rule from snortfull.conf)

alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS213 - FTP-Password
Retrieval"; content:"passwd"; flags: AP;)

[**] FTP-Password [**]
12/12-13:10:16.193016 0:10:7B:CF:55:1 -> 0:90:27:A7:32:ED type:0x800
len:0x45
199.227.189.84:1387 -> 12.20.118.13:110 TCP TTL:116 TOS:0x0 ID:47380
IpLen:20 DgmLen:55 DF
***AP*** Seq: 0x18F3683  Ack: 0x3F19B98B  Win: 0x168D  TcpLen: 20



commandline for snort
/usr/local/bin/snort -D -o -e  -d -A full -c /etc/snort.master
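A quick way to confirm the symptom described in this message is to compare the port fields of each fired alert against the port specification in the rule header that produced it. The script below is an added example, not code from the original post or from the Snort project: it parses the rule header (action, protocol, addresses, ports, direction) and the flow line of a `-A full` alert, applies Snort's port-spec semantics (`any`, a single port, `lo:hi` ranges, `!` negation, and `<>` bidirectional matching), and flags alerts whose ports could not have satisfied the rule. The sample rules and alert blocks are the ones quoted above, joined onto single lines; the two extra flows in the test are constructed. Address variables such as `$HOME_NET` are deliberately not evaluated, since the complaint is about ports.

```python
"""Audit Snort 'full' alerts against the port spec of the rule that fired them.
Added example (not from the original post or Snort); rules and alerts below are
the ones quoted in the message, joined onto single lines."""
import re

# Rule header: action proto src_ip src_port dir dst_ip dst_port ( options ... )
RULE_HDR = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)
# Flow line of a -A full alert: "a.b.c.d:sport -> e.f.g.h:dport PROTO TTL:..."
FLOW_LINE = re.compile(
    r"^(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)",
    re.MULTILINE,
)

FP_LOGIN_RULE = ('alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"fP-Login";flags:PA; '
                 'content:"USER"; logto:"FTP";)')
FTP_PASSWD_RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS213 - FTP-Password '
                   'Retrieval"; content:"passwd"; flags: AP;)')

FP_LOGIN_ALERT = """[**] fP-Login [**]
12/12-13:10:10.736602 0:10:7B:CF:55:1 -> 0:90:27:A7:32:ED type:0x800 len:0x59A
209.73.186.21:80 -> 12.20.116.26:41697 TCP TTL:52 TOS:0x0 ID:29696 IpLen:20 DgmLen:1420 DF
***AP*** Seq: 0x6748F49E  Ack: 0xD6C30DB3  Win: 0x7BFC  TcpLen: 20
"""
FTP_PASSWD_ALERT = """[**] FTP-Password [**]
12/12-13:10:16.193016 0:10:7B:CF:55:1 -> 0:90:27:A7:32:ED type:0x800 len:0x45
199.227.189.84:1387 -> 12.20.118.13:110 TCP TTL:116 TOS:0x0 ID:47380 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0x18F3683  Ack: 0x3F19B98B  Win: 0x168D  TcpLen: 20
"""
SAMPLE_PAIRS = [(FP_LOGIN_RULE, FP_LOGIN_ALERT), (FTP_PASSWD_RULE, FTP_PASSWD_ALERT)]


def parse_rule_header(rule):
    m = RULE_HDR.match(rule.strip())
    if not m:
        raise ValueError("unrecognised rule header: %r" % rule)
    return m.groupdict()


def parse_alert_flow(alert_block):
    m = FLOW_LINE.search(alert_block)
    if not m:
        raise ValueError("no flow line found in alert block")
    return {"sip": m.group("sip"), "sport": int(m.group("sport")),
            "dip": m.group("dip"), "dport": int(m.group("dport")),
            "proto": m.group("proto").lower()}


def port_matches(spec, port):
    """Snort port spec: any, N, lo:hi, :hi, lo:, each optionally negated with '!'."""
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def flow_matches_rule(rule, alert_block):
    """True if the alert's protocol and ports satisfy the rule header.
    '->' checks one direction; '<>' accepts either direction."""
    r = parse_rule_header(rule)
    f = parse_alert_flow(alert_block)
    if r["proto"].lower() != f["proto"]:
        return False
    fwd = port_matches(r["sport"], f["sport"]) and port_matches(r["dport"], f["dport"])
    if r["dir"] == "->":
        return fwd
    rev = port_matches(r["sport"], f["dport"]) and port_matches(r["dport"], f["sport"])
    return fwd or rev


def audit(pairs):
    """Return [(msg, 'sip:sport -> dip:dport', ports_ok)] for each (rule, alert) pair."""
    out = []
    for rule, alert in pairs:
        f = parse_alert_flow(alert)
        msg = re.search(r'msg:\s*"([^"]*)"', rule)
        flow = "%s:%d -> %s:%d" % (f["sip"], f["sport"], f["dip"], f["dport"])
        out.append((msg.group(1) if msg else "?", flow, flow_matches_rule(rule, alert)))
    return out


if __name__ == "__main__":
    for msg, flow, ok in audit(SAMPLE_PAIRS):
        print("%-32s %-40s %s" % (msg, flow, "ok" if ok else "PORT MISMATCH"))
```

Run against the two alerts quoted above, both rows come out as PORT MISMATCH: neither 80/41697 nor 1387/110 can satisfy a `21` port field in either direction, which is exactly the behaviour the message reports. Feeding a whole alert file through `audit` (pairing each block with its rule by `msg`) gives a count of how many hits are port-inconsistent, which is a cleaner bug report than "a humongous level of false hits".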
