[Snort-devel] Snort 1.7b7 is not reading the port in a ruleset
Hammerle, Tye F.
Tye.F.Hammerle at ...161...
Tue Dec 12 14:50:44 EST 2000
I'm seeing a humongous level of false hits due to snort hitting on content
and not paying attention to the ports. I first noticed this with the Napster
rules and digging a bit more it is happening on the older fP-Login rule and
some others. I've seen this for perhaps four or five days. I cvs update and
re-compile fairly often. I'm relatively certain this behavior wasn't in
1.7beta6 and showed up sometime after beta7 first came out.
Something seems to have changed in the portscan preprocessor as well. With
my current setting of 3 5 I saw very few hits, generally only when I had
matching SYN or SYN-FIN hits. I get so many of them now it's ridiculous.
fP-Login is supposed to hit on port 21 (rule from 08292k.rules):
alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"fP-Login";flags:PA;
[**] fP-Login [**]
12/12-13:10:10.736602 0:10:7B:CF:55:1 -> 0:90:27:A7:32:ED type:0x800
22.214.171.124:80 -> 126.96.36.199:41697 TCP TTL:52 TOS:0x0 ID:29696 IpLen:20
***AP*** Seq: 0x6748F49E Ack: 0xD6C30DB3 Win: 0x7BFC TcpLen: 20
FTP-Password is supposed to hit on port 21 (rule from snortfull.conf):
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS213 - FTP-Password Retrieval"; content:"passwd"; flags: AP;)
[**] FTP-Password [**]
12/12-13:10:16.193016 0:10:7B:CF:55:1 -> 0:90:27:A7:32:ED type:0x800
188.8.131.52:1387 -> 184.108.40.206:110 TCP TTL:116 TOS:0x0 ID:47380 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0x18F3683 Ack: 0x3F19B98B Win: 0x168D TcpLen: 20
Command line for snort:
/usr/local/bin/snort -D -o -e -d -A full -c /etc/snort.master
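As an added example (not code from the post, and not Snort's own matching logic): a small Python checker that parses a rule header and an alert's first packet line, then reports whether the alert's addresses, ports and direction actually satisfy the header. Run over the two alerts quoted above it flags both, since 41697 and 110 are not port 21. The post never states $HOME_NET, so the networks in VARIABLES are a constructed assumption chosen to contain the destination hosts of both alerts; the rules and alert lines are copied from the post, and the extra "consistent" alert lines are constructed.

```python
"""Check whether Snort alert packet lines satisfy the address/port constraints
of the rule header that supposedly fired.  Added example, not Snort code."""
import ipaddress
import re

# Constructed assumption: $HOME_NET is not given in the post, so pick networks
# that contain the destination hosts of the two alerts quoted there.
VARIABLES = {
    "HOME_NET": ["126.96.36.0/24", "184.108.40.0/24"],
}

# Rules and alert lines as they appear in the post.
FP_LOGIN_RULE = 'alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"fP-Login";flags:PA;'
FTP_PASSWD_RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 21 '
                   '(msg:"IDS213 - FTP-Password Retrieval"; content:"passwd"; flags: AP;)')
FP_LOGIN_ALERT = "22.214.171.124:80 -> 126.96.36.199:41697 TCP TTL:52 TOS:0x0 ID:29696 IpLen:20"
FTP_PASSWD_ALERT = "188.8.131.52:1387 -> 184.108.40.206:110 TCP TTL:116 TOS:0x0 ID:47380 IpLen:20"

# Constructed alert lines that a correctly port-aware engine could produce.
GOOD_ALERT = "22.214.171.124:3210 -> 126.96.36.199:21 TCP TTL:52 TOS:0x0 ID:1 IpLen:20"
GOOD_ALERT_REVERSED = "126.96.36.199:21 -> 22.214.171.124:3210 TCP TTL:52 TOS:0x0 ID:2 IpLen:20"

# header: action proto src sport dir dst dport ( ...options...
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)
# alert packet line: src:port -> dst:port PROTO ...
ALERT_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)


def parse_rule_header(rule):
    """Return the header fields of a rule as a dict (options are ignored)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule header: %r" % rule)
    return m.groupdict()


def parse_alert(line):
    """Return (src_ip, sport, dst_ip, dport, proto) from an alert packet line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable alert line: %r" % line)
    d = m.groupdict()
    return d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["proto"].lower()


def port_matches(spec, port):
    """Port spec: any, N, !N, lo:hi, :hi, lo: (negation applies to the rest)."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def addr_matches(spec, ip):
    """Address spec: any, $VAR, !$VAR, CIDR or single address."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    nets = VARIABLES[spec[1:]] if spec.startswith("$") else [spec]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def endpoints_match(hdr, src_ip, sport, dst_ip, dport):
    return (addr_matches(hdr["src"], src_ip) and port_matches(hdr["sport"], sport)
            and addr_matches(hdr["dst"], dst_ip) and port_matches(hdr["dport"], dport))


def alert_consistent(rule, alert_line):
    """True if the alert's 5-tuple could have matched the rule's header."""
    hdr = parse_rule_header(rule)
    src_ip, sport, dst_ip, dport, proto = parse_alert(alert_line)
    if hdr["proto"] not in ("ip", proto):
        return False
    if endpoints_match(hdr, src_ip, sport, dst_ip, dport):
        return True
    # '<>' rules match in either orientation; '->' rules do not.
    return hdr["dir"] == "<>" and endpoints_match(hdr, dst_ip, dport, src_ip, sport)


if __name__ == "__main__":
    for rule, line in ((FP_LOGIN_RULE, FP_LOGIN_ALERT), (FTP_PASSWD_RULE, FTP_PASSWD_ALERT),
                       (FP_LOGIN_RULE, GOOD_ALERT), (FP_LOGIN_RULE, GOOD_ALERT_REVERSED)):
        verdict = "ok" if alert_consistent(rule, line) else "PORT/ADDR MISMATCH"
        print("%-20s %s" % (verdict, line.split(" TCP")[0]))
```

Feeding the checker a full alert file and the matching ruleset gives a quick count of how many alerts violate their own header, which is a cleaner way to report a regression like this one than eyeballing individual hits.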