[Snort-sigs] RE: Snort-sigs digest, Vol 1 #246 - 8 msgs

wh1ten0ise at ...366...
Thu May 30 20:19:03 EDT 2002


>
>Early morning, first light, ssh in from home to office (NOT x11, NOT
>tunneled x11) get 465 snort alerts against the x11.rules
>(snort 1.87Beta5, including x11.rules)
>Freebsd 4.5
>
> egrep -c ^TCP
>465
>snort sig says flags A+ (Ack plus anything?)
>Many of the packets logged had AP (Ack and Psh)
>TCP:  port=6000 -> dport: 22  flags=***AP*** seq=401500876
>egrep -c '^TCP.*\*AP\*'
>418
>Many only had A
>TCP:  port=6000 -> dport: 22  flags=***A**** seq=401492556
> egrep -c  '^TCP.*\*A\*'
>47
>
>So, question one:
>why did snort record those 47 rules?
>I thought A+ meant the Ack flag and at least one more flag?
>

Answer:
The rule is written to trigger any time someone uses port 6000.
Port 6000 is the normal listener port for X11.
When you create a conversation (any socket connection) your IP stack
will allocate some random available socket.  You got lucky and drew
port 6000 as the originating port.  Therefore you had a conversation 
on port 6000.  As far as snort is concerned, you are X11.

The right solution would be to change the flags on the rule to have
flags=SA so we have to have a 'new conversation' with port 6000 as the
active listener port.

tc
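As an added illustration of the point above (example code, not from this thread or from the Snort project), here is a small Python model of Snort's `flags:` modifiers run over constructed packets: an ssh client that happened to draw source port 6000, and a genuine X server listening on 6000. The rule is modelled as matching on source port 6000, which is an assumption taken from the quoted alerts (all show `port=6000 ->`); the reserved-bit letters `1` and `2` follow the Snort 1.8-era rule syntax.

```python
from dataclasses import dataclass

# TCP flag letters as used in Snort 1.8-era rules ("1"/"2" are the two
# reserved bits; later releases spell them "C" and "E").
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}

def flags_to_mask(letters):
    """'AP' -> 0x18; the special spec '0' means no flag bits at all."""
    if letters == "0":
        return 0
    mask = 0
    for ch in letters:
        mask |= FLAG_BITS[ch]
    return mask

def flags_match(spec, pkt_mask):
    """Apply a Snort 'flags:' spec (e.g. 'A+', 'SA', 'A*', 'R!') to a packet."""
    modifier = spec[-1] if spec[-1] in "+*!" else ""
    want = flags_to_mask(spec[:-1] if modifier else spec)
    if modifier == "+":      # specified bits set, any others allowed (so a bare ACK qualifies)
        return pkt_mask & want == want
    if modifier == "*":      # any one of the specified bits set
        return pkt_mask & want != 0
    if modifier == "!":      # none of the specified bits set
        return pkt_mask & want == 0
    return pkt_mask == want  # no modifier: exact match on all eight bits

@dataclass
class Packet:
    sport: int
    dport: int
    flags: str  # letters as printed in the alert, e.g. "AP"

def rule_matches(pkt, rule_port, flag_spec):
    """Assumed rule shape: tcp any <rule_port> -> any any (flags:<spec>;)."""
    return pkt.sport == rule_port and flags_match(flag_spec, flags_to_mask(pkt.flags))

# Constructed traffic. The ssh client drew 6000 as its ephemeral source port;
# the X server is a real listener on 6000 answering a client on port 34567.
SSH_CLIENT = [Packet(6000, 22, "S"), Packet(6000, 22, "A"), Packet(6000, 22, "AP"),
              Packet(6000, 22, "AP"), Packet(6000, 22, "A")]
X_SERVER = [Packet(6000, 34567, "SA"), Packet(6000, 34567, "AP")]

def count_alerts(packets, flag_spec, rule_port=6000):
    """How many packets a rule on rule_port with the given flags spec would fire on."""
    return sum(rule_matches(p, rule_port, flag_spec) for p in packets)
```

With `A+` every ACK-bearing client packet fires (4 of the 5 constructed packets, including the bare-ACK ones), while `SA` fires only on the X server's SYN-ACK and never on the ssh client.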

