[Snort-sigs] false positives

studentmm08.pool-id at ...1755...
Wed Aug 13 05:24:16 EDT 2003


Hello,

I have a little problem with my rules and hope one of you can help me, please.

I use Snort v2.0.1;
command to start Snort: /usr/local/bin/snort -D -i eth1 -o -c /root/snort/snort.eth1.conf;
all preprocessors are disabled;

Part of the config file:

-----
var NET1 [10.223.4.34/32, 10.223.4.35/32, 10.223.4.36/32, 10.223.4.37/32]
var LAN [192.168.1.0/24]

pass tcp $LAN any -> $NET1 1697 ( sid: 1300068; rev: 2;)
pass tcp $Net1 1697 -> $LAN any ( sid: 1300069; rev: 2; flags: !S;)

alert udp any any -> any any ( sid: 1000001; rev: 2; msg: catchalludp;)
alert tcp any any -> any any ( sid: 1000002; rev: 1; msg: catchalltcp;)
-----

In my config file there are many more pass rules like the two above.
Some of them work correctly, some do not.
The one I posted does not trigger; I get alerts for all of the traffic:

[**] [1:1000002:1] catchalltcp [**]
[Priority: 0]
08/12-16:36:40.387892 10.223.4.36:1697 -> 192.168.1.189:3002
TCP TTL:123 TOS:0x0 ID:17723 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x8DA043AC  Ack: 0xA9C6B679  Win: 0xF910  TcpLen: 20

[**] [1:1000002:1] catchalltcp [**]
[Priority: 0]
08/12-16:36:40.582898 192.168.1.189:3002 -> 10.223.4.36:1697
TCP TTL:125 TOS:0x0 ID:55351 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xA9C6B679  Ack: 0x8DA043B7  Win: 0xF71A  TcpLen: 20


Can one of you tell me where the problem is?

Thanks,
Andreas
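As an added illustration (not part of the original thread or of Snort itself), a small linter over rule headers of the shape used above: it flags `$variables` that were never defined with `var` (including case mismatches, since Snort looks variable names up case-sensitively) and direction operators other than `->` or `<>`. The sample config is constructed from the rules in the post, deliberately keeping the `$Net1` spelling and a bare `>` so both checks fire.

```python
import re

# Constructed sample input, copied from the rules in the post above
# (including the "$Net1" spelling and bare ">" operators as they appear there).
SAMPLE_CONF = """\
var NET1 [10.223.4.34/32, 10.223.4.35/32, 10.223.4.36/32, 10.223.4.37/32]
var LAN [192.168.1.0/24]

pass tcp $LAN any -> $NET1 1697 ( sid: 1300068; rev: 2;)
pass tcp $Net1 1697 -> $LAN any ( sid: 1300069; rev: 2; flags: !S;)

alert udp any any > any any ( sid: 1000001; rev: 2; msg: catchalludp;)
alert tcp any any > any any ( sid: 1000002; rev: 1; msg: catchalltcp;)
"""

VAR_RE = re.compile(r"^var\s+(\S+)\s+(.+)$")
# action proto src sport direction dst dport, followed by the option block
RULE_RE = re.compile(r"^(pass|alert|log)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\(")


def lint_rules(text):
    """Return a list of (line_number, message) for every problem found."""
    variables = {}   # name -> value, in definition order
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append((lineno, "unparsable rule header"))
            continue
        _action, _proto, src, sport, direction, dst, dport = m.groups()
        if direction not in ("->", "<>"):
            problems.append((lineno, f"bad direction operator {direction!r}"))
        for field in (src, sport, dst, dport):
            if not field.startswith("$"):
                continue
            name = field[1:]
            if name in variables:
                continue
            # Offer the case-insensitive match, if any, as a hint.
            hint = ""
            for known in variables:
                if known.lower() == name.lower():
                    hint = f" (did you mean ${known}? variable names are case-sensitive)"
            problems.append((lineno, f"undefined variable ${name}{hint}"))
    return problems


if __name__ == "__main__":
    for lineno, msg in lint_rules(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```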