[Snort-sigs] false positives

Joshua Wright Joshua.Wright at ...196...
Wed Aug 13 05:58:14 EDT 2003


You used a lowercase "Net1" in your 2nd pass rule.  Tell Celine I said "Hi".

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright at ...196... 
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

> Command used to start snort:  /usr/local/bin/snort -D -i eth1 -o -c 
> /root/snort/snort.eth1.conf
> All preprocessors are disabled.
> 
> Part of the config file:
> 
> -----
> var NET1 [10.223.4.34/32, 10.223.4.35/32, 10.223.4.36/32, 10.223.4.37/32]
> var LAN [192.168.1.0/24]
> 
> pass tcp $LAN any -> $NET1 1697 ( sid: 1300068; rev: 2;)
> pass tcp $Net1 1697 -> $LAN any ( sid: 1300069; rev: 2; flags: !S;)
> 
> alert udp any any -> any any ( sid: 1000001; rev: 2; msg: catchalludp;)
> alert tcp any any -> any any ( sid: 1000002; rev: 1; msg: catchalltcp;)
> -----
> 
> In my config file there are many more pass rules like the two above. 
> Some of them work correctly, some do not. 
> The one I posted does not trigger; I get alerts for the 
> whole traffic:
> 
> [**] [1:1000002:1] catchalltcp [**]
> [Priority: 0]
> 08/12-16:36:40.387892 10.223.4.36:1697 -> 192.168.1.189:3002
> TCP TTL:123 TOS:0x0 ID:17723 IpLen:20 DgmLen:51 DF
> ***AP*** Seq: 0x8DA043AC  Ack: 0xA9C6B679  Win: 0xF910  TcpLen: 20
> 
> [**] [1:1000002:1] catchalltcp [**]
> [Priority: 0]
> 08/12-16:36:40.582898 192.168.1.189:3002 -> 10.223.4.36:1697
> TCP TTL:125 TOS:0x0 ID:55351 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0xA9C6B679  Ack: 0x8DA043B7  Win: 0xF71A  TcpLen: 20
> 
> 
> Can one of you tell me where the problem is?
> 
> Thanks 
> Andreas
> 
> 
> ---------------------------------------------- 
> Andreas Berndt 
> IT-Integration / IT-Security 
> DaimlerChrysler Services 
> Mobility Management GmbH 
> 10875 Berlin 
> Visitor address: 
> Linkstraße 2, 10785 Berlin 
> Phone:   +49 (0) 30-25 54-1838 
> Fax:        +49 (0) 30-2554-1829 
> Mobile:   +49 (0) 174-324 11 28 
> E-Mail:    studentmm08 at ...1755... 
> www.daimlerchryslerservices.com/mobility 
> 
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
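The mistake Joshua points out is easy to make and easy to miss by eye: Snort variable names are case-sensitive, so `$Net1` is not `$NET1`, and the second pass rule silently fails to match the traffic it was meant to exclude. The following Python linter is an added example, not code from the thread or from the Snort project. It scans a rules file for `$VAR` references that have no definition with exactly matching case and suggests the case-insensitive match. The config fragment inside is constructed from the rules quoted above; accepting `ipvar`/`portvar` alongside `var` is an assumption so that the check also covers later Snort 2 rule files.

```python
import re

# Constructed sample, built from the rules quoted in the thread above
# (the lowercase $Net1 on sid 1300069 is the defect under discussion).
SAMPLE_CONF = """\
var NET1 [10.223.4.34/32, 10.223.4.35/32, 10.223.4.36/32, 10.223.4.37/32]
var LAN [192.168.1.0/24]

pass tcp $LAN any -> $NET1 1697 ( sid: 1300068; rev: 2;)
pass tcp $Net1 1697 -> $LAN any ( sid: 1300069; rev: 2; flags: !S;)

alert udp any any -> any any ( sid: 1000001; rev: 2; msg: catchalludp;)
alert tcp any any -> any any ( sid: 1000002; rev: 1; msg: catchalltcp;)
"""

# 'var' is what the thread uses; 'ipvar'/'portvar' (later Snort 2 releases)
# are accepted here as an assumption so the check also covers newer files.
VAR_DEF = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\w+)\b')
VAR_REF = re.compile(r'\$(\w+)')
SID = re.compile(r'\bsid\s*:\s*(\d+)')
QUOTED = re.compile(r'"[^"]*"')


def check_variables(conf_text):
    """Scan Snort config/rules text for $VAR references that have no
    definition with exactly matching case.

    Returns a list of (line_no, sid, reference, suggestion) tuples, where
    suggestion is a defined name that matches case-insensitively (or None).
    Snort variable names are case-sensitive, so $Net1 never resolves to NET1.
    Definitions are collected in file order, so a variable used before it
    is defined is reported as well.
    """
    defined = set()
    problems = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = VAR_DEF.match(line)
        if m:
            defined.add(m.group(1))
        # Blank out quoted strings (content:"...", pcre:"...") so a literal
        # '$' inside a payload pattern is not mistaken for a variable.
        scan = QUOTED.sub('""', line)
        sid_m = SID.search(scan)
        sid = int(sid_m.group(1)) if sid_m else None
        for ref in VAR_REF.findall(scan):
            if ref in defined:
                continue
            near = sorted(n for n in defined if n.lower() == ref.lower())
            problems.append((line_no, sid, ref, near[0] if near else None))
    return problems


def report(conf_text):
    """Human-readable finding per problem returned by check_variables()."""
    lines = []
    for line_no, sid, ref, near in check_variables(conf_text):
        where = f"line {line_no}" + (f" (sid {sid})" if sid else "")
        if near:
            lines.append(f"{where}: ${ref} is not defined; did you mean ${near}?")
        else:
            lines.append(f"{where}: ${ref} is not defined")
    return lines


if __name__ == "__main__":
    # Run against the constructed sample; with a real file, pass its contents.
    for msg in report(SAMPLE_CONF) or ["no undefined variable references"]:
        print(msg)
```

Run it over the quoted fragment and the only finding is the second pass rule: `$Net1` on sid 1300069 has no exact-case definition, with `$NET1` offered as the likely intent. Because pass rules that fail to resolve simply stop excluding traffic, a check like this belongs in whatever step validates a rules file before it is loaded, in addition to watching Snort's own startup output.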