[Snort-users] False PING NMAP TCP (still)

Steve Hutchins Steve.Hutchins at ...277...
Mon Aug 7 18:17:49 EDT 2000



Bill,

I'm glad you pointed this out, as over the last weekend someone has
been probing our firewall with an automated tool:

NAMED Iquery Probe
MISC-DNS-version-query

I have blocked the address at the external router.
Do you know of any way of fingerprinting the source box to
see if it is an F5 box? (I haven't tried nmap yet).

It makes you wonder what's going to happen as more and more
people buy these boxes and switch this probing feature on!

Can the user override the exclusion list or do the boxes
check centrally?

Regards
Steve
==============================================================

-----Original Message-----
From: Bill Marquette [mailto:wlmarque at ...8...]
Sent: Tuesday, 8 August 2000 5:29 
To: Laurie Zirkle
Cc: Jim Forster; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] False PING NMAP TCP (still)

This is probably more F5 crap.  As if there wasn't enough of an outcry about
demon.co.uk, F5 has to introduce a product that sends out version.bind, queries
for "." and various other crap.  99% of our VERSION.BIND and "." queries these
days are people using F5 products.  The last communication I had with them held
an ominous (not quoted verbatim, just from memory):

     We are incorporating more "stealth" features into the F5 product to get
     around firewalls and IDS

Apparently those "stealth" features aren't working too well.  Personally, (I
can't implement this policy, or I would) I'd just firewall out every known F5
system on the net.  Global load balancing would be nice, but do they have to be
so damn noisy about it?  Of course the replies I got were "no, it's an
_option_", apparently one that everyone turns on *sigh*.

Laurie, fyi F5, BigIP and 3DNS, both I believe have an "exclusion list" so you
should feel well within your rights to request to be excluded from their load
balancing methods.

--Bill

From: Laurie Zirkle <lat at ...214...> on 08/07/2000 11:19 AM
>I pulled the 07272k.rules set from snort.org and restarted on this
>particular machine.  I'm still seeing what I'm told are false alarms
>for this one.

>Aug  7 11:13:09 milo.cns.vt.edu snort[15718]: IDS28 - PING NMAP TCP: 205.128.11.157:80 -> 198.82.247.98:53
>Aug  7 11:13:09 milo.cns.vt.edu snort[15718]: IDS28 - PING NMAP TCP: 205.128.11.157:53 -> 198.82.247.98:53
>------
>[**] IDS28 - PING NMAP TCP [**]
>08/07-11:13:09.459894 205.128.11.157:80 -> 198.82.247.98:53
>tcp TTL:44 TOS:0x0 ID:31206
>******A* Seq: 0x1C7   Ack: 0x0   Win: 0x578
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>[**] IDS28 - PING NMAP TCP [**]
>08/07-11:13:09.460034 205.128.11.157:53 -> 198.82.247.98:53
>tcp TTL:44 TOS:0x0 ID:31207
>******A* Seq: 0x1C8   Ack: 0x0   Win: 0x578
>------
>
>I had contacted the source last week when I saw this using the older
>rules from June, and received this response:
>
>The probes are sent from our geographic load balancing
>devices, trying to determine your proximity and latency to our
>different locations.  This is by design.



_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
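As an added illustration (not code from the thread, from Snort, or from F5): a small Python triage script that parses the full-format alert records Laurie quoted, applies the IDS28 condition (ACK flag set, acknowledgement number 0, the nmap TCP ping signature), and marks a short burst of such packets to port 53 with consecutive IP IDs from one source as a probable load-balancer latency probe for an analyst to confirm rather than a host-discovery sweep. The year, the 1-second window and the verdict labels are assumptions; the sample records are the thread's own, embedded here as constructed input.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: the two full-format alert records quoted in the thread.
SAMPLE = """\
[**] IDS28 - PING NMAP TCP [**]
08/07-11:13:09.459894 205.128.11.157:80 -> 198.82.247.98:53
tcp TTL:44 TOS:0x0 ID:31206
******A* Seq: 0x1C7   Ack: 0x0   Win: 0x578

[**] IDS28 - PING NMAP TCP [**]
08/07-11:13:09.460034 205.128.11.157:53 -> 198.82.247.98:53
tcp TTL:44 TOS:0x0 ID:31207
******A* Seq: 0x1C8   Ack: 0x0   Win: 0x578
"""
HEX = r"0x[0-9A-Fa-f]+"
RECORD = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\n"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    rf"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:(?P<tos>{HEX}) ID:(?P<id>\d+)\n"
    rf"(?P<flags>\S{{8}}) Seq: (?P<seq>{HEX})\s+Ack: (?P<ack>{HEX})\s+Win: (?P<win>{HEX})")
def parse_alerts(text, year=2000):
    """Parse Snort 1.x full-format alert records; the timestamp carries no year (assumed)."""
    recs = []
    for m in RECORD.finditer(text):
        d = m.groupdict()
        d["ts"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        # base 0 accepts both the plain decimal and the 0x-prefixed hex fields
        d.update({k: int(d[k], 0) for k in ("sport", "dport", "ttl", "id", "tos", "seq", "ack", "win")})
        d["flags"] = set(d["flags"]) - {"*"}  # flag letters as a set, independent of column order
        recs.append(d)
    return recs
def matches_nmap_tcp_ping(rec):
    """ACK-only TCP segment with acknowledgement number 0: the condition IDS28 keys on."""
    return rec["proto"] == "tcp" and rec["flags"] == {"A"} and rec["ack"] == 0
def triage(recs, window=1.0):
    """Per src->dst pair: >=2 IDS28 hits at port 53, consecutive IP IDs, inside `window` s."""
    by_pair = defaultdict(list)
    for r in filter(matches_nmap_tcp_ping, recs):
        by_pair[(r["src"], r["dst"])].append(r)
    verdicts = {}
    for pair, hits in by_pair.items():
        hits.sort(key=lambda r: r["ts"])
        ids = [r["id"] for r in hits]
        burst = len(hits) >= 2 and (hits[-1]["ts"] - hits[0]["ts"]).total_seconds() <= window
        consecutive = all(b - a == 1 for a, b in zip(ids, ids[1:]))
        to_dns = all(r["dport"] == 53 for r in hits)
        verdicts[pair] = "probable-latency-probe" if burst and consecutive and to_dns else "review"
    return verdicts
```

A pair labelled "probable-latency-probe" is a candidate for a pass rule or an exclusion-list request after the source is confirmed; everything else stays in the queue.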
