[Snort-users] tfn2k snort alert at whitehats.com

Brian Caswell bmc at ...312...
Mon Oct 16 12:51:50 EDT 2000


Erick Arturo Perez Huemer wrote:
> Every time snort-update checks whitehats.com for a new signature file, SNORT
> logs an IDS427 (tfn2k tcp possible communication)
> Here is the auth.log dump:
> Oct 16 08:01:16 thor snort[17186]: IDS427/tfn2k-tcp_possible_communication:
> 199.181.107.23
> Oct 16 09:01:11 thor snort[17326]: IDS427/tfn2k-tcp_possible_communication:
> 199.181.107.23
> Oct 16 10:01:12 thor snort[17470]: IDS427/tfn2k-tcp_possible_communication:
> 199.181.107.23
> 
> Strange is that in my /var/log/snort there is no entry for that IP so no
> packets have been logged and no actual packet data is available.
> 
> Is this normal or am I doing something wrong?

I'm surprised that those are the only entries you see.  Adding
whitehats.com and snort.org to your ignorehosts list would get rid of
those logs, but that means you are trusting whitehats.com and snort.org
to not attempt to break into your box.  (or people to spoof their IPs)
What I would do would be to use a web proxy server, and ignore all
traffic to the proxy port on the proxy server from an internal IP
address.  It's a little bit safer.

Myself, I would not use an automated tool to download a ruleset from
somewhere that you did not control.  If the ruleset was broken, then you
just lost your IDS.  If someone malicious rewrote the arachnids ruleset,
then they just took out a few zillion IDSs out there.

Max & Marty, could you pgp sign each updated ruleset?  That provides at
least a little bit of added protection.

-- 
Brian Caswell
The MITRE Corporation
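The two risks Brian raises above, a broken ruleset silently taking the IDS down and a tampered ruleset being installed by an automated fetcher, are both addressed if the updater refuses to swap in a download until it has verified a detached PGP signature from a pinned maintainer key and confirmed that the rules still load. The following is an added example and is not code from the original thread, from snort-update, or from whitehats.com. It assumes (hypothetically) that the publisher ships a detached signature next to the ruleset, that the maintainer's OpenPGP key is already imported into the local keyring with its fingerprint pinned in `MAINTAINER_FPR` (a placeholder value here), that `gpg` and `snort` are on PATH, and that the installed Snort supports `-T` test mode, which later Snort releases do. The status lines under `SAMPLE_STATUS` are constructed for illustration, modelled on gpg's `--status-fd` keywords.

```python
"""Verify-before-install flow for a downloaded Snort ruleset (added example).

Assumed layout, not part of the original post:
  vision.rules      -- the downloaded ruleset
  vision.rules.asc  -- detached OpenPGP signature over it
"""
import os
import shutil
import subprocess

# Pinned fingerprint of the ruleset maintainer's key.  PLACEHOLDER value:
# replace with the real fingerprint obtained out of band (not from the same
# download that carries the ruleset).
MAINTAINER_FPR = "0000000000000000000000000000000000000000"

# Constructed gpg --status-fd transcripts used for the stand-alone demo.
SAMPLE_STATUS = {
    # Signature good and made by the pinned key.
    "good": [
        "[GNUPG:] NEWSIG",
        "[GNUPG:] GOODSIG 0123456789ABCDEF Ruleset Maintainer <maint@example.invalid>",
        "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2000-10-16 971700000 0 4 0 17 2 00 0000000000000000000000000000000000000000",
        "[GNUPG:] TRUST_FULLY 0 pgp",
    ],
    # Signature does not match the file: tampered or corrupted download.
    "bad": [
        "[GNUPG:] NEWSIG",
        "[GNUPG:] BADSIG 0123456789ABCDEF Ruleset Maintainer <maint@example.invalid>",
    ],
    # Valid signature, but from some other key that happens to be in the keyring.
    "other_key": [
        "[GNUPG:] NEWSIG",
        "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.invalid>",
        "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2000-10-16 971700000 0 4 0 17 2 00 1111111111111111111111111111111111111111",
    ],
    # Signing key not present locally: cannot be verified, so not trusted.
    "unknown": [
        "[GNUPG:] NEWSIG",
        "[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 971700000 9",
        "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
    ],
}

# Status keywords that mean the file must not be installed, whatever else is printed.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def signature_accepted(status_lines, pinned_fpr=MAINTAINER_FPR):
    """Decide from gpg --status-fd output whether the ruleset may be installed.

    GOODSIG alone is not enough: any key in the keyring would satisfy it.  We
    require a VALIDSIG line whose fingerprint equals the pinned maintainer key,
    and refuse outright on any rejecting keyword.
    """
    valid_by_pinned_key = False
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary gpg chatter, not a status record
        fields = line.split()
        keyword = fields[1]
        if keyword in REJECT_KEYWORDS:
            return False
        if keyword == "VALIDSIG" and len(fields) > 2 \
                and fields[2].upper() == pinned_fpr.upper():
            valid_by_pinned_key = True
    return valid_by_pinned_key


def verify_detached_signature(ruleset_path, sig_path, pinned_fpr=MAINTAINER_FPR):
    """Run gpg on the download and parse its machine-readable status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, ruleset_path],
        capture_output=True, text=True, check=False)
    return signature_accepted(proc.stdout.splitlines(), pinned_fpr)


def ruleset_loads(rules_path):
    """snort -T parses the file and exits non-zero on a syntax error, so a
    truncated or broken download is caught before it replaces the live rules."""
    proc = subprocess.run(["snort", "-T", "-c", rules_path],
                          capture_output=True, check=False)
    return proc.returncode == 0


def install_ruleset(new_rules, sig, dest, pinned_fpr=MAINTAINER_FPR):
    """Replace dest with new_rules only after both checks pass.

    The previous ruleset is kept at dest + '.prev' for rollback, and the swap
    is an atomic rename so Snort never sees a half-written file.
    """
    if not verify_detached_signature(new_rules, sig, pinned_fpr):
        return "rejected: bad signature or not the pinned key"
    if not ruleset_loads(new_rules):
        return "rejected: ruleset does not load"
    if os.path.exists(dest):
        shutil.copyfile(dest, dest + ".prev")
    staged = dest + ".candidate"  # same directory, so os.replace is atomic
    shutil.copyfile(new_rules, staged)
    os.replace(staged, dest)
    return "installed"


if __name__ == "__main__":
    for name, lines in SAMPLE_STATUS.items():
        print(f"{name:10s} -> install: {signature_accepted(lines)}")
```

The point of pinning the fingerprint rather than relying on `GOODSIG` is that an attacker who can get any key into the operator's keyring (or who signs with a key the operator imported for some unrelated reason) would otherwise pass verification; only the maintainer's key should be able to authorise a ruleset swap.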
