[Snort-users] snort and kernel 2.4-test9 problems

Victor Barahona victor.barahona at ...700...
Thu Oct 26 07:37:17 EDT 2000



Hello,

Since I upgraded to kernel 2.4-test9 the spp_portscan plugin is driving me
crazy. Every single time I open a TCP connection I get a line like this:

Oct 26 13:10:29 xxx.xxx.xxx.22:3715 -> xxx.xxx.xxx.63:113 SYN 12****S* RESERVEDBITS
Oct 26 13:11:04 xxx.xxx.xxx.63:44853 -> xxx.xxx.xxx.22:8000 SYN 12****S* RESERVEDBITS
Oct 26 13:11:04 xxx.xxx.xxx.22:8000 -> xxx.xxx.xxx.63:44853 UNKNOWN *2*A**S* RESERVEDBITS
Oct 26 13:11:04 xxx.xxx.xxx.22:3716 -> xxx.xxx.xxx.63:113 SYN 12****S* RESERVEDBITS
Oct 26 13:11:42 xxx.xxx.xxx.63:44854 -> xxx.xxx.xxx.242:110 SYN 12****S* RESERVEDBITS
Oct 26 13:13:42 xxx.xxx.xxx.63:44855 -> xxx.xxx.xxx.242:110 SYN 12****S* RESERVEDBITS
Oct 26 13:13:44 xxx.xxx.xxx.63:44856 -> xxx.xxx.xxx.242:21 SYN 12****S* RESERVEDBITS
Oct 26 13:13:47 xxx.xxx.xxx.63:44856 -> xxx.xxx.xxx.242:21 SYN 12****S* RESERVEDBITS

This behavior is happening only on the only two machines with the 2.4-test9
kernel (63 and 22). Note that in the third line of the log, the answer of 22 to a
request from 63, the flags are quite strange.

The logs are huge, and now the trees do not let me see the forest.
Fortunately this is not happening with web connections, maybe because of the
http preprocessor.

Has anybody found the same problem? Has something changed in the new kernels
in that way? Maybe something will have to be rewritten in the spp_portscan
plugin.

-Victor.

-- 
"Alone? you are not alone, Bigbrother is watching you"

------------------------------------------------------------------------
Victor Barahona..........................http://www.utc.uam.es/~barahona
Soporte Seguridad en red.................http://www.utc.uam.es/ss
Unidad Tecnica de Comunicaciones
Universidad Autonoma de Madrid
Tlf.- 91 397 5525                                      PGP ID-0x8750AB79
------------------------------------------------------------------------


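Added example, not part of Victor's post or of Snort itself: a small Python triage script that parses spp_portscan lines in the format shown above and separates entries whose "reserved" bits form the RFC 3168 ECN handshake (a SYN carrying CWR+ECE, answered by a SYN-ACK carrying ECE, which is what a 2.4 kernel with ECN enabled sends) from flag combinations that are genuinely odd. The mapping of Snort's '1' to CWR and '2' to ECE is an assumption inferred from the log (the SYN has both bits, the SYN-ACK only '2'), and the sample lines are constructed in the same format.

```python
import re

# Constructed sample lines in the format of the spp_portscan log above.
SAMPLE_LOG = """\
Oct 26 13:10:29 xxx.xxx.xxx.22:3715 -> xxx.xxx.xxx.63:113 SYN 12****S* RESERVEDBITS
Oct 26 13:11:04 xxx.xxx.xxx.22:8000 -> xxx.xxx.xxx.63:44853 UNKNOWN *2*A**S* RESERVEDBITS
Oct 26 13:11:04 xxx.xxx.xxx.63:44857 -> xxx.xxx.xxx.22:23 SYN ******S*
Oct 26 13:12:00 xxx.xxx.xxx.63:44858 -> xxx.xxx.xxx.22:80 UNKNOWN 12*A**SF RESERVEDBITS
"""

# Snort's 8-character flag string, left to right: the two reserved bits, then
# URG ACK PSH RST SYN FIN; '*' marks a clear bit. Assumption (consistent with
# the log: the SYN carries both bits, the SYN-ACK only '2'): '1' = CWR, '2' = ECE.
FLAG_NAMES = {"1": "CWR", "2": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<kind>\S+) (?P<flags>[12UAPRSF*]{8})")

def parse_flags(flag_str):
    """Turn '12****S*' into the set {'CWR', 'ECE', 'SYN'}."""
    return {FLAG_NAMES[c] for c in flag_str if c != "*"}

def classify(flags):
    """Label a RESERVEDBITS entry: ECN handshake (RFC 3168) or anomalous."""
    ecn = flags & {"CWR", "ECE"}
    base = flags - ecn
    if not ecn:
        return "no-reserved-bits"
    if base == {"SYN"} and ecn == {"CWR", "ECE"}:
        return "ecn-setup-syn"        # ECN-capable SYN
    if base == {"SYN", "ACK"} and ecn == {"ECE"}:
        return "ecn-setup-synack"     # ECN-capable SYN-ACK
    return "anomalous"                # worth a look: not a plain ECN handshake

def triage(log):
    """Return (src, dst, dport, sorted flags, label) for each parsable line."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines in another format
        flags = parse_flags(m["flags"])
        rows.append((m["src"], m["dst"], m["dport"], sorted(flags), classify(flags)))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Lines labelled ecn-setup-syn or ecn-setup-synack are the ECN noise; only the anomalous ones need an analyst's attention.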
