[Snort-users] Making sense out of captured packets

Martin Roesch roesch at ...421...
Fri Apr 6 18:15:22 EDT 2001


You could also try checking out Northcutt's new book, "Intrusion
Signatures and Analysis"; it's available at Amazon etc.

   -Marty

Siddhartha Jain wrote:
> 
> I am still trying to find out but I can't push hard because the boxes belong
> to the client (we are a data centre). Though, nmap shows the destination to be a
> WinNT running Checkpoint and the source to be an IP in Akamai's IP pool.
> The alerts have stopped now and the customer didn't suffer any outages (he's
> doing his own security so I can't nose in) so I guess it was encrypted
> traffic.
> 
> Siddhartha
> 
> ----- Original Message -----
> From: "Martin Roesch" <roesch at ...421...>
> To: "Neil Dickey" <neil at ...1633...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Tuesday, March 27, 2001 6:51 AM
> Subject: Re: [Snort-users] Making sense out of captured packets
> 
> > Here's my $0.02: that's either a binary/graphic or encrypted traffic.
> > :)  What were the source/dest ports?
> >
> >     -Marty
> >
> > Neil Dickey wrote:
> > >
> > > "Siddhartha Jain" <s_i_d_j at ...131...> wrote asking:
> > >
> > > >I got an IDS247/dos-large-udp alert. I am running Snort with the -C option so
> > > >I capture the packet payload also. But how do I make sense out of the
> > > >payload to figure out whether it's a real DOS or a false positive? Here is a
> > > >sample:-
> > >
> > > >----------------------------------------------------------------------------
> > > >.G..........]....d...Fn............m...<.d.Ce^...r.....S.~...?a.
> > >
> > > [ ... ]
> > >
> > > Here's my $0.02:
> > >
> > > It can be very difficult to tell what those large packets actually are, because
> > > one has to know the larger context in which they are being sent in order to make
> > > a decision.  For instance, I see this sort of alert frequently -- with packet
> > > captures which contain the same gibberish as do yours -- when one of our local
> > > users starts up an on-line "radio" and starts listening to music.  I also get
> > > lots of icmp type-8 packets which trip the alert, but these contain all zeros.
> > > None of these appear to be an attack in any form.
> > >
> > > In my experience, the "large packet" rules give lots of false positives; so,
> > > unless you're getting flooded with these and the nature of the source and target
> > > machines don't make sense ( e.g.: on-line music site/student known to you ),
> > > then I expect these alerts are not significant.
> > >
> > > Best regards,
> > >
> > > Neil Dickey, Ph.D.
> > > Research Associate/Sysop
> > > Geology Department
> > > Northern Illinois University
> > > DeKalb, Illinois
> > > 60115
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > --
> > Martin Roesch
> > roesch at ...421...
> > http://www.snort.org
> >
> 
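An added triage helper, not code from anyone in this thread, that puts numbers on what the posters judge by eye: whether a large payload is all-zero fill like Neil's ICMP echoes, readable text, or high-entropy data consistent with the encrypted or streaming-media traffic Marty suspects. The thresholds and the sample payloads are constructed assumptions, not Snort rule logic.

```python
# Added triage helper (not from the thread): scores a captured UDP/ICMP payload
# the way an analyst would eyeball it. Thresholds are assumptions, not Snort's.
import math
from collections import Counter

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def shannon_entropy(payload: bytes) -> float:
    """Bits per byte: ~0 for padding, ~8 for ciphertext or compressed media."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())

def printable_fraction(payload: bytes) -> float:
    """Share of bytes a dump shows as characters rather than '.'."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)

def dot_render(payload: bytes) -> str:
    """Snort-style payload view: printable bytes as-is, everything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in payload)

def classify(payload: bytes) -> str:
    """Rough verdict on what a large-packet payload most likely is."""
    if not payload:
        return "empty payload"
    if not any(payload):
        return "all-zero padding"       # e.g. the ICMP type-8 fill Neil describes
    if printable_fraction(payload) >= 0.9:
        return "mostly printable text"  # readable protocol or document data
    if shannon_entropy(payload) >= 7.0:
        return "high entropy"           # encrypted, compressed or media stream
    return "structured binary"          # headers, fixed fields, repeating layout

if __name__ == "__main__":
    # Constructed samples, not captures from the thread.
    samples = {
        "icmp fill": bytes(512),
        "http text": b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n",
        "cipher/media": bytes(range(256)) * 4,
        "fixed fields": b"\x00\x01\x02\x03" * 64,
    }
    for name, data in samples.items():
        print(f"{name:12} H={shannon_entropy(data):.2f} "
              f"printable={printable_fraction(data):.2f} -> {classify(data)}")
        print("    ", dot_render(data[:40]))
```

A verdict of "high entropy" on its own says nothing about intent; as Neil notes, the source and destination (a media site, a known host) decide whether the alert matters.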