[Snort-users] Is there a problem with Linux 2.4.0?

Victor Barahona victor.barahona at ...700...
Fri Jan 12 05:40:14 EST 2001


On Thursday 11 January 2001 21:16, Jason Haar wrote:
>I just upgraded my snort box to 2.4.0 yesterday, and I've come in this
>morning to find a whole bunch of alerts about my snort box generating
>"probe-Queso Fingerprint attempt" and that it's portscanning other hosts
>every few minutes.
>I'm wondering if the IP stack has changed in some way that is causing these?
> I have figured out that applications I was using fine before the upgrade
> are responsible for these new alerts (e.g. fetchmail now causes snort to
> report a portscan of "SYN 12****S* RESERVEDBITS").

I noticed that in Nov with 2.4.0pre9, I think, I found the kernel option 
responsible for that behavior. Below is the answer to myself I sent to the 

I hope it helps you.

--------------------------------------------------------------------------
Re: [Snort-users] snort and kernel 2.4-test9 problems
Date: Fri, 3 Nov 2000 11:30:28 +0100
From: Victor Barahona <victor.barahona at ...700...>
To: victor.barahona at ...700...
Reply to: victor.barahona at ...700...

Hello again

Since no one had noticed this, I began to look for the kernel option 
responsible for this weird behavior. Finally I found it: the problem appears 
to be the "Network Option/IP: TCP Explicit Congestion Notification support".

I put this option on, just to try, in both machines with the new kernel. 
If this option gets popular then something has to be changed in the 
spp_portscan plugin. Otherwise it will be totally unusable.

Just FYI


>Since I upgraded to kernel 2.4-test9 the spp_portscan plugin is driving me
>crazy. Every single time I open a TCP connection I have a line like this:
>Oct 26 13:10:29 xxx.xxx.xxx.22:3715 -> xxx.xxx.xxx.63:113 SYN 12****S*
>Oct 26 13:11:04 xxx.xxx.xxx.63:44853 -> xxx.xxx.xxx.22:8000 SYN 12****S*
>Oct 26 13:11:04 xxx.xxx.xxx.22:8000 -> xxx.xxx.xxx.63:44853 UNKNOWN
>Oct 26 13:11:04 xxx.xxx.xxx.22:3716 -> xxx.xxx.xxx.63:113 SYN 12****S*
>Oct 26 13:11:42 xxx.xxx.xxx.63:44854 -> xxx.xxx.xxx.242:110 SYN 12****S*
>Oct 26 13:13:42 xxx.xxx.xxx.63:44855 -> xxx.xxx.xxx.242:110 SYN 12****S*
>Oct 26 13:13:44 xxx.xxx.xxx.63:44856 -> xxx.xxx.xxx.242:21 SYN 12****S*
>Oct 26 13:13:47 xxx.xxx.xxx.63:44856 -> xxx.xxx.xxx.242:21 SYN 12****S*
>This behavior is happening only in the two only machines with 2.4-test9
>kernel (63 and 22). Note in the third line of the log the answer of 22 to
>a petition from 63: the flags are quite strange.
>The logs are huge, and now the trees do not let me see the forest.
>Fortunately this is not happening with web connections, maybe because of the
>http preprocessor.
>Has anybody found the same problem? Has something changed in the new kernels
>in that way? Maybe something will have to be rewritten in spp_portscan.
>-Victor.
----------------------------------------------------------------------------

-- 
"Alone? you are not alone, Bigbrother is watching you"

------------------------------------------------------------------------
Soporte Seguridad en red........................http://www.utc.uam.es/ss
Unidad Tecnica de Comunicaciones...................http://www.utc.uam.es
Universidad Autonoma de Madrid.........................http://www.uam.es
Tlf.- 91 397 5525                                      PGP ID-0x8750AB79
------------------------------------------------------------------------
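The "12****S*" string in the logs above is spp_portscan's rendering of the TCP flags octet: positions 1 and 2 are the two high bits that were still "reserved" when Snort 1.x was written, and which RFC 3168 later defined as CWR and ECE. A Linux 2.4 kernel with TCP ECN support enabled sets both of them on every outgoing SYN (the ECN-setup SYN), which is exactly what a reserved-bits or Queso-style check treats as anomalous. The following is an added example, not code from the thread or from Snort: it decodes a flags octet into that "12UAPRSF" format, parses it back, builds a constructed ECN-setup SYN header, and separates RFC 3168 negotiation from SYNs that really do carry odd reserved bits. The log lines, addresses and ports are constructed, modelled on the quoted output; the helper names are my own.

```python
import re
import struct

# TCP flags octet (byte 13 of the TCP header). Before RFC 3168 the two high
# bits were simply "reserved"; Snort 1.x called them RES1 and RES2 and prints
# them as "1" and "2" in its flag strings. RFC 3168 names them CWR and ECE.
TH_RES1_CWR = 0x80
TH_RES2_ECE = 0x40
TH_URG = 0x20
TH_ACK = 0x10
TH_PSH = 0x08
TH_RST = 0x04
TH_SYN = 0x02
TH_FIN = 0x01
ECN_MASK = TH_RES1_CWR | TH_RES2_ECE

# Position/letter layout of the "12UAPRSF" string; unset bits print as "*".
FLAG_LAYOUT = [
    (TH_RES1_CWR, "1"), (TH_RES2_ECE, "2"), (TH_URG, "U"), (TH_ACK, "A"),
    (TH_PSH, "P"), (TH_RST, "R"), (TH_SYN, "S"), (TH_FIN, "F"),
]


def snort_flag_string(flags: int) -> str:
    """Render a flags octet the way spp_portscan logged it, e.g. 0xC2 -> '12****S*'."""
    return "".join(letter if flags & bit else "*" for bit, letter in FLAG_LAYOUT)


def parse_flag_string(text: str) -> int:
    """Inverse of snort_flag_string; raises ValueError on malformed input."""
    if len(text) != len(FLAG_LAYOUT):
        raise ValueError(f"bad flag string {text!r}")
    flags = 0
    for ch, (bit, letter) in zip(text, FLAG_LAYOUT):
        if ch == letter:
            flags |= bit
        elif ch != "*":
            raise ValueError(f"unexpected {ch!r} in {text!r}")
    return flags


def flags_from_tcp_header(header: bytes) -> int:
    """Pull the flags octet out of a raw TCP header (minimum 20 bytes)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def classify(flags: int) -> str:
    """Separate RFC 3168 ECN negotiation from SYNs that really carry odd bits."""
    ecn = flags & ECN_MASK
    core = flags & ~ECN_MASK & 0xFF
    if core == TH_SYN:
        if ecn == ECN_MASK:
            return "ECN-setup SYN"          # CWR+ECE on a SYN: Linux 2.4 with ECN on
        if ecn == 0:
            return "plain SYN"
        return "SYN with one reserved bit"  # not a valid ECN negotiation
    if core == TH_SYN | TH_ACK:
        if ecn == TH_RES2_ECE:
            return "ECN-setup SYN-ACK"      # ECE only: the peer agreed to ECN
        if ecn == 0:
            return "plain SYN-ACK"
        return "SYN-ACK with unexpected reserved bits"
    return "other"


# Regex for the constructed spp_portscan-style lines below (the UNKNOWN line
# carries no flag string, so the flag group is optional).
LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (\S+):(\d+) -> (\S+):(\d+) (\S+)(?: ([12UAPRSF*]{8}))?$"
)


def summarize_log(lines):
    """Count how many logged SYNs are just ECN negotiation versus anything else."""
    counts = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        flag_text = m.group(6)
        label = classify(parse_flag_string(flag_text)) if flag_text else "no flags logged"
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "Oct 26 13:10:29 192.0.2.22:3715 -> 192.0.2.63:113 SYN 12****S*",
    "Oct 26 13:11:04 192.0.2.63:44853 -> 192.0.2.22:8000 SYN 12****S*",
    "Oct 26 13:11:04 192.0.2.22:8000 -> 192.0.2.63:44853 UNKNOWN",
    "Oct 26 13:11:42 192.0.2.63:44854 -> 198.51.100.242:110 SYN 12****S*",
    "Oct 26 13:12:00 192.0.2.63:44857 -> 198.51.100.242:110 SYN ******S*",
]


def constructed_ecn_syn_header() -> bytes:
    """Build a 20-byte TCP header for an ECN-setup SYN (constructed values)."""
    data_offset = 5 << 4                     # 5 x 32-bit words, no options
    flags = TH_RES1_CWR | TH_RES2_ECE | TH_SYN
    return struct.pack("!HHIIBBHHH", 44853, 8000, 0x12345678, 0,
                       data_offset, flags, 5840, 0, 0)


if __name__ == "__main__":
    f = flags_from_tcp_header(constructed_ecn_syn_header())
    print(snort_flag_string(f), "->", classify(f))
    print(summarize_log(SAMPLE_LOG))
```

The practical point for a detector is in `classify`: CWR and ECE set together on a SYN, or ECE alone on a SYN-ACK, is the RFC 3168 handshake and says nothing about scanning, while a single reserved bit on a SYN is still worth a look. A portscan or fingerprint check that masks the ECN bits before testing for "reserved bits set" stops firing on every fetchmail or POP3 connection from an ECN-enabled host without losing the ability to notice genuinely malformed flag combinations.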


