[Snort-users] Is there a problem with Linux 2.4.0?

Martin Roesch roesch at ...421...
Fri Jan 12 15:45:56 EST 2001


Note that I've just added modifications to the TOS plugin that allow
better detection of non-ECN reserved bit usage.  The rules that key on
the TCP reserved bits need to be modified to accommodate the new ECN/TOS
data that we can now focus on.

    -Marty

Victor Barahona wrote:
> 
> 
> On Thursday 11 January 2001 21:16, Jason Haar wrote:
> >I just upgraded my snort box to 2.4.0 yesterday, and I've come in this
> >morning to find a whole bunch of alerts about my snort box generating
> >"probe-Queso Fingerprint attempt" and that it's portscanning other hosts
> >every few minutes.
> >
> >I'm wondering if the IP stack has changed in some way that is causing these?
> > I have figured out that applications I was using fine before the upgrade
> > are responsible for these new alerts (e.g. fetchmail now causes snort to
> > report a portscan of "SYN 12****S* RESERVEDBITS").
> 
> I noticed that in Nov with 2.4.0pre9 I think I found the kernel option
> responsible for that behavior. Below is the answer to myself I sent to the
> list.
> 
> I hope it helps you.
> 
> --------------------------------------------------------------------------
> Re: [Snort-users] snort and kernel 2.4-test9 problems
> Date: Fri, 3 Nov 2000 11:30:28 +0100
> From: Victor Barahona <victor.barahona at ...700...>
> To: victor.barahona at ...700...
> Reply to: victor.barahona at ...700...
> 
> Hello again
> 
> Since no one had noticed this, I began to look for the kernel option
> responsible for this weird behavior. Finally I found it: the problem appears
> to be the "Network Option/IP:TCP Explicit Congestion Notification support".
> 
> I turned this option on, just to try, in both machines with the new kernel.
> If this option gains popularity then something has to be changed in the
> spp_portscan plugin. Otherwise it will be totally unusable.
> 
> Just FYI
> 
> Cheers.
> 
> >Since I upgraded to kernel 2.4-test9 the spp_portscan plugin is driving me
> >crazy. Every single time I open a TCP connection I have a line like this:
> >
> >Oct 26 13:10:29 xxx.xxx.xxx.22:3715 -> xxx.xxx.xxx.63:113 SYN 12****S* RESERVEDBITS
> >Oct 26 13:11:04 xxx.xxx.xxx.63:44853 -> xxx.xxx.xxx.22:8000 SYN 12****S* RESERVEDBITS
> >Oct 26 13:11:04 xxx.xxx.xxx.22:8000 -> xxx.xxx.xxx.63:44853 UNKNOWN *2*A**S* RESERVEDBITS
> >Oct 26 13:11:04 xxx.xxx.xxx.22:3716 -> xxx.xxx.xxx.63:113 SYN 12****S* RESERVEDBITS
> >Oct 26 13:11:42 xxx.xxx.xxx.63:44854 -> xxx.xxx.xxx.242:110 SYN 12****S* RESERVEDBITS
> >Oct 26 13:13:42 xxx.xxx.xxx.63:44855 -> xxx.xxx.xxx.242:110 SYN 12****S* RESERVEDBITS
> >Oct 26 13:13:44 xxx.xxx.xxx.63:44856 -> xxx.xxx.xxx.242:21 SYN 12****S* RESERVEDBITS
> >Oct 26 13:13:47 xxx.xxx.xxx.63:44856 -> xxx.xxx.xxx.242:21 SYN 12****S* RESERVEDBITS
> >
> >This behavior is happening only on the only two machines with the 2.4-test9
> >kernel (63 and 22). Note that in the third line of the log, the answer from 22
> >to a request from 63 has quite strange flags.
> >
> >The logs are huge, and now the trees do not let me see the forest.
> >Fortunately this is not happening with web connections, maybe because of the
> >http preprocessor.
> >
> >Has anybody found the same problem? Has something changed in the new kernels
> >in that way? Maybe something will have to be rewritten in the spp_portscan
> >plugin.
> >
> >-Victor.
> ----------------------------------------------------------------------------
> 
> --
> "Alone? you are not alone, Bigbrother is watching you"
> 
> ------------------------------------------------------------------------
> Soporte Seguridad en red........................http://www.utc.uam.es/ss
> Unidad Tecnica de Comunicaciones...................http://www.utc.uam.es
> Universidad Autonoma de Madrid.........................http://www.uam.es
> Tlf.- 91 397 5525                                      PGP ID-0x8750AB79
> ------------------------------------------------------------------------
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
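As an added example, not code from Marty's reply or from Snort itself: a small Python triage that parses spp_portscan lines like the ones quoted above, decodes Snort's 12UAPRSF flag field, and separates reserved-bit settings that match ECN negotiation as specified in RFC 2481/3168 (CWR+ECE on a SYN, ECE alone on the SYN/ACK) from other reserved-bit usage, which is the distinction the rules keyed on reserved bits need to make. The log regex and the sample lines are constructed assumptions.

```python
import re

# Snort's 12UAPRSF flag field: '1' = reserved bit 1 (0x80, CWR under ECN),
# '2' = reserved bit 2 (0x40, ECE), then URG ACK PSH RST SYN FIN; '*' = clear.
FLAG_ORDER = "12UAPRSF"

# Shape of the spp_portscan lines quoted in the thread (constructed regex, an assumption).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<src>[\w.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) (?P<type>\S+) (?P<flags>[12UAPRSF*]{8})"
    r"(?: (?P<tag>RESERVEDBITS))?$"
)

# Constructed sample: two lines from the quoted log (unwrapped) plus two made-up lines.
SAMPLE_LOG = """\
Oct 26 13:10:29 xxx.xxx.xxx.22:3715 -> xxx.xxx.xxx.63:113 SYN 12****S* RESERVEDBITS
Oct 26 13:11:04 xxx.xxx.xxx.22:8000 -> xxx.xxx.xxx.63:44853 UNKNOWN *2*A**S* RESERVEDBITS
Oct 26 13:12:00 xxx.xxx.xxx.63:44860 -> xxx.xxx.xxx.242:110 SYN ******S*
Oct 26 13:12:05 xxx.xxx.xxx.99:40000 -> xxx.xxx.xxx.63:22 SYN 1*****S* RESERVEDBITS
"""

def parse_flags(field: str) -> set:
    """Turn a 12UAPRSF field such as '12****S*' into the set {'1', '2', 'S'}."""
    if len(field) != 8:
        raise ValueError(f"bad flag field: {field!r}")
    return {FLAG_ORDER[i] for i, ch in enumerate(field) if ch != "*"}

def classify(flags: set) -> str:
    """Separate reserved-bit use that matches ECN negotiation (RFC 2481/3168) from the rest.
    A lone ECN-setup SYN is only 'consistent with ECN': a probe can set the same bits."""
    reserved = flags & {"1", "2"}
    if not reserved:
        return "no-reserved-bits"
    syn, ack = "S" in flags, "A" in flags
    if syn and not ack and reserved == {"1", "2"}:
        return "ecn-setup-syn"           # CWR+ECE on a bare SYN: ECN-capable initiator
    if syn and ack and reserved == {"2"}:
        return "ecn-setup-syn-ack"       # ECE only on SYN/ACK: peer accepted ECN
    if not syn and reserved in ({"1"}, {"2"}):
        return "ecn-data"                # CWR or ECE on established-connection segments
    return "non-ecn-reserved-bits"       # anything else is what a reserved-bits rule should keep

def triage(log_text: str) -> list:
    """Parse spp_portscan lines and attach a verdict; unparseable lines are skipped."""
    recs = [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]
    for rec in recs:
        rec["verdict"] = classify(parse_flags(rec["flags"]))
    return recs
```

Run against SAMPLE_LOG, the two lines from the thread come back as ecn-setup-syn and ecn-setup-syn-ack, and only the made-up single-reserved-bit SYN is left as non-ECN reserved-bit usage.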
