[Snort-users] Possible Queso Fingerprint attempt?

Ookhoi ookhoi at ...1580...
Thu Mar 15 06:43:01 EST 2001

Hi Aaron,

> We have noticed something very much the same. The offending Possible
> Queso Fingerprint was coming from a linux org in Virginia. Now we know
> this particular system has not been compromised but every time one of
> our users get mail from their list snort sees it at a Possible Queso
> Fingerprint.
> Kind of a drag since they tend to send 50 to 100 messages to the list
> members a day and logging that and checking up on it sucks.
> Let me know if you find a solution and I will pass it on to the system I am
> talking about.

I found out this is a bug in snort and a know one too. Dunno what a
solution is, sorry. The reason a connect from a linux server triggers
the Queso Fingerprint Attempt rule is that linux has a feature called
ecn. Read more about it on http://www.sans.org/y2k/ecn.htm


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ookhoi
> Sent: Tuesday, March 13, 2001 1:01 PM
> To: snort-users at lists.sourceforge.net; postfix-users at ...1581...
> Cc: snort-devel at lists.sourceforge.net
> Subject: [Snort-users] Possible Queso Fingerprint attempt?
> Hi!
> Our ISP blocked our webserver for a while because (a) Company mailed
> that they were portscanned by us according to their hereby included
> snort log.
> Now we don't portscan of course, and can't find proof of a break in
> (maybe somebody else wanted to do us a favor and do a portscan for us ;-)
> And besides, in the snort log only a scan at port 25 is mentioned at two
> of their servers, which happen to be both mail gateways.
> According to the database on the webserver, someone from Company
> subscribed to a forum on our site early this month. The forum sents out
> mails every morning, and thus also to the two mail gateways.
> According to our mail logs, our mailserver delivered mails to the mail
> gateways at the days mentioned in the snort log, but not at the same
> time as the scans.
> Our mailserver is postfix, and we use linux kernel 2.4 with ecn enabled.
> Can it be that postfix tried to deliver mail and that snort somehow
> found the tcp connection to be mangled in some way?
> I read that a Queso Fingerprint works by changing some things in the tcp
> packets.
> Will snort abort the connection when it detects a Queso Fingerprint, or
> does it only log the attempt?
> I searched the Internet and my postfix archives for something similar
> but didn't succeed. Didn't look in the snort archives.
> I appreciate all your thoughts, tips, advisories and even flames and
> rtfms :-)
> Please cc me when you do so, as I can't keep up with the postfix
> mailinglist, and barely with the snort mailinglist..
> Thanx!
> 	Ookhoi
> victim-ip1 and victim-ip2 are the mail gateways of Company.
> our-server-ip is our server. :-)
> Mar 11 06:49:41 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 11 06:49:41 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:46173 -> [victim-ip1]:25
> Mar 11 06:49:45 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 11 06:49:49 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 11 06:53:18 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)


More information about the Snort-users mailing list