[Snort-users] Making sense out of captured packets

Neil Dickey neil at ...1633...
Mon Mar 26 10:30:01 EST 2001


"Siddhartha Jain" <s_i_d_j at ...131...> wrote asking:

>I got a IDS247/dos-large-udp alert. I am running Snort with the -C option so
>i capture the packet payload also. But how do i make sense out of the
>payload to figure out whether its a real DOS or a false positive? Here is a
>sample:-
>----------------------------------------------------------------------------
>.G..........]....d...Fn............m...<.d.Ce^...r.....S.~...?a.

[ ... ]

Here's my $0.02:

It can be very difficult to tell what those large packets actually are, because
one has to know the larger context in which they are being sent in order to make
a decision.  For instance, I see this sort of alert frequently -- with packet
captures which contain the same gibberish as do yours -- when one of our local
users starts up an on-line "radio" and starts listening to music.  I also get
lots of icmp type-8 packets which trip the alert, but these contain all zeros.
None of these appear to be an attack in any form.

In my experience, the "large packet" rules give lots of false positives; so,
unless you're getting flooded with these and the nature of the source and target
machines don't make sense ( e.g.: on-line music site/student known to you ),
then I expect these alerts are not significant.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115






More information about the Snort-users mailing list