[Snort-users] Making sense out of captured packets

Martin Roesch roesch at ...421...
Mon Mar 26 20:21:31 EST 2001


Here's my $0.02: that's either a binary/graphic or encrypted traffic.
:)  What were the source/dest ports?

    -Marty

Neil Dickey wrote:
> 
> "Siddhartha Jain" <s_i_d_j at ...131...> wrote asking:
> 
> >I got an IDS247/dos-large-udp alert. I am running Snort with the -C option so
> >I capture the packet payload also. But how do I make sense out of the
> >payload to figure out whether it's a real DOS or a false positive? Here is a
> >sample:
> >----------------------------------------------------------------------------
> >.G..........]....d...Fn............m...<.d.Ce^...r.....S.~...?a.
> 
> [ ... ]
> 
> Here's my $0.02:
> 
> It can be very difficult to tell what those large packets actually are, because
> one has to know the larger context in which they are being sent in order to make
> a decision.  For instance, I see this sort of alert frequently -- with packet
> captures which contain the same gibberish as do yours -- when one of our local
> users starts up an on-line "radio" and starts listening to music.  I also get
> lots of icmp type-8 packets which trip the alert, but these contain all zeros.
> None of these appear to be an attack in any form.
> 
> In my experience, the "large packet" rules give lots of false positives; so,
> unless you're getting flooded with these and the nature of the source and target
> machines don't make sense ( e.g.: on-line music site/student known to you ),
> then I expect these alerts are not significant.
> 
> Best regards,
> 
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
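A quick first cut at the question in the thread (is a dotted-out payload like the one above readable text, all-zeros filler, or the kind of binary/compressed/encrypted stream that an on-line radio produces) is to measure the payload's printable ratio and byte entropy. This is an added example, not code from the original thread or from Snort; the sample payloads are constructed, and the thresholds (0.9 printable, 7.0 bits/byte) are assumptions to tune per site. As Neil says, ports and the endpoints involved still decide the call.

```python
import hashlib
import math
from collections import Counter

# Constructed sample payloads (not the packet quoted in the post): readable
# text, and opaque bytes derived from SHA-256 to stand in for encrypted or
# compressed data. Both run offline and deterministically.
TEXT_PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n" * 8
OPAQUE_PAYLOAD = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                          for i in range(128))  # 4096 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes Snort -C would print as characters rather than dots."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def classify_payload(data: bytes) -> str:
    """Coarse triage label for a captured UDP payload; context still decides."""
    if not data:
        return "empty"
    if not any(data):
        return "all-zeros"          # the ICMP echo filler case from the thread
    if printable_ratio(data) > 0.9:   # assumed threshold
        return "text"
    if shannon_entropy(data) > 7.0:   # assumed threshold
        return "high-entropy"       # compressed, encrypted or media data
    return "binary"

if __name__ == "__main__":
    for name, p in (("text", TEXT_PAYLOAD), ("opaque", OPAQUE_PAYLOAD),
                    ("zeros", bytes(64))):
        print(f"{name:>7}: entropy={shannon_entropy(p):.2f} "
              f"printable={printable_ratio(p):.2f} -> {classify_payload(p)}")
```

A "high-entropy" label on a steady stream from one source to one high UDP port is consistent with the streaming-audio false positive Neil describes; many sources hitting one target is the pattern that actually warrants a closer look.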