[Snort-users] Making sense out of captured packets

Siddhartha Jain s_i_d_j at ...131...
Wed Mar 28 23:11:07 EST 2001


I am still trying to find out, but I can't push hard because the boxes belong
to the client (we are a data centre). Though, nmap shows the destination to be a
WinNT box running Checkpoint and the source to be an IP in Akamai's IP pool.
The alerts have stopped now and the customer didn't suffer any outages (he's
doing his own security so I can't nose in), so I guess it was encrypted
traffic.

Siddhartha

----- Original Message -----
From: "Martin Roesch" <roesch at ...421...>
To: "Neil Dickey" <neil at ...1633...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, March 27, 2001 6:51 AM
Subject: Re: [Snort-users] Making sense out of captured packets


> Here's my $0.02: that's either a binary/graphic or encrypted traffic.
> :)  What were the source/dest ports?
>
>     -Marty
>
> Neil Dickey wrote:
> >
> > "Siddhartha Jain" <s_i_d_j at ...131...> wrote asking:
> >
> > >I got an IDS247/dos-large-udp alert. I am running Snort with the -C option so
> > >I capture the packet payload also. But how do I make sense out of the
> > >payload to figure out whether it's a real DOS or a false positive? Here is a
> > >sample:-
> >
> > >----------------------------------------------------------------------------
> > >.G..........]....d...Fn............m...<.d.Ce^...r.....S.~...?a.
> >
> > [ ... ]
> >
> > Here's my $0.02:
> >
> > It can be very difficult to tell what those large packets actually are, because
> > one has to know the larger context in which they are being sent in order to make
> > a decision.  For instance, I see this sort of alert frequently -- with packet
> > captures which contain the same gibberish as do yours -- when one of our local
> > users starts up an on-line "radio" and starts listening to music.  I also get
> > lots of icmp type-8 packets which trip the alert, but these contain all zeros.
> > None of these appear to be an attack in any form.
> >
> > In my experience, the "large packet" rules give lots of false positives; so,
> > unless you're getting flooded with these and the nature of the source and target
> > machines don't make sense ( e.g.: on-line music site/student known to you ),
> > then I expect these alerts are not significant.
> >
> > Best regards,
> >
> > Neil Dickey, Ph.D.
> > Research Associate/Sysop
> > Geology Department
> > Northern Illinois University
> > DeKalb, Illinois
> > 60115
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
>
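The thread's rules of thumb (all-zero padding in ICMP echo requests, readable text, or the "gibberish" that streaming media, compressed or encrypted data produces) can be applied mechanically to a captured payload before anyone looks at ports and endpoints. The script below is an added example written for this archive page; it is not code from the thread, from Snort, or from any of the posters. It assumes the payload bytes have already been extracted from the capture (the sample payloads are constructed, not taken from the thread), reproduces the character-only view that Snort's -C option prints, adds a hex+ASCII view, and returns a coarse label using entropy and printable-ratio thresholds that are assumptions to be tuned.

```python
"""Triage helpers for a payload that tripped a large-packet rule.

Added example, not code from the original thread or from Snort. It turns the
character-only dump Snort prints with -C into a hex+ASCII view and applies the
rules of thumb from the thread (all-zero padding, readable text, or the
high-entropy "gibberish" of media, compressed or encrypted data) to get a
first-pass label before looking at ports and endpoints.
"""
import hashlib
import math
from collections import Counter

# Constructed sample payloads (not captures from the thread).
ZERO_PAYLOAD = bytes(1024)                                   # e.g. ICMP echo padding
TEXT_PAYLOAD = (b"GET /stream.mp3 HTTP/1.0\r\nHost: radio.example\r\n\r\n" * 20)[:1024]
# 1024 bytes of deterministic pseudo-random data standing in for a media/encrypted stream
NOISE_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def classify_payload(data: bytes) -> str:
    """Coarse label; the thresholds (0.95 printable, 7.0 bits) are assumptions, tune them."""
    if not data:
        return "empty"
    if not any(data):                      # every byte is 0x00
        return "all-zero padding"
    if printable_ratio(data) >= 0.95:
        return "mostly printable text"
    if shannon_entropy(data) >= 7.0:
        return "high entropy (media, compressed or encrypted)"
    return "mixed binary (framing plus data)"


def char_dump(data: bytes) -> str:
    """Character-only view like Snort -C: printable bytes as-is, everything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def hex_ascii_dump(data: bytes, width: int = 16) -> str:
    """Hex plus ASCII columns, 16 bytes per line; exposes structure the '.' view hides."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        lines.append(f"{off:04x}  {hexpart}  {char_dump(chunk)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, payload in (("zeros", ZERO_PAYLOAD), ("text", TEXT_PAYLOAD), ("noise", NOISE_PAYLOAD)):
        print(f"{name:6s} entropy={shannon_entropy(payload):.2f} "
              f"printable={printable_ratio(payload):.2f} -> {classify_payload(payload)}")
    print(hex_ascii_dump(NOISE_PAYLOAD[:48]))
```

A "high entropy" label on its own does not separate a music stream from an encrypted tunnel or from an attack payload; as the thread says, that decision needs the source and destination (ports, whether the endpoints make sense together) rather than the bytes alone. The label is only there to stop an analyst from staring at dots.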

