[Snort-users] Making sense out of captured packets
s_i_d_j at ...131...
Wed Mar 28 23:11:07 EST 2001
I am still trying to find out, but I can't push hard because the boxes belong
to the client (we are a data centre). Though, nmap shows the destination to be a
WinNT running Checkpoint and the source to be an IP in Akamai's IP pool.
The alerts have stopped now and the customer didn't suffer any outages (he's
doing his own security so I can't nose in), so I guess it was encrypted.
----- Original Message -----
From: "Martin Roesch" <roesch at ...421...>
To: "Neil Dickey" <neil at ...1633...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, March 27, 2001 6:51 AM
Subject: Re: [Snort-users] Making sense out of captured packets
> Here's my $0.02: that's either a binary/graphic or encrypted traffic.
> :) What were the source/dest ports?
> Neil Dickey wrote:
> > "Siddhartha Jain" <s_i_d_j at ...131...> wrote asking:
> > >I got an IDS247/dos-large-udp alert. I am running Snort with the -C
> > >I capture the packet payload also. But how do I make sense out of the
> > >payload to figure out whether it's a real DOS or a false positive? Here
> > >sample:-
> > >.G..........]....d...Fn............m...<.d.Ce^...r.....S.~...?a.
> > [ ... ]
> > Here's my $0.02:
> > It can be very difficult to tell what those large packets actually are,
> > one has to know the larger context in which they are being sent in order
> > a decision. For instance, I see this sort of alert frequently -- with
> > captures which contain the same gibberish as do yours -- when one of our
> > users starts up an on-line "radio" and starts listening to music. I
> > lots of ICMP type-8 packets which trip the alert, but these contain all
> > None of these appear to be an attack in any form.
> > In my experience, the "large packet" rules give lots of false positives;
> > unless you're getting flooded with these and the nature of the source
> > machines doesn't make sense ( e.g.: on-line music site/student known to
> > then I expect these alerts are not significant.
> > Best regards,
> > Neil Dickey, Ph.D.
> > Research Associate/Sysop
> > Geology Department
> > Northern Illinois University
> > DeKalb, Illinois
> > 60115
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Martin Roesch
> roesch at ...421...
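The thread's advice boils down to: before treating a large-packet alert as an attack, work out what the payload actually is (ASCII protocol data, a graphic, an encrypted or compressed stream, or plain filler) and then weigh that against ports and the nature of the source. The script below is an added example, not code from the thread or from Snort itself. It profiles a payload by Shannon entropy, printable-byte ratio and a small table of file signatures, and renders bytes the way `snort -C` displays them. The classification thresholds (0.95 printable, 7.5 and 4.0 bits per byte) and the sample payloads are assumptions constructed for this example.

```python
import hashlib
import math
import string
from dataclasses import dataclass
from typing import Optional

# Added example (not from the Snort-users thread): first-pass triage of a
# captured payload, the kind of "gibberish" Snort's -C option prints.
# The thresholds below are heuristics chosen for this example, not Snort values.

PRINTABLE = frozenset(string.printable.encode("ascii"))

# A few well-known file signatures (real magic bytes; deliberately short table).
MAGIC = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"\x1f\x8b": "gzip stream",
    b"PK\x03\x04": "ZIP archive",
}


@dataclass
class Profile:
    length: int
    entropy: float          # bits per byte, 0.0 .. 8.0
    printable_ratio: float  # fraction of bytes in string.printable
    magic: Optional[str]    # matched file signature, if any
    kind: str               # "file", "text", "high-entropy", "low-entropy", "mixed"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that would survive a snort -C dump as real characters."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def detect_magic(data: bytes) -> Optional[str]:
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def profile_payload(data: bytes) -> Profile:
    """Classify a payload so the analyst knows what to check next."""
    h = shannon_entropy(data)
    p = printable_ratio(data)
    m = detect_magic(data)
    if m:
        kind = "file"            # a graphic or archive in transit
    elif p >= 0.95:
        kind = "text"            # ASCII protocol data: read it directly
    elif h >= 7.5:
        kind = "high-entropy"    # encrypted, compressed or media stream
    elif h <= 4.0:
        kind = "low-entropy"     # padding or repeated bytes
    else:
        kind = "mixed"           # structured binary; decode by port/protocol
    return Profile(len(data), round(h, 2), round(p, 2), m, kind)


def snort_c_view(data: bytes, width: int = 64) -> str:
    """Render bytes the way snort -C does: non-printables become '.'."""
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


# Constructed sample payloads (not captures from the thread).
SAMPLES = {
    "http": b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n" * 30,
    "cipher": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(44)),
    "padding": b"\x00" * 1400,
    "gif": b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 200,
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        prof = profile_payload(data)
        print(f"{name:8} len={prof.length:5} H={prof.entropy:4.2f} "
              f"printable={prof.printable_ratio:4.2f} kind={prof.kind}")
        print(snort_c_view(data[:64]))
```

Entropy alone does not separate an encrypted session from a compressed media stream or an image body, which is exactly Martin's "binary/graphic or encrypted" ambiguity; the profile only narrows the question, and the source/destination ports and what is known about the endpoints still decide it. A run of `-C` output that is all dots with a low-entropy profile is worth a closer look, since legitimate application data is rarely that uniform.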