[Snort-users] detect that shouldn't be detected!

Daniel Lopez dlopez at ...6134...
Fri Aug 2 03:19:03 EDT 2002


Well, I went to check my "alert" file generated by the -A fast option.
This is the line that I got:

08/01-17:12:45.525894 [**] [113:2:1] spp_frag2: Teardrop attack [**]
{UDP} 10.50.1.130 -> 10.50.0.160

So, it seems it detects the Teardrop attack when it goes from my home
network to the external network.
Any idea? :-/


> -----Original Message-----
> From: Tom Sevy [mailto:tsevy at ...1701...]
> Sent: Friday, August 02, 2002 2:54 AM
> To: 'Daniel Lopez'
> Subject: RE: [Snort-users] detect that shouldn't be detected!
>
>
> I am not familiar with the 'tear' DoS, but if it is monitoring UDP as it
> indicates in the rule, is it possible that you are being alerted by the UDP
> response?
>
> -----Original Message-----
> From: Daniel Lopez [mailto:dlopez at ...6134...]
> Sent: Thursday, August 01, 2002 7:03 PM
> To: Tom Sevy
> Subject: RE: [Snort-users] detect that shouldn't be detected!
>
>
> Yes, but my HOME_NET is still set to 10.50.1.0/24. So, even if my home
> network address is included in the EXTERNAL variable because I'm using
> any, I'm launching the attack from 10.50.1.x -> 10.50.0.x
>
> 10.50.0.x is not an IP address that belongs to my Home network.
> Am I still missing something? :-/
>
>
> > That is right. Because 10.50.1.0 is included in your EXTERNAL network
> > (any).
> >
> > Try changing EXTERNAL_NET to !$HOME_NET
> >
> >
> > -----Original Message-----
> > From: Daniel Lopez [mailto:dlopez at ...6134...]
> > Sent: Thursday, August 01, 2002 4:49 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] detect that shouldn't be detected!
> >
> >
> > Hello,
> >
> > Currently, I'm doing some tests on Snort. I'm using two LANs. One
> > recreates the External network. The network address is: 10.50.0.0/24.
> > The second LAN is my home network. The network address is: 10.50.1.0/24.
> > They are interconnected via a router. I wanted to be able to get attacks
> > going from the External network to my Home network, and attacks going
> > from my Home network to the other computers in my Home network.
> > The SNORT box is in the home network. Computers and SNORT box are
> > connected through a HUB. I configured the HOME_NET and EXTERNAL_NET
> > variables as follows:
> >
> > HOME_NET 10.50.1.0/24
> >
> > EXTERNAL_NET any
> >
> > However, when I launch an attack (Teardrop, NewTear) from my home
> > network to the external network, SNORT detects it!! If I look at the
> > Teardrop rule, it is written this way:
> >
> > [...] $EXTERNAL_NET -> $HOME_NET [...]
> >
> > Thus, it will only be applied to traffic that goes from the
> > External_Net to the Home_Net!
> > I don't understand how it can detect it if the attack goes from my home
> > network to the external network. Did I miss something?
> >
> > Thanks in advance for your help!
> > Daniel Lopez
> >
> >
>
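The alert quoted above carries generator ID 113, which is the spp_frag2 preprocessor, not a rule from the rules engine (generator ID 1), and preprocessor alerts are not constrained by a rule header such as $EXTERNAL_NET -> $HOME_NET. The example below is added here and is not code from the thread: it parses Snort "-A fast" lines and separates the two cases; the second sample line (gid 1, placeholder sid 1000001) is constructed for contrast.

```python
"""Parse Snort '-A fast' alert lines and work out whether the
$EXTERNAL_NET -> $HOME_NET rule header can govern each alert at all."""
import ipaddress
import re

# Generator ID 1 is the rules engine; any other gid is a preprocessor
# (113 is spp_frag2, the generator of the Teardrop alert in the thread).
RULES_ENGINE_GID = 1

# Constructed samples: the thread's alert, then a made-up rules-engine alert.
SAMPLE_ALERTS = [
    "08/01-17:12:45.525894 [**] [113:2:1] spp_frag2: Teardrop attack [**] "
    "{UDP} 10.50.1.130 -> 10.50.0.160",
    "08/01-17:13:02.000000 [**] [1:1000001:1] LOCAL example rule [**] "
    "{UDP} 10.50.1.130:53 -> 10.50.1.5:1024",
]

FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) \[\*\*\] (?:\[Classification: [^\]]*\] )?(?:\[Priority: \d+\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev"):
        fields[key] = int(fields[key])
    return fields


def rule_header_matches(src, dst, home_net, external_net_is_any):
    """Does '$EXTERNAL_NET -> $HOME_NET' match this src/dst pair?
    With EXTERNAL_NET any, a home-net source still matches (Tom's point);
    with EXTERNAL_NET !$HOME_NET it does not."""
    home = ipaddress.ip_network(home_net)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_ok = True if external_net_is_any else src_ip not in home
    return src_ok and dst_ip in home


def explain(alert, home_net, external_net_is_any=True):
    """Report where an alert came from and whether the rule header played a part."""
    if alert["gid"] == RULES_ENGINE_GID:
        applies = rule_header_matches(alert["src"], alert["dst"], home_net, external_net_is_any)
        return {"origin": "rule", "header_applies": applies}
    # Preprocessors inspect every packet the sensor sees; HOME_NET and
    # EXTERNAL_NET are rule variables and do not filter them.
    return {"origin": "preprocessor", "header_applies": False}
```

Run over the first sample line, explain() reports origin "preprocessor", which is why the outbound Teardrop probe is still alerted on regardless of HOME_NET.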




