[Snort-users] Some alerts look like aggregated TCP sessions...

Jason Haar Jason.Haar at ...294...
Tue Aug 27 17:54:29 EDT 2002


I've noticed a certain class of false positives for some time, but have just
realised what was wrong with them.

I'm getting "buffer overflow" class alerts that actually look like they are
several packets in one!

e.g.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow
attempt"; flags:A+; dsize:>100; content:"USER "; nocase;
reference:bugtraq,4638; classtype:attempted-admin; sid:1734; rev:4;)

..and a *packet* (as logged in the MySQL DB - not seen live) that triggers
it...

USER myname..PASS xxyy11..PWD..CWD /pub..PWD..CWD incoming..TYPE I..PORT 10,0,1,2

Now: everywhere there's a ".." is just the SQL ints way of expressing "CRLF"
pairs, but from my reckoning of how FTP works, the above log is actually 8
separate packets - not one! Also I note that there's no reply traffic in
there - just the sent traffic...

Any ideas? Either snort is doing something weird, or someone's running some
form of streamed FTP client that pipelines several commands into one packet..?

Snort-1.8.7 under RH Linux, with following options:

preprocessor frag2
preprocessor stream4: disable_evasion_alerts, detect_scans, timeout 30,
 memcap 8388608 ttl_limit 0
preprocessor stream4_reassemble: noalerts, both, ports 21 23 25 53 80 3128
 143 110 111 513
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the Snort-users mailing list