[Snort-users] Some alerts look like aggregated TCP sessions...

Chris Green cmg at ...1935...
Tue Aug 27 18:16:04 EDT 2002


Jason Haar <Jason.Haar at ...294...> writes:

> I've noticed a certain class of false positives for some time, but have just
> realised what was wrong with them.
>
> I'm getting "buffer overflow" class alerts that actually look like they are
> several packets in one!

This is a stream of packets and an artifact of how stream reassembly
is done.

>
> e.g.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow
> attempt"; flags:A+; dsize:>100; content:"USER "; nocase;
> reference:bugtraq,4638; classtype:attempted-admin; sid:1734; rev:4;)

This has been changed in the 1.9 series.  Now, a dsize check
implicitly means it refers to a REAL packet matching this size.

>
> ..and a *packet* (as logged in the MySQL DB - not seen live) that triggers
> it...
>
> USER myname..PASS xxyy11..PWD..CWD /pub..PWD..CWD incoming..TYPE I..PORT 10,0,1,2
>
> Now: everywhere there's a ".." is just the SQL ints way of expressing "CRLF"
> pairs, but from my reckoning of how FTP works, the above log is actually 8
> separate packets - not one! Also I note that there's no reply traffic in
> there - just the sent traffic...
>
> Any ideas? Either snort is doing something weird, or someone's running some
> form of streamed FTP client that pipelines several commands into one
> packet..?

That's the snort stream reassembler.

If you are logging to pcap, it will also log the REAL packets to the
log.tcpdump

Cheers,
Chris
-- 
Chris Green <cmg at ...1935...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
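The aggregation Chris describes, as an added example that is not part of this thread or of Snort's own code: it models a reassembler merging one-command FTP packets into a single buffer and contrasts evaluating a dsize rule against that buffer with evaluating it against the real packets. The packet contents are constructed, and the two trailing commands are assumed so that the merged buffer passes 100 bytes.

```python
# Added example (not code from the mailing-list thread): a small model of
# how a TCP stream reassembler merges several one-command FTP packets into a
# single reassembled buffer, and why a rule with dsize:>100 fires on that
# buffer although no real packet comes close to 100 bytes. All traffic below
# is constructed sample data.

CRLF = b"\r\n"

# Ten separate client-to-server packets, one FTP command each (constructed;
# the first eight follow the commands shown in the post, the last two are
# assumed follow-on commands so the merged buffer exceeds 100 bytes).
CLIENT_PACKETS = [
    b"USER myname" + CRLF,
    b"PASS xxyy11" + CRLF,
    b"PWD" + CRLF,
    b"CWD /pub" + CRLF,
    b"PWD" + CRLF,
    b"CWD incoming" + CRLF,
    b"TYPE I" + CRLF,
    b"PORT 10,0,1,2" + CRLF,
    b"LIST" + CRLF,
    b"RETR README.txt" + CRLF,
]

def reassemble(packets):
    """Concatenate one direction of the stream, as the reassembler does
    before handing a rebuilt pseudo-packet to the detection engine."""
    return b"".join(packets)

def as_logged(payload):
    """Render a payload the way the post describes the DB log: each CRLF
    pair shows up as '..'."""
    return payload.replace(CRLF, b"..").decode("ascii")

def rule_matches(payload):
    """Simplified form of the rule in the post: content:"USER " with
    nocase, plus dsize:>100 applied to whatever payload it is handed."""
    return b"user " in payload.lower() and len(payload) > 100

def reassembled_only_check(packets):
    """Pre-1.9 behaviour as the thread describes it: the whole rule,
    dsize included, is evaluated against the rebuilt buffer."""
    return rule_matches(reassemble(packets))

def real_packet_check(packets):
    """1.9-style behaviour: with dsize present, the rule must hold for a
    REAL packet, so each wire packet is checked on its own."""
    return any(rule_matches(p) for p in packets)
```

Running both checks on the same ten packets shows the rebuilt buffer (106 bytes) triggering the rule while the largest real packet is only 17 bytes, which is exactly the false positive Jason saw.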