[Snort-users] Some alerts look like aggregated TCP sessions...
cmg at ...1935...
Tue Aug 27 18:16:04 EDT 2002
Jason Haar <Jason.Haar at ...294...> writes:
> I've noticed a certain class of false positives for some time, but have just
> realised what was wrong with them.
> I'm getting "buffer overflow" class alerts that actually look like they are
> several packets in one!
This is a stream of packets and an artifact of how stream reassembly
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow
> attempt"; flags:A+; dsize:>100; content:"USER "; nocase;
> reference:bugtraq,4638; classtype:attempted-admin; sid:1734; rev:4;)
This has been changed in the 1.9 series. Now, a dsize check
implicitly means it refers to a REAL packet matching this size.
> ..and a *packet* (as logged in the MySQL DB - not seen live) that triggers
> USER myname..PASS xxyy11..PWD..CWD /pub..PWD..CWD incoming..TYPE I..PORT 10,0,1,2
> Now: everywhere there's a ".." is just the SQL ints way of expressing "CRLF"
> pairs, but from my reckoning of how FTP works, the above log is actually 8
> separate packets - not one! Also I note that there's no reply traffic in
> there - just the sent traffic...
> Any ideas? Either snort is doing something weird, or someone's running some
> form of streamed FTP client that pipelines several commands into one
That's the snort stream reassembler.
If you are logging to pcap, it will also log the REAL packets to the
Chris Green <cmg at ...1935...>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx
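Added example, not part of the original thread and not Snort's own code: a small Python model of what the reply describes. One direction of an FTP control session is glued into a single reassembled buffer, and a rule whose dsize and content options are evaluated against that buffer fires even though no real packet is anywhere near 100 bytes. The second evaluator reflects the 1.9 behaviour described above, where dsize refers to a real packet. The packet list is a constructed sample modelled on the session in the post (the PORT and STOR lines are invented to push the total past 100 bytes), and db_display mimics how the logged payload ends up showing CRLF pairs as "..".

```python
# Added illustration of stream-reassembly false positives (not from Snort).

CRLF = b"\r\n"

# Constructed sample: one FTP command per TCP segment, client -> server only.
# Lengths are annotated so the arithmetic below is easy to follow.
PACKETS = [
    b"USER myname" + CRLF,         # 13 bytes
    b"PASS xxyy11" + CRLF,         # 13
    b"PWD" + CRLF,                 # 5
    b"CWD /pub" + CRLF,            # 10
    b"PWD" + CRLF,                 # 5
    b"CWD incoming" + CRLF,        # 14
    b"TYPE I" + CRLF,              # 8
    b"PORT 10,0,1,2,4,1" + CRLF,   # 19 (constructed value)
    b"STOR upload.bin" + CRLF,     # 17 (constructed value)
]                                  # total: 104 bytes


def reassemble(packets):
    """Mimic a stream reassembler: concatenate one direction of the session
    into the single pseudo-packet that the detection engine is handed."""
    return b"".join(packets)


def rule_matches(payload, min_dsize=100, content=b"USER ", nocase=True):
    """Evaluate the dsize:>N and content options of the quoted FTP USER rule
    against one payload, which may be a real packet or a reassembled buffer."""
    hay, needle = (payload.lower(), content.lower()) if nocase else (payload, content)
    return len(payload) > min_dsize and needle in hay


def evaluate_on_reassembled(packets):
    """Older behaviour: both options are checked on the reassembled buffer,
    so many small packets can add up to a 'buffer overflow' alert."""
    return rule_matches(reassemble(packets))


def evaluate_on_real_packets(packets):
    """1.9-style behaviour as described in the reply: dsize applies to a real
    packet, so the rule fires only if a single segment is both oversized and
    carries the content."""
    return any(rule_matches(p) for p in packets)


def db_display(payload):
    """Render a payload the way the logged copy appeared in the post: every
    non-printable byte (including CR and LF) is shown as a dot."""
    return bytes(b if 32 <= b < 127 else 0x2E for b in payload).decode("ascii")


if __name__ == "__main__":
    buf = reassemble(PACKETS)
    print("reassembled length:", len(buf))
    print("largest real packet:", max(len(p) for p in PACKETS))
    print("logged view:", db_display(buf))
    print("fires on reassembled buffer:", evaluate_on_reassembled(PACKETS))
    print("fires on any real packet:", evaluate_on_real_packets(PACKETS))
```

Running it shows the logged view from the post (commands separated by ".."), a reassembled length of 104 against a largest real segment of 19, so the rule fires only under the reassembled-buffer evaluation. A genuinely oversized USER command in one segment still trips the per-packet evaluator, which is the case the rule was written for.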