[Snort-users] only ICMP packets!

Heyde Fritjof fritjof.heyde at ...5034...
Fri Feb 22 07:29:07 EST 2002


Hi there!

I hope this is not a drinking question! :)

I have snort (1.8.3) up and running on my Suse Linux machine, sniffing on
the DSL device ppp0,
plus ACID is installed and running.

First question: I only get ICMP traffic. At least that's what ACID is
reporting.
Traffic Profile by Protocol is 100% ICMP.
Sounds a bit weird to me. Is this normal? Or do I have a false ACID conf?
Or is this a really dumb question! :)

Second question:
The ppp0 device is a virtual device for the DSL-Modem.
It is connected to the TAE (telephone outlet) via eth1 (10 MBit card)
(eth1->DSL-Modem->TAE physical order)
I think the way the packets take coming from the outside is:
->TAE->eth1->ppp0
Is it possible to sniff on the eth1 device?

My guess would be no, because ppp0 translates the TCP... packets into DSL
readable packets. So snort would not recognize any packets. Is this correct?

greets
Bydlo
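Added example, not from the post: assuming the DSL link uses PPPoE (RFC 2516), which the post does not state, this shows what a sniffer on eth1 would see: an Ethernet frame whose payload is a PPPoE session header and a PPP protocol field wrapped around the same IP packet that ppp0 exposes directly. The sample frame and all addresses are constructed.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_PPPOE_SESSION = 0x8864   # RFC 2516 session-stage frames
PPPOE_HDR_LEN = 6                  # ver/type, code, session id, payload length
PPP_PROTO_IPV4 = 0x0021            # PPP protocol number for IPv4

def unwrap_pppoe(frame):
    """Strip Ethernet, PPPoE and PPP headers; return (session_id, ip_packet) or None."""
    if len(frame) < ETH_HDR_LEN + PPPOE_HDR_LEN + 2:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_PPPOE_SESSION:
        return None  # not a PPPoE session frame (e.g. plain 0x0800 IPv4)
    vt, code, session_id, length = struct.unpack_from("!BBHH", frame, ETH_HDR_LEN)
    if vt != 0x11 or code != 0x00:
        return None  # only version 1 / type 1 session data carries user traffic
    start = ETH_HDR_LEN + PPPOE_HDR_LEN
    ppp = frame[start:start + length]
    if len(ppp) < 2 or struct.unpack_from("!H", ppp, 0)[0] != PPP_PROTO_IPV4:
        return None
    return session_id, ppp[2:]

def summarize(frame):
    """IP protocol number and addresses of the packet hidden inside the PPPoE frame."""
    unwrapped = unwrap_pppoe(frame)
    if unwrapped is None:
        return None
    session_id, ip = unwrapped
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    return {
        "session": session_id,
        "proto": ip[9],                      # 1 = ICMP, 6 = TCP, 17 = UDP
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
    }

def build_sample_frame():
    """Constructed ICMP echo request as it appears on the Ethernet side of the modem."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip + icmp
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 1, len(ppp))
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    return eth + pppoe + ppp
```

A sniffer that expects plain Ethernet/IP on eth1 would have to do this unwrapping itself, which is why capturing on ppp0, where the IP packet is already exposed, is the simpler choice.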


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Mark
Mason
Sent: Friday, 22 February 2002 15:24
To: 'Post, ME (Meint)'
Cc: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] bug?

I have also seen this with my set up. I don't believe it is a bug, more of a
false positive. I set up a pass rule for my workstation and it stopped (and
snort doesn't report my p0rn surfin either). :)


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Post, ME
(Meint)
Sent: Friday, February 22, 2002 2:52 AM
To: 'rdd at ...241...'
Cc: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] bug?


Hello,

I'm wondering whether the following incident is a bug or an oversight on my
part. I'd appreciate some feedback on this:

Yesterday I noticed in the ACID console that one individual was quite
adamant in poking my server. I decided to check if the logged IP address
hosted a website so I could gain more knowledge about the intruder. Upon
entering the website I was literally jumped by Nimda viruses, which was
dutifully logged by Snort as part of the web-misc rules. My anti-virus
software blocked the Nimda virus. From this moment on my ACID log filled
itself with warnings that my webserver was attempting to infiltrate me with
readme.eml attacks. Every time I requested an ACID page with the warning my
logs filled with 60-70 warnings concerning readme.eml attacks. My webserver
is a Linux machine and therefore not susceptible to Nimda. I don't have
Samba shares installed so the virus hasn't jumped to my work machine. I did
some extensive scanning with two anti-virus programs on my work machine and
both didn't find anything. I scanned my Linux server with two anti-virus
programs and they didn't find anything either.

My suspicion is that Snort is triggered to report a Nimda readme.eml attack
by the reporting of ACID on the first attack, i.e. it is a cascade of
warnings because every new warning generates a new Snort log entry. In other
words, the fact that Snort has logged the first Nimda attack is reported by
ACID. Snort detects the phrase "readme.eml" in the ACID report page and
registers a new attack (registering an attack from my webserver where the
ACID pages are generated). This new attack is reported by ACID, causing new
warnings etc...

Is this a correct assumption on my part? If so will this be corrected in a
new version? Right now I have disabled Nimda warnings in the web-misc.rules
file but this is not an ideal solution.

Regards,

Meint

p.s. I like ACID a lot, keep up the good work!
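Added example, not from the thread: a small model of the feedback loop Meint describes. A content-style rule (a regex stand-in, not Snort's rule engine) matches "readme.eml" in HTTP payloads; the console page echoes every alert name back into HTML, so each view of the console raises new alerts and the backlog grows. Exempting the console host, as a Snort pass rule would (the approach Mark Mason took for his workstation), stops the loop. All hosts, the page layout and the per-packet size are constructed.

```python
import re

MSS = 200                      # constructed: HTTP body bytes per packet (small, to show growth fast)
CONSOLE_HOST = "192.0.2.10"    # constructed: the web server that generates the ACID pages
ATTACKER = "203.0.113.5"       # constructed: the outside web site that served Nimda
RULES = [("WEB-MISC readme.eml download attempt", re.compile(rb"readme\.eml", re.I))]

def inspect(src, payload, pass_hosts=frozenset()):
    """Alert names raised for one packet; sources in pass_hosts are exempt (a pass rule)."""
    if src in pass_hosts:
        return []
    return [name for name, rx in RULES if rx.search(payload)]

def render_console(alert_log):
    """Constructed ACID-style page that echoes every logged alert name into HTML."""
    rows = "".join(f"<tr><td>{src}</td><td>{name}</td></tr>" for src, name in alert_log)
    return f"<html><body><table>{rows}</table></body></html>".encode()

def segments(body):
    """Split a response body into the packets the sensor would inspect one by one."""
    return [body[i:i + MSS] for i in range(0, len(body), MSS)]

def simulate(console_views, pass_hosts=frozenset()):
    """Return the number of new alerts raised on each console view after one real hit."""
    first_hit = b"HTTP/1.0 200 OK\r\n\r\n<a href=readme.eml>"
    alert_log = [(ATTACKER, name) for name in inspect(ATTACKER, first_hit)]
    per_view = []
    for _ in range(console_views):
        new = []
        for pkt in segments(render_console(alert_log)):
            new += [(CONSOLE_HOST, n) for n in inspect(CONSOLE_HOST, pkt, pass_hosts)]
        alert_log += new          # the console will show these too, so the next view is larger
        per_view.append(len(new))
    return per_view
```

The original alert from the outside host is still logged either way; only the console's own copies of the alert text are exempted.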


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

