[Snort-users] false alerts

Phil Wood cpw at ...440...
Thu Jan 24 13:17:08 EST 2002


On Thu, Jan 24, 2002 at 11:22:52AM +1100, support wrote:
> I am having a problem with snort ...
> I apologize in advance for the nature of the question, however...
> When running Snort 1.8.3 in daemon mode with no output modules I am
> receiving false alerts from my internal network. Below is an excerpt from my
> logs
> 
> "
> Jan 24 10:23:46 proxy snort[12568]: [1:618:1] INFO - Possible Squid Scan
> [Classification: Attempted Information Leak] [Priority: 2]: {TCP}
> 192.168.0.10:1387 -> 192.168.0.8:3128
> Jan 24 10:23:49 proxy snort[12568]: [1:618:1] INFO - Possible Squid Scan
> [Classification: Attempted Information Leak] [Priority: 2]: {TCP}
> 192.168.0.10:1388 -> 192.168.0.8:3128
Well, let's take a look at the rule:

% grep "Possible Squid Scan" *.rules
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"INFO - Possible Squid Scan"; flags:S; classtype:attempted-recon; sid:618; rev:1;)

If this is not the rule then delete this message.  Otherwise, there is not
much meat to this rule.  The TCP packet would have to be directed at your 
HOME_NET and be the first (SYN) of the connection establishment phase trying
to contact a "service" on port 3128.  This can happen with FTP file transfers
initiated by a host on your HOME_NET (unless you enforce passive mode).
However, you should check that the value of your HOME_NET and EXTERNAL_NET
are not "any".  Your snort.conf should have the following two lines defined:

var HOME_NET [192.168.0.0/24]

var EXTERNAL_NET !$HOME_NET

The above is assuming that your home net is 192.168.0.0/24.

> "
> The snort.conf file is from version 1.8.1 and defines the internal network
> both in HOME_NET and within the preprocessor portscan-ignorehosts
> Any suggestions would be greatly appreciated.
> 
> David

-- 
Phil Wood, cpw at ...440...
