[Snort-users] 1.8.6 problem: Misdetection and hangup

Chris Green cmg at ...1935...
Tue Jun 4 07:32:10 EDT 2002


Jesus Couto <jesus.couto at ...3830...> writes:

> Hi,
>
> This is the setup: A RH 7.2 machine running snort 1.8.6, 2 interfaces,
> the one we are listening to eth1 connected to a hub with another 2
> machines, 192.168.100.1 (the "attacker") and 192.168.100.3 (the
> "victim").
>
> Problem: Launching some simple portscanning attacks like
>
>     nmap -sT -p 1-40000 -r 192.168.100.3
>
> from the attacker machine gets reported as "MISC source route lssr" by
> snort in IDS mode, and after reporting the first 3000-4000 events,
> snort hangs completely.

Hrm odd.  Using 1.8.7-current

06/04-10:26:16.307146  [**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2] {ICMP}
10.1.1.52 -> 10.1.1.72

06/04-10:26:16.627530  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 10.1.1.52 (THRESHOLD 4 connections exceeded in 0 seconds) [**] 
06/04-10:26:16.712279  [**] [1:615:3] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.52:57906 -> 10.1.1.72:1080
06/04-10:26:17.409593  [**] [1:620:2] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.52:64906 -> 10.1.1.72:8080
06/04-10:26:18.567241  [**] [1:249:1] DDOS mstream client to handler [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.1.52:55573 -> 10.1.1.72:15104
06/04-10:26:20.158005  [**] [100:2:1] spp_portscan: portscan status from 10.1.1.52: 4808 connections across 1 hosts: TCP(4808), UDP(0) [**] 
>
> Not only the packets don't have the lssr option anywhere, as checked by
> using Ethereal, but snort in sniffer mode also shows them to be
> without options, and the logging of the packets by snort at the ACID
> console shows the packet having a few other options (TS) but nothing
> about source routing.
>
> Any ideas? If more info is needed to debug it just tell me what you
> need.

Send me a pcap of this scan happening, if you would please, if snort
hangs up again.  .... Mostly ok here...



-- 
Chris Green <cmg at ...1935...>
To err is human, to moo bovine.
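The original post's claim is that the scan packets carry no source-route option, only a timestamp (TS) option, so the "MISC source route lssr" alert is a false positive. The following is an added example, not code from the thread or from the Snort project: a small IPv4 header option parser you can run over raw packet bytes from a capture to confirm whether LSRR (type 131) or SSRR (type 137) is actually present. The sample headers and addresses are constructed here to mirror the post's setup; `build_ipv4_header` is a hypothetical helper for producing them and leaves the checksum at zero.

```python
import struct

# IPv4 option type values (RFC 791): the TS option the poster saw in ACID,
# and the two source-route options a "source route" rule would be keyed on.
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_TS = 68      # 0x44 internet timestamp
IPOPT_LSRR = 131   # 0x83 loose source and record route
IPOPT_SSRR = 137   # 0x89 strict source and record route

OPTION_NAMES = {
    IPOPT_EOL: "EOL", IPOPT_NOP: "NOP", IPOPT_TS: "TS",
    IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR", 7: "RR", 130: "SEC", 148: "RA",
}


def parse_ipv4_options(packet: bytes):
    """Return [(name, type, payload_bytes)] for every option in an IPv4 header.

    Raises ValueError on a truncated header, a non-IPv4 packet, or an option
    whose length field runs past the header (the kind of malformed input a
    sensor must not choke on).
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts = packet[20:ihl]           # option bytes live between byte 20 and IHL*4
    result = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:          # single-byte option, ends the list
            result.append(("EOL", t, b""))
            break
        if t == IPOPT_NOP:          # single-byte padding option
            result.append(("NOP", t, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option type without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((OPTION_NAMES.get(t, f"OPT{t}"), t, bytes(opts[i + 2:i + length])))
        i += length
    return result


def has_source_route(packet: bytes) -> bool:
    """True only if an LSRR or SSRR option is really present in the header."""
    return any(t in (IPOPT_LSRR, IPOPT_SSRR) for _, t, _ in parse_ipv4_options(packet))


def build_ipv4_header(src: str, dst: str, options: bytes = b"", proto: int = 6) -> bytes:
    """Hypothetical helper: minimal IPv4 header, options padded to a 4-byte
    boundary with EOL bytes, checksum left at 0 (constructed test data only)."""
    options = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + options


# Constructed samples using the thread's attacker/victim addresses.
PLAIN_SYN = build_ipv4_header("192.168.100.1", "192.168.100.3")
TS_OPTION = bytes([IPOPT_TS, 12, 5, 0]) + b"\x00" * 8           # empty 12-byte timestamp option
WITH_TS = build_ipv4_header("192.168.100.1", "192.168.100.3", TS_OPTION)
LSRR_OPTION = bytes([IPOPT_LSRR, 7, 4, 192, 168, 100, 3])       # one-hop loose source route
WITH_LSRR = build_ipv4_header("192.168.100.1", "192.168.100.3", LSRR_OPTION)

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN_SYN), ("ts", WITH_TS), ("lsrr", WITH_LSRR)):
        print(label, [n for n, _, _ in parse_ipv4_options(pkt)], has_source_route(pkt))
```

Feeding the IP layer of each packet from the capture through `has_source_route` gives an independent answer to the question the thread raises: if it is False for every packet that triggered the alert, the rule, not the traffic, is what needs looking at.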