[Snort-users] Snort and SysLogging, warning

Don Don at ...5881...
Thu Jun 20 17:00:02 EDT 2002


here's something for all of us to note

let me give you a scenario
multiple snort sensors, scattered throughout, on varying networks, all, of
course, rcvng variety of alerts, suddenly, i notice one sensor, getting tons
of alerts, the tcpdump on this sensor, indicates that this system has been
compromised somehow, hmm, hopefully not, but, i kept investigating, to find,
all the alerts, appear to be being prompted by the syslog, sensor A reports
to syslog at ...780...(B), sensor @host(B) alerts since it see's traffic with the
exact content it is designed to alert on, so, when sensor A alerts to say a
web-iis script access or sa login failed, it sends the syslog message to
syslog on host B, host B reads the syslog message and logs it accordingly,
and, at the same time, snort sensor on host B reads the same message as an
attack of the same type, and therefore, prompts an alert. what makes this
hard, is, i run snort in tcpdump and -s for remote syslog, so, when i try to
output the dump file to an alert structure, it just hangs, seems to never
finish, while one file under host(B) address in the alert dir structure,
continues to climb in size, for one tcpdump, the size continued to climb
until i ran out of drive space, then everything stopped. so i tried another
file, and it did basically the same thing, how i finally found this, was to
start the snort sensor on the host in question, let it run for about 5
minutes, then perform the extraction, resulting in the finding of something
like this

.W.....V....I.n.
s.e.r.t. .i.n.t.
o. .S.y.s.l.o.g.
d. .(.M.S.G.D.A.
T.E.,. .M.S.G.T.
I.M.E.,. .M.S.G.
P.R.I.O.R.I.T.Y.
,. .M.S.G.H.O.S.
T.N.A.M.E.,. .M.
S.G.T.E.X.T.). .
V.a.l.u.e.s. .(.
'.2.0.0.2.-.0.6.
-.2.0.'.,. .'.1.
6.:.3.1.:.2.2.'.
,. .'.A.u.t.h...
A.l.e.r.t.'.,. .
'.6.4...1.6.3...
7.0...2.1.'.,. .
'. . . .s.n.o.r.
t.[.2.3.9.2.].:.
 .[.1.:.1.2.9.5.
:.4.]. .N.E.T.B.
I.O.S. .n.i.m.d.
a. .R.I.C.H.E.D.
2.0...D.L.L. .[.
C.l.a.s.s.i.f.i.
c.a.t.i.o.n.:. .
P.o.t.e.n.t.i.a.
l.l.y. .B.a.d. .
T.r.a.f.f.i.c.].
 .[.P.r.i.o.r.i.
t.y.:. .2.].:. .
{.T.C.P.}. .6.4.

this is from the tcp2209-139.ids file under my ip directory. as you can see,
snort seems to be alerting on its own alerts, since of course, it does see
the exact traffic it is designed to alert upon
anyway, i'm just passing this bit along, since it had me really stumped for
a bit, i was disconnecting things from the network til i realized this.
altho, i am still a bit confused about a few things, i think this is what
has happened., any objections.

Don





More information about the Snort-users mailing list