[Snort-users] Question -- spp_stream4 STEALTH ACTIVITY (unknown) detection

Matt Yackley Matt.Yackley at ...5858...
Tue Apr 1 10:48:02 EST 2003


Good afternoon all,

I'm testing 2.0.0rc1 and have been receiving quite a few alerts of this
type:

----------------------------------------------------------------------------
--
#(4 - 784) [2003-03-31 15:34:21] [snort/1]  (spp_stream4) STEALTH ACTIVITY
(unknown) detection
IPv4: 216.95.201.24 -> x.x.x.x
      hlen=5 TOS=0 dlen=60 ID=56669 flags=0 offset=0 TTL=50 chksum=11649
TCP:  port=51994 -> dport: 25  flags=21****S* seq=1192978509
      ack=0 off=10 res=0 win=5840 urp=0 chksum=5562
      Options:
       #1 - MSS len=2 data=
       #2 - SACKOK len=0
       #3 - TS len=8 data=07265B6D0000
       #4 - NOP len=0
       #5 - WS len=1 data=(null)
Payload: none
----------------------------------------------------------------------------
--
#(4 - 768) [2003-03-31 15:21:31] [snort/1]  (spp_stream4) STEALTH ACTIVITY
(unknown) detection
IPv4: 216.95.201.37 -> x.x.x.x
      hlen=5 TOS=0 dlen=60 ID=63292 flags=0 offset=0 TTL=50 chksum=5013
TCP:  port=39860 -> dport: 25  flags=21****S* seq=727569648
      ack=0 off=10 res=0 win=5840 urp=0 chksum=52402
      Options:
       #1 - MSS len=2 data=
       #2 - SACKOK len=0
       #3 - TS len=8 data=072982E50000
       #4 - NOP len=0
       #5 - WS len=1 data=(null)
Payload: none
----------------------------------------------------------------------------
--
#(4 - 766) [2003-03-31 15:17:51] [snort/1]  (spp_stream4) STEALTH ACTIVITY
(unknown) detection
IPv4: 216.95.201.36 -> x.x.x.x
      hlen=5 TOS=0 dlen=60 ID=10827 flags=0 offset=0 TTL=50 chksum=57479
TCP:  port=35037 -> dport: 25  flags=21****S* seq=79473935
      ack=0 off=10 res=0 win=5840 urp=0 chksum=40109
      Options:
       #1 - MSS len=2 data=
       #2 - SACKOK len=0
       #3 - TS len=8 data=072814460000
       #4 - NOP len=0
       #5 - WS len=1 data=(null)
Payload: none
----------------------------------------------------------------------------
--
#(4 - 765) [2003-03-31 15:16:27] [snort/1]  (spp_stream4) STEALTH ACTIVITY
(unknown) detection
IPv4: 209.47.197.12 -> x.x.x.x
      hlen=5 TOS=0 dlen=60 ID=55869 flags=0 offset=0 TTL=50 chksum=15325
TCP:  port=42356 -> dport: 25  flags=21****S* seq=531210803
      ack=0 off=10 res=0 win=5840 urp=0 chksum=23569
      Options:
       #1 - MSS len=2 data=
       #2 - SACKOK len=0
       #3 - TS len=8 data=0A5E304C0000
       #4 - NOP len=0
       #5 - WS len=1 data=(null)
Payload: none

99.5% are from connections going to my SMTP server, but I have seen one or
two from HTTP traffic.  I have searched the past emails from this list and
Google but did not find any useful information on these alerts.  I'm not
sure what is triggering them -- any ideas?

Thanks,
Matt


>>Config info<<

OS: Redhat Linux 7.3
Snort: 2.0.0rc1 Build 61
CPU: PII 400
RAM: 256

Started via: snort -d -i eth0 -c /etc/snort/snort.conf
 
snort.conf [removed all commented lines]
#--------------------------------------------------
#   http://www.snort.org     Snort 2.0.0 Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# $Id: snort.conf,v 1.119 2003/03/28 14:36:05 chrisgreen Exp $
#
# Poster's note: all commented lines were stripped before pasting, and
# addresses/credentials were replaced with "x" placeholders.  Long lines
# (AIM_SERVERS, http_decode) appear to have been wrapped by the mail client;
# in the real file each directive is a single line.

# Monitored network (a /26); the same x.x.x.x redaction is used in the alerts.
var HOME_NET x.x.x.x/26

# Everything that is not HOME_NET.  With this definition traffic between two
# HOME_NET hosts never matches rules written as $EXTERNAL_NET -> $HOME_NET.
var EXTERNAL_NET !$HOME_NET

var DNS_SERVERS x.x.x.x

# The alerts in the message are almost all destined for port 25 on this host.
var SMTP_SERVERS x.x.x.x

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET

var TELNET_SERVERS $HOME_NET

var HTTP_PORTS 80

# Shellcode rules are evaluated on every port except 80.
var SHELLCODE_PORTS !80

var ORACLE_PORTS 1521

# NOTE(review): this list spans two lines here only because of mail wrapping;
# as written ("64.1" / "2.161.0/24") it would not parse, so verify the real
# file has it on one line.
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.1
2.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH /etc/snort

# Name suggests this suppresses T/TCP-related alerts; it does not cover the
# STEALTH ACTIVITY alerts shown above, which are tagged spp_stream4.
config disable_ttcp_alerts

# IP defragmentation, default settings.
preprocessor frag2

# TCP stateful inspection.  The "(spp_stream4) STEALTH ACTIVITY (unknown)
# detection" alerts in the message carry this preprocessor's tag, and every
# quoted packet is a SYN with flags=21****S*, i.e. the two reserved TCP bits
# set alongside SYN.  detect_scans is presumably the option that emits them --
# TODO confirm; disable_evasion_alerts evidently does not silence this class.
preprocessor stream4: detect_scans, disable_evasion_alerts

# Stream reassembly with default options (no ports/direction given).
preprocessor stream4_reassemble

# HTTP URI normalization on port 80 (wrapped onto two lines by the mail client).
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace

# RPC decoding on portmapper (111) and 32771.
preprocessor rpc_decode: 111 32771

preprocessor telnet_decode

# Legacy portscan preprocessor.  Arguments appear to be: network to watch,
# port-count threshold (4), time window in seconds (3), log file -- verify
# against the 2.0.0 README.
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Log facility written to MySQL.  The database password sits in this file in
# clear text, so snort.conf should be readable only by the account running
# snort.  Values redacted by the poster.
output database: log, mysql, user=x password=x dbname=x host=x sensor_name=x

include classification.config

include reference.config

# Rule files; relative paths are resolved against the directory snort.conf
# is read from (RULE_PATH is declared above but not referenced here).
include bad-traffic.rules
include exploit.rules
include scan.rules
include ftp.rules
include telnet.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules

include web-cgi.rules
include web-iis.rules
include web-misc.rules
include web-client.rules

include sql.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include snmp.rules

include smtp.rules

include nntp.rules
include other-ids.rules
include web-attacks.rules
include backdoor.rules
include local.rules



