[Snort-users] false alarm with snort 2.0, why?

Holger Marzen holger at ...9053...
Mon Apr 28 11:41:11 EDT 2003


Snort 2.0 on Linux 2.2.16
-------------------------

I defined "regular" traffic with pass rules. Every other traffic goes to
a logfile. That worked perfectly with snort 1.6. Now I upgraded to snort
2.0 and once or twice a day "regular" traffic is detected as bad
traffic. The http_decode preprocessor shouldn't harm.

|var IDS   200.1.1.107/32   <- the machine running snort
|var MAIL  200.1.1.115/32
|var OTHERMACHINE 200.1.1.122/32
|preprocessor http_decode: 80 8080
|pass tcp $IDS any <> $MAIL 1984
|pass tcp $OTHERMACHINE any <> $MAIL 1984

Usually the traffic "$IDS any <> $MAIL 1984" is ignored/passed. But
sometimes I have log entries, although there should be none. Maybe
because port 3306 is the same as MySQL's default port? Maybe because
it's the machine running snort that produces the traffic?
$OTHERMACHINE's traffic is ignored correctly in the pass rules. Any
ideas?

|04/28-02:16:40.504494 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x4A
|200.1.1.115:1984 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:34326 IpLen:20 DgmLen:60
|DF
|***A**S* Seq: 0xB595C3E  Ack: 0x1F694F88  Win: 0x7D78  TcpLen: 40
|TCP Options (5) => MSS: 1460 SackOK TS: 50603162 50754946 NOP
|TCP Options => WS: 0
|
|=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|
|04/28-02:16:40.508592 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x42
|200.1.1.115:1984 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:34327 IpLen:20 DgmLen:52
|DF
|***A**** Seq: 0xB595C3F  Ack: 0x1F695071  Win: 0x7C8F  TcpLen: 32
|TCP Options (3) => NOP NOP TS: 50603162 50754947
|
|=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|
|04/28-02:16:40.511261 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x42
|200.1.1.115:1984 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:34328 IpLen:20 DgmLen:52
|DF
|***A**** Seq: 0xB595C3F  Ack: 0x1F695072  Win: 0x7D78  TcpLen: 32
|TCP Options (3) => NOP NOP TS: 50603163 50754947
|
|=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|
|04/28-02:16:40.512135 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x42
|200.1.1.115:1984 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:34329 IpLen:20 DgmLen:52
|DF
|***A***F Seq: 0xB595C3F  Ack: 0x1F695072  Win: 0x7D78  TcpLen: 32
|TCP Options (3) => NOP NOP TS: 50603163 50754947
|



-- 
PGP/GPG Key-ID:
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1
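As an added example (not code from the post or from Snort itself), a small Python checker that parses packet headers in the log format quoted above and tests each one against the post's two pass rules, treating the `<>` operator as bidirectional. It assumes the `var` definitions expand to the /32 addresses given; the second packet line in the sample is constructed to show a non-matching case.

```python
import re
from ipaddress import ip_network, ip_address

# The pass rules from the post, with $IDS, $MAIL and $OTHERMACHINE expanded
# (assumed /32 values as defined in the post).
PASS_RULES = [
    ("tcp", "200.1.1.107/32", "any", "<>", "200.1.1.115/32", "1984"),
    ("tcp", "200.1.1.122/32", "any", "<>", "200.1.1.115/32", "1984"),
]

# Constructed sample: the first packet is from the post, the second is made up.
SAMPLE_LOG = """\
|04/28-02:16:40.504494 0:1:96:DB:25:C0 -> 0:6:29:8F:21:27 type:0x800 len:0x4A
|200.1.1.115:1984 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:34326 IpLen:20 DgmLen:60
|DF
|200.1.1.50:4444 -> 200.1.1.107:3306 TCP TTL:63 TOS:0x0 ID:1 IpLen:20 DgmLen:52
"""

# Matches the "src:sport -> dst:dport PROTO ..." header line; the optional
# leading "|" is the mail quoting in the post, not part of Snort's output.
PKT_RE = re.compile(
    r"^\|?(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (TCP|UDP|ICMP)")

def _port_match(spec, port):
    return spec == "any" or int(spec) == port

def _one_way(rule, proto, src, sport, dst, dport):
    rproto, rsrc, rsport, _, rdst, rdport = rule
    return (rproto == proto.lower()
            and ip_address(src) in ip_network(rsrc) and _port_match(rsport, sport)
            and ip_address(dst) in ip_network(rdst) and _port_match(rdport, dport))

def rule_matches(rule, proto, src, sport, dst, dport):
    if _one_way(rule, proto, src, sport, dst, dport):
        return True
    # '<>' is bidirectional: retry with the endpoints swapped
    return rule[3] == "<>" and _one_way(rule, proto, dst, dport, src, sport)

def parse_packets(log_text):
    """Extract (proto, src, sport, dst, dport) from each packet header line."""
    pkts = []
    for line in log_text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            src, sport, dst, dport, proto = m.groups()
            pkts.append((proto, src, int(sport), dst, int(dport)))
    return pkts

def check_pass(log_text, rules=PASS_RULES):
    """For each logged packet, the index of the first pass rule it hits, or None."""
    return [(pkt, next((i for i, r in enumerate(rules) if rule_matches(r, *pkt)), None))
            for pkt in parse_packets(log_text)]
```

A packet paired with a rule index is one the pass rules should have swallowed; a `None` is traffic the rules genuinely do not cover.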