[Snort-users] Trouble with pass rule

Carl lists at ...9056...
Mon Apr 28 15:04:32 EDT 2003


Am I just stupid, or what?


I am getting a bunch of false positives on CID 1322:

alert ip $EXTERNAL_NET any -> $HOME_NET any ( sid: 1322; rev: 4; msg: "BAD TRAFFIC bad frag bits"; fragbits: MD; classtype: misc-activity;)

The systems:
uname -a output (LVS kernel from ultramonkey.org):
Linux penguin 2.4.18-27.8.0.um.1 #1 Thu Mar 20 14:02:22 JST 2003 i686 i686 i386 GNU/Linux

Snort 2.0.0
SnortCenter v1.0 (beta)
ACID v0.9.6b23


The variable settings:

var HOME_NET [192.168.0.0/24,10.27.0.0/16]
var EXTERNAL_NET any

Example alert (from /var/log/snort/alert):

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
04/28-17:50:18.327281 10.27.13.211 -> 10.27.255.255
UDP TTL:64 TOS:0x0 ID:30423 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0172   Frag Size: 0x0014


I added the following pass rule, and set snort to run with the -o flag:

var EPP_CHATTERS 10.47.0.0/16

pass ip $EPP_CHATTERS any -> $HOME_NET any ( sid: 1000001; rev: 7; fragbits: MD;)


But I still get the alerts. The traffic is a local application protocol that uses large UDP datagrams
that get fragmented into 1500-byte IP packets (plus one for the leftover). All but the final
leftover have the DF and MF flags set, as shown in the alert. The final has DF only, and isn't
alerting.

I also removed CID 521 (MISC Large UDP Packet) which this was triggering as well.

As you can see (rev: 7), I tried a few things, like making it UDP vs. IP, adding the UDP
ip_proto: 17, stuff like that.

Any ideas? I can send more traces if that helps. Although some of the packets have
sensitive data, I can try to black it out.

Thanks.

Carl
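As an added example (not part of Carl's post or the Snort project), here is a small Python checker that parses the quoted alert and evaluates each condition of the pass rule header separately (source variable, destination variable, fragbits), which is how I would debug why a pass rule is not suppressing an alert. It assumes Snort's fragbits semantics (a bare value requires exactly those bits) and models `EXTERNAL_NET any` as 0.0.0.0/0.

```python
# Added example: check whether a Snort rule's networks and fragbits match an alert.
import ipaddress
import re

# Constructed sample: the alert text quoted in the post.
ALERT_TEXT = """[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
04/28-17:50:18.327281 10.27.13.211 -> 10.27.255.255
UDP TTL:64 TOS:0x0 ID:30423 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0172   Frag Size: 0x0014
"""

# Snort variables as given in the post; EXTERNAL_NET "any" modelled as 0.0.0.0/0 (assumption).
VARS = {
    "HOME_NET": ["192.168.0.0/24", "10.27.0.0/16"],
    "EPP_CHATTERS": ["10.47.0.0/16"],
    "EXTERNAL_NET": ["0.0.0.0/0"],
}

def parse_alert(text):
    """Extract src, dst and fragbits as Snort letters (D, M, R) from alert text."""
    m = re.search(r"(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)", text)
    flags = {f[0] for f in re.findall(r"\b(DF|MF|RB)\b", text)}
    return {"src": m.group(1), "dst": m.group(2), "fragbits": flags}

def in_nets(ip, nets):
    """True if ip falls inside any of the CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def check(alert, src_var, dst_var, fragbits, variables=VARS):
    """Evaluate 'ip $SRC any -> $DST any (fragbits: <bits>;)' condition by
    condition; a bare fragbits value requires exactly those bits to be set."""
    return {
        "src_in_" + src_var: in_nets(alert["src"], variables[src_var]),
        "dst_in_" + dst_var: in_nets(alert["dst"], variables[dst_var]),
        "fragbits_match": alert["fragbits"] == set(fragbits),
    }

def rule_matches(alert, src_var, dst_var, fragbits, variables=VARS):
    """True only when every condition of the rule header and fragbits holds."""
    return all(check(alert, src_var, dst_var, fragbits, variables).values())

if __name__ == "__main__":
    a = parse_alert(ALERT_TEXT)
    print("sid 1322 fires:", rule_matches(a, "EXTERNAL_NET", "HOME_NET", "MD"))
    print("pass rule:", check(a, "EPP_CHATTERS", "HOME_NET", "MD"))
```

Running it against the quoted alert shows which of the three pass-rule conditions fails, so the mismatch can be read off directly instead of guessed at through rule revisions.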