[Snort-users] Bad Protocol?

Martin Roesch roesch at ...1935...
Mon Jan 6 08:13:05 EST 2003


This rule doesn't work because you can't stack ip_proto calls in a Snort
rule (today).  Disable it for now, I'm fixing the ip_proto detection plugin
as we speak...

     -Marty


On 1/6/03 10:13 AM, "Cloppert, Michael" <Michael.Cloppert at ...5884...> wrote:

> Mike, et al.,
> 
> I was about to post a duplicate message - glad I checked my Snort folder
> first!
> 
> Here are the details of what I'm seeing:
> I get events logged as "BAD TRAFFIC Non-Standard IP protocol".  My Snort
> signature for this (sid=1620), as a sanity check, is:
> ---
> log ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP
> protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47;
> ip_proto:!50; ip_proto:!51; ip_proto:!89; classtype:non-standard-protocol;
> sid:1620; rev:2;)
> ---
> 
> Dumping one of the packets triggering this as tcpdump interprets it, I see:
> ---
> 22:49:10.175747 24.154.208.125.2534 > 204.90.1.66.443: . [tcp sum ok]
> 1078:1078(0) ack 7125 win 64191 (DF) (ttl 115, id 30015, len 40)
> 4500 0028 753f 4000 7306 dbdc xxxx xxxx
> yyyy yyyy 09e6 01bb 0cf9 3295 5212 5399
> 5010 fabf 0d86 0000 0000 0000 0000
> ---
> ...obviously, by the 0x06 in the 9th byte, this is TCP.  Surprisingly enough,
> when I look in my Snort database, I even see the "ip_proto" field in the
> "iphdr" table listed as "6"!  This means Snort is even reading the packet
> properly.  Why this is triggering is beyond me, but my burgeoning log files
> are becoming more than just a nuisance, as I have numerous packets like
> this.
> 
> Any help is welcome!!!
> 
> Mike
> 
>> -----Original Message-----
>> From: Mike Koponick [mailto:mike at ...7385...]
>> Sent: Sunday, January 05, 2003 12:30 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Bad Protocol?
>> 
>> 
>> Now that I have decent logging working, I'm getting some messages that
>> appear to be normal packets, but SNORT seems to think that something is
>> wrong with them. I think it might be a rule problem. Has anyone else seen
>> this?
>> 
>> 01/05-17:33:24.184929  [**] [118:1:1] (spp_conversation) Bad IP protocol!
>> [**] {UDP} 192.168.xx.xx:514 -> 192.168.xx.xx:514
>> 
>> Obviously, this is a SYSLOG message, which we do have a node on the network
>> logging to the snort box for syslog parsing.
>> 
>> This is what the packet looks like:
>> 
>> [**] (spp_conversation) Bad IP protocol! [**]
>> 01/04-15:56:38.598158 192.168.xx.xx:514 -> 192.168.xx.xx:514
>> UDP TTL:255 TOS:0x0 ID:46088 IpLen:20 DgmLen:171
>> 
>> Thanks in advance for your help.
>> 
>> Mike
>> 
>> 
>> 
>> -------------------------------------------------------
>> This sf.net email is sponsored by:ThinkGeek
>> Welcome to geek heaven.
>> http://thinkgeek.com/sf
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
> 
> 
> 
> 

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
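An added example, not code from the thread or from Snort itself: it decodes the IPv4 protocol field from raw header bytes and evaluates the condition SID 1620 above was evidently meant to express, reading the stacked ip_proto:!N options as one conjunction ("protocol is none of 1, 2, 6, 47, 50, 51, 89"). That reading is an assumption drawn from Marty's reply, not documented Snort behaviour. The packet bytes are the hex dump from Mike Cloppert's post; the address words masked as xxxx/yyyy there are filled from the tcpdump summary line of the same post (24.154.208.125 -> 204.90.1.66), and the header checksum 0xdbdc verifies with them. The second packet builder and its addresses are constructed for illustration.

```python
"""Decode an IPv4 header and apply the intended SID 1620 condition.

Added example for this thread; not Snort code.  The negated ip_proto
options are collected from the posted rule text into one exclusion set
(assumed conjunction semantics), and a packet matches only if its
protocol number is outside that set.
"""
import re
import struct

# The rule exactly as quoted in the post.
RULE_1620 = (
    'log ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP '
    'protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47; '
    'ip_proto:!50; ip_proto:!51; ip_proto:!89; classtype:non-standard-protocol; '
    'sid:1620; rev:2;)'
)


def negated_ip_protos(rule_text: str) -> frozenset:
    """Collect every ip_proto:!N option of a rule into one exclusion set.
    Only the negated form is handled; a positive ip_proto:N would need a
    separate allow-set and is not present in the posted rule."""
    return frozenset(int(n) for n in re.findall(r"ip_proto:!(\d+)\s*;", rule_text))


# ICMP, IGMP, TCP, GRE, ESP, AH, OSPF as listed in the rule.
EXCLUDED_PROTOS = negated_ip_protos(RULE_1620)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return the header fields tcpdump printed in the post (ttl, id, len,
    DF, protocol, addresses) plus a checksum verdict.  Raises on non-IPv4."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack(
        "!BBHHHBBH", pkt[:12]
    )
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    # The checksum covers the header with the checksum field itself zeroed.
    zeroed = pkt[:10] + b"\x00\x00" + pkt[12:ihl]
    return {
        "ttl": ttl,
        "id": ident,
        "len": total_len,
        "df": bool(flags_frag & 0x4000),
        "proto": proto,            # offset 9 of the header: 0x06 == TCP
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "checksum_ok": ipv4_checksum(zeroed) == csum,
    }


def sid1620_matches(pkt: bytes) -> bool:
    """Intended condition of SID 1620: protocol not in the excluded set."""
    return parse_ipv4_header(pkt)["proto"] not in EXCLUDED_PROTOS


def build_ipv4(proto: int, payload: bytes = b"", src: str = "192.0.2.1",
               dst: str = "198.51.100.2", ttl: int = 64, ident: int = 1) -> bytes:
    """Constructed minimal IPv4 datagram (no options, valid checksum) so the
    check can be exercised with protocols other than the posted packet's.
    The documentation-range addresses are made up for this example."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    head = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0)
    head += addr(src) + addr(dst)
    return head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:] + payload


# Hex dump from the post; the masked source/destination words are filled from
# the tcpdump summary line of the same post.
POST_PACKET = bytes.fromhex(
    "4500 0028 753f 4000 7306 dbdc 189a d07d"
    "cc5a 0142 09e6 01bb 0cf9 3295 5212 5399"
    "5010 fabf 0d86 0000 0000 0000 0000"
)

if __name__ == "__main__":
    print(parse_ipv4_header(POST_PACKET))   # proto 6, ttl 115, id 30015, len 40, checksum ok
    print(sid1620_matches(POST_PACKET))     # False: TCP is excluded, so the rule should not fire
    print(sid1620_matches(build_ipv4(41)))  # True: IPv6-in-IPv4 is not in the list
    print(sid1620_matches(build_ipv4(17)))  # True: the posted option list has no ip_proto:!17
```

Running the header through the check confirms what the database row already said: the packet is protocol 6 with a valid checksum, and under conjunction semantics it must not match. Note also that the option list as posted contains no ip_proto:!17, so a plain UDP datagram does satisfy the intended condition; that is separate from the spp_conversation message in the first post, which comes from the preprocessor rather than from this rule.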
