[Snort-users] Bad Protocol?

Cloppert, Michael Michael.Cloppert at ...5884...
Mon Jan 6 10:55:09 EST 2003


Good idea, Mark.  What version of Snort are you running?  I'm using the 1.9
final - I don't think the conversation preprocessor is available for 1.9
final, which unfortunately still leaves me in the dust.

Mike

> -----Original Message-----
> From: Mark Schaefer [mailto:mark at ...7913...]
> Sent: Monday, January 06, 2003 12:33 PM
> To: Martin Roesch
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Bad Protocol?
> 
> 
> 
> In my snort.conf, this seems to work just fine:
> 
> preprocessor conversation: allowed_ip_protocols <list>, timeout 60, 
> max_conversations 65335, alert_odd_protocols
> 
> And sends an alert to the log file when it sees something not 
> in <list>.
> 
> Mark
> 
> Martin Roesch wrote:
> > This rule doesn't work because you can't stack ip_proto calls in a Snort
> > rule (today).  Disable it for now, I'm fixing the ip_proto detection plugin
> > as we speak...
> > 
> >      -Marty
> > 
> > 
> > On 1/6/03 10:13 AM, "Cloppert, Michael" <Michael.Cloppert at ...5884...> wrote:
> > 
> > 
> >>Mike, et al.,
> >>
> >>I was about to post a duplicate message - glad I checked my Snort folder
> >>first!
> >>
> >>Here are the details of what I'm seeing:
> >>I get events logged as "BAD TRAFFIC Non-Standard IP protocol".  My Snort
> >>signature for this (sid=1620), as a sanity check, is:
> >>---
> >>log ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP
> >>protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47;
> >>ip_proto:!50; ip_proto:!51; ip_proto:!89; classtype:non-standard-protocol;
> >>sid:1620; rev:2;)
> >>---
> >>
> >>Dumping one of the packets triggering this as tcpdump interprets it, I see:
> >>---
> >>22:49:10.175747 24.154.208.125.2534 > 204.90.1.66.443: . [tcp sum ok]
> >>1078:1078(0) ack 7125 win 64191 (DF) (ttl 115, id 30015, len 40)
> >>4500 0028 753f 4000 7306 dbdc xxxx xxxx
> >>yyyy yyyy 09e6 01bb 0cf9 3295 5212 5399
> >>5010 fabf 0d86 0000 0000 0000 0000
> >>---
> >>..obviously, by the 0x06 in the 9th byte, this is TCP.  Surprisingly enough,
> >>when I look in my Snort database, I even see the "ip_proto" field in the
> >>"iphdr" table listed as "6"!  This means Snort is even reading the packet
> >>properly.  Why this is triggering is beyond me, but my burgeoning log files
> >>are becoming more than just a nuisance, as I have numerous packets like
> >>this.
> >>
> >>Any help is welcome!!!
> >>
> >>Mike
> >>
> >>
> >>>-----Original Message-----
> >>>From: Mike Koponick [mailto:mike at ...7385...]
> >>>Sent: Sunday, January 05, 2003 12:30 PM
> >>>To: snort-users at lists.sourceforge.net
> >>>Subject: [Snort-users] Bad Protocol?
> >>>
> >>>
> >>>Now that I have decent logging working, I'm getting some messages that appear
> >>>to be normal packets, but SNORT seems to think that something is wrong with
> >>>them. I think it might be a rule problem.. has anyone else seen this?
> >>>
> >>>01/05-17:33:24.184929  [**] [118:1:1] (spp_conversation) Bad IP protocol!
> >>>[**] {UDP} 192.168.xx.xx:514 -> 192.168.xx.xx:514
> >>>
> >>>Obviously, this is a SYSLOG message, which we do have a node on the network
> >>>logging to the snort box for syslog parsing.
> >>>
> >>>This is what the packet looks like:
> >>>
> >>>[**] (spp_conversation) Bad IP protocol! [**]
> >>>01/04-15:56:38.598158 192.168.xx.xx:514 -> 192.168.xx.xx:514
> >>>UDP TTL:255 TOS:0x0 ID:46088 IpLen:20 DgmLen:171
> >>>
> >>>Thanks in advance for your help.
> >>>
> >>>Mike
> >>>
> >>>
> >>>
> >>>-------------------------------------------------------
> >>>This sf.net email is sponsored by:ThinkGeek
> >>>Welcome to geek heaven.
> >>>http://thinkgeek.com/sf
> >>>_______________________________________________
> >>>Snort-users mailing list
> >>>Snort-users at lists.sourceforge.net
> >>>Go to this URL to change user options or unsubscribe:
> >>>https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>Snort-users list archive:
> >>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>
> 
> 
> -- 
> Privileged/confidential information may be contained within this 
> communication.  If you are not the intended recipient of this 
> communication, please destroy it without copying, disclosing, or 
> otherwise using its contents and please promptly advise the sender at 
> mschaefer at ...7914...  Any views or opinions expressed are solely those
> of the author and do not necessarily represent those of NTT/VERIO. 
> Thank you.
> 
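As an added example (not code from this thread or from Snort itself): a small Python decoder that parses the IPv4 header from the hex dump Michael posted, with the masked address words filled in from the addresses tcpdump printed on the same line so the original header checksum dbdc verifies, and applies the allowlist that the sid 1620 rule spells out as stacked ip_proto:!N options as one test. The UDP header is constructed from the fields in the syslog alert (TTL 255, ID 46088, DgmLen 171, 514 -> 514) with RFC 5737 documentation addresses.

```python
import struct

# Protocol numbers the sid 1620 rule quoted in this thread excludes one by one
# (ip_proto:!1; ip_proto:!2; ...). Treated here as a single allowlist.
ALLOWED_IP_PROTOCOLS = {1, 2, 6, 47, 50, 51, 89}

# Hex dump of the TCP packet from the thread; the masked address words
# (xxxx/yyyy) are filled in from the addresses tcpdump printed on the same line
# (24.154.208.125 -> 204.90.1.66), so the original header checksum dbdc verifies.
TCP_HEX = (
    "4500 0028 753f 4000 7306 dbdc 189a d07d "
    "cc5a 0142 09e6 01bb 0cf9 3295 5212 5399 "
    "5010 fabf 0d86 0000 0000 0000 0000"
)

# Constructed UDP header matching the syslog alert's fields (TTL 255, ID 46088,
# DgmLen 171, 514 -> 514); RFC 5737 documentation addresses, checksum computed.
UDP_HEX = "4500 00ab b408 0000 ff11 8335 c000 0201 c000 0202 0202 0202 0097 0000"


def parse_ipv4(hex_dump):
    """Decode the fixed IPv4 header fields that Snort's iphdr table records."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len, ident = struct.unpack("!HH", raw[2:6])
    ttl, proto = raw[8], raw[9]          # protocol is the 10th byte (offset 9)
    words = struct.unpack("!%dH" % (ihl // 2), raw[:ihl])
    total = sum(words)                   # ones'-complement sum over the header
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return {
        "ttl": ttl, "id": ident, "len": total_len, "proto": proto,
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "checksum_ok": total == 0xFFFF,  # header plus its checksum folds to all ones
    }


def is_odd_protocol(hex_dump, allowed=ALLOWED_IP_PROTOCOLS):
    """What the rule and alert_odd_protocols both intend: flag any protocol not allowed."""
    return parse_ipv4(hex_dump)["proto"] not in allowed


if __name__ == "__main__":
    for name, dump in (("tcp", TCP_HEX), ("udp", UDP_HEX)):
        print(name, parse_ipv4(dump), "odd" if is_odd_protocol(dump) else "allowed")
```

With the list exactly as quoted, the UDP datagram is reported as odd because 17 is not in it; whatever allowed_ip_protocols you hand to the conversation preprocessor needs to include 17 if syslog traffic is expected.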