[Snort-users] Definite corruption of addresses in Snort 2.02 alert

Jason Haar Jason.Haar at ...294...
Sun Sep 28 20:06:17 EDT 2003


I had Snort just go off claiming that one of our DMZ hosts had just done
something nasty against an Internet host, and when I checked - it hadn't....

I'm logging into SQL and syslog, and am managing that data via ACID.

OK, the picture looks like this:


Internet (hostZ) <---> DMZ (hostA,hostB) 

Snort can see all traffic between any host in the DMZ, including the
Internet as well as other DMZ hosts (it's a hub).

The home-made alert said one of our DMZ SMTP servers (hostA) had just dumped
some "Internal use only" data onto an Internet SMTP server (hostZ), but when
I checked the logs, I *know* that it was actually a connection between a
*different* DMZ host (hostB) and the DMZ SMTP server (hostA)! I captured the
SMTP transaction, and it definitely shows hostB talking to hostA, although
Snort says it's IP address hostA talking to hostZ. 

i.e. the data matches a totally different pair of IP addresses.

The rule looks like:

alert tcp $TRIMBLE any -> !$TRIMBLE any (msg:"Trimble Internal Use Only seen
at perimeter 1";content:"XXXXXXXX";nocase;tag: session, 10, packets;)

and indeed the alert and tagged records all contained hostA talking to hostZ.

Something is corrupt in there, any ideas? BTW, the syslog and SQL data back
each other up, so it occurred earlier on (i.e. it isn't a MySQL problem or
anything). 


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the Snort-users mailing list