[Snort-users] Odd Information

Kevin Smith kjsmith at ...13166...
Sat Apr 16 13:30:12 EDT 2005


Hey everyone,

I have noticed every once in a while a rule of mine is broken. I am not 
sure what is causing it and was wondering if anyone had any ideas.

Here is my rule.

var NETWORK [64.7.160.0/19]

pass tcp ![$NETWORK] any <> any any
pass udp ![$NETWORK] any <> any any
pass icmp ![$NETWORK] any <> any any

log tcp $NETWORK any -> any any (flowbits:isnotset,tagged; 
flowbits:set,tagged; threshold: type limit, track by_src, count 5, 
seconds 30; tag:session, 600, seconds;)

Now what is odd is that I get maybe 1 or 2 of these every few days (sorry 
if the HTML throws anyone off).

Signature (all rows): [snort <http://www.snort.org/snort-db/sid.html?sid=46>] snort_decoder: TCP Data Offset is less than 5!   Proto: TCP

   #    Alert ID    Timestamp             Source             Destination
   #0   (1-76619)   2005-04-16 10:00:35   221.14.148.19:0    64.7.175.54:0
   #1   (1-76620)   2005-04-16 10:02:31   221.14.148.19:0    64.7.191.181:0
   #2   (1-76646)   2005-04-16 10:04:19   221.14.148.19:0    64.7.184.171:0
   #3   (1-76655)   2005-04-16 10:04:58   221.14.148.19:0    64.7.181.186:0
   #4   (1-76656)   2005-04-16 10:05:02   221.14.148.19:0    64.7.188.29:0
   #5   (1-76689)   2005-04-16 10:05:54   221.14.148.19:0    64.7.186.38:0
   #6   (1-76690)   2005-04-16 10:06:00   221.14.148.19:0    64.7.189.109:0
   #7   (1-76736)   2005-04-16 10:07:24   221.14.148.19:0    64.7.186.246:0


Anyway, I am wondering whether I have something set up wrong in the rule set 
that is letting these few IP addresses through? Why is the port 0?

Thanks for your help.
Kevin
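Why the ports read 0 and why the pass rules have no say in it, as an added example that is not part of the original post: Snort's decoder validates the TCP header (including the Data Offset field) before it reads the ports, and a packet whose TCP header is rejected at that stage never gets a usable TCP header for the rule engine, so neither the poster's `pass tcp` rule nor the `log tcp` rule is ever evaluated against it. The Python below builds one well-formed and one malformed IPv4/TCP packet (constructed test input, checksums left at zero) and walks both through a simplified decoder and the bidirectional `pass tcp ![$NETWORK] any <> any any` rule. The helper names, the `decode`/`classify` pipeline and the record layout are mine for illustration, not Snort's code.

```python
import ipaddress
import struct

# $NETWORK from the post
NETWORK = ipaddress.ip_network("64.7.160.0/19")

DECODER_MSG = "snort_decoder: TCP Data Offset is less than 5!"


def build_ipv4_tcp(src, dst, sport, dport, data_offset_words, payload=b""):
    """Build a minimal IPv4/TCP packet as constructed test input.

    Checksums stay zero.  data_offset_words is written straight into the 4-bit
    TCP Data Offset field, so a bogus value (< 5) can be produced on purpose.
    """
    assert 0 <= data_offset_words <= 15
    tcp = struct.pack(
        "!HHIIBBHHH",
        sport, dport,            # source / destination port
        0, 0,                    # seq / ack
        data_offset_words << 4,  # Data Offset (32-bit words) in the high nibble
        0x02,                    # flags: SYN
        8192, 0, 0,              # window, checksum, urgent pointer
    )
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len,      # version/IHL, TOS, total length
        0, 0,                    # identification, flags/fragment offset
        64, 6, 0,                # TTL, protocol (6 = TCP), checksum
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return ip + tcp + payload


def decode(packet):
    """Simplified IPv4/TCP decode in the spirit of Snort's decoder.

    The TCP header is validated before the ports are read: a Data Offset below
    5 raises a decoder event, the TCP header is discarded ("tcph" stays False)
    and both ports remain 0, which is exactly what the ":0" in the console means.
    """
    ihl = (packet[0] & 0x0F) * 4
    rec = {
        "src": str(ipaddress.ip_address(packet[12:16])),
        "dst": str(ipaddress.ip_address(packet[16:20])),
        "sport": 0,
        "dport": 0,
        "tcph": False,
        "events": [],
    }
    if packet[9] != 6:  # not TCP: nothing further for this example
        return rec
    tcp = packet[ihl:]
    if len(tcp) < 20:
        rec["events"].append("snort_decoder: Truncated TCP header")
        return rec
    data_offset = tcp[12] >> 4
    if data_offset < 5:
        rec["events"].append(DECODER_MSG)
        return rec  # ports never populated
    rec["sport"], rec["dport"] = struct.unpack("!HH", tcp[:4])
    rec["tcph"] = True
    return rec


def pass_rule_matches(rec):
    """'pass tcp ![$NETWORK] any <> any any' is bidirectional, so it matches
    whenever either endpoint lies outside $NETWORK."""
    src_out = ipaddress.ip_address(rec["src"]) not in NETWORK
    dst_out = ipaddress.ip_address(rec["dst"]) not in NETWORK
    return src_out or dst_out


def classify(packet):
    """Decode, then consult the tcp pass rule only if a TCP header survived.

    A decoder event is therefore reported regardless of what the pass rule
    would have said about the endpoints.
    """
    rec = decode(packet)
    rec["rules_evaluated"] = rec["tcph"]
    rec["passed"] = rec["tcph"] and pass_rule_matches(rec)
    return rec


if __name__ == "__main__":
    # Constructed samples: same endpoints as the first alert in the post.
    good = build_ipv4_tcp("221.14.148.19", "64.7.175.54", 40000, 80, 5)
    bad = build_ipv4_tcp("221.14.148.19", "64.7.175.54", 40000, 80, 2)
    for pkt in (good, bad):
        r = classify(pkt)
        print(f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'events={r["events"]} rules_evaluated={r["rules_evaluated"]} passed={r["passed"]}')
```

The malformed packet produces the decoder message with both ports at 0 and never reaches the rules, while the well-formed one decodes its ports and is then passed by the bidirectional rule because its source is outside $NETWORK. In Snort 2.x of that era, decoder events of this kind are controlled by decoder configuration such as `config disable_decode_alerts` in snort.conf, not by pass rules.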

