[Snort-users] Odd Information

Lee Clemens snort at ...13080...
Sun Apr 17 15:37:04 EDT 2005


I'm a bit confused about the question. You say your rule is broken? But you
have it set to pass any tcp, udp, or icmp packet. 

> Anyway, I am wondering do I have something setup wrong in the rule set 
> that is letting these few IP addresses through? Why is the port 0?

Why wouldn't it let those IP addresses through? You have it set to log for
that particular rule, and pass <> anything to anything, effectively.

For the second part, I'm not exactly sure (especially without seeing the
logged packet), but it seems the port is 0 because the packet was cut short.


What is it you are trying to make happen?

Also, you will want to make ![$NETWORK] look like !$NETWORK (I'm pretty sure
[]'s are only used for IP lists).

Hope that's a start at least, but I still don't feel like I answered your
question...

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Kevin Smith
Sent: Saturday, April 16, 2005 4:29 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Odd Information

Hey everyone, 

I have noticed every once in a while a rule of mine is broken. I am not sure
what is causing it and was wondering if anyone had any ideas. 

Here is my rule. 

var NETWORK [64.7.160.0/19]

pass tcp ![$NETWORK] any <> any any
pass udp ![$NETWORK] any <> any any
pass icmp ![$NETWORK] any <> any any

log tcp $NETWORK any -> any any (flowbits:isnotset,tagged; flowbits:set,tagged; threshold: type limit, track by_src, count 5, seconds 30; tag:session, 600, seconds;)

Now what is odd is that I get maybe 1 or 2 of these every few days (sorry if
the HTML throws anyone off).


 #   ID          Signature                                           Timestamp            Source           Destination      Proto
 #0  (1-76619)   [snort] snort_decoder: TCP Data Offset is less than 5!  2005-04-16 10:00:35  221.14.148.19:0  64.7.175.54:0    TCP
 #1  (1-76620)   [snort] snort_decoder: TCP Data Offset is less than 5!  2005-04-16 10:02:31  221.14.148.19:0  64.7.191.181:0   TCP
 #2  (1-76646)   [snort] snort_decoder: TCP Data Offset is less than 5!  2005-04-16 10:04:19  221.14.148.19:0  64.7.184.171:0   TCP
 #3  (1-76655)   [snort] snort_decoder: TCP Data Offset is less than 5!  2005-04-16 10:04:58  221.14.148.19:0  64.7.181.186:0   TCP
 #4  (1-76656)   [snort] snort_decoder: TCP Data Offset is less than 5!  2005-04-16 10:05:02  221.14.148.19:0  64.7.188.29:0    TCP
 #5  (1-76689)   [snort] snort_decoder: TCP Data Offset is less than 5!  2005-04-16 10:05:54  221.14.148.19:0  64.7.186.38:0    TCP
 #6  (1-76690)   [snort] snort_decoder: TCP Data Offset is less than 5!  2005-04-16 10:06:00  221.14.148.19:0  64.7.189.109:0   TCP
 #7  (1-76736)   [snort] snort_decoder: TCP Data Offset is less than 5!  2005-04-16 10:07:24  221.14.148.19:0  64.7.186.246:0   TCP

 (Signature link: http://www.snort.org/snort-db/sid.html?sid=46; alert and
 IP links point to the ACID console at http://64.7.161.19/acid/)

Anyway, I am wondering if I have something set up wrong in the rule set that
is letting these few IP addresses through? Why is the port 0?

Thanks for your help.
Kevin
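As an added example for readers of this thread (not code from either poster and not Snort's own source), the following Python decodes an IPv4/TCP packet the way a Snort-style decoder does and shows where the ":0" ports in the ACID listing come from: the TCP header's data-offset field must be at least 5 (5 x 32-bit words = 20 bytes), and when it is smaller the decoder does not trust the TCP layer at all, so the source and destination ports are never populated and are reported as 0. The same happens when the capture is shorter than a TCP header, which is the "cut short" case the reply mentions. My understanding (not stated on the page) is that this event is raised by the packet decoder itself rather than by a signature, so the pass rules in the posted ruleset do not affect it. The packet builder, the field names and the exact message strings below are assumptions for illustration; the offset check is the real one.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# A TCP header is at least 5 32-bit words (20 bytes); smaller offsets are invalid.
TCP_MIN_HDR_WORDS = 5


@dataclass
class TcpDecode:
    src: str
    dst: str
    sport: int                    # 0 when the TCP layer was not decoded
    dport: int                    # 0 when the TCP layer was not decoded
    data_offset: int              # data-offset field as seen on the wire (32-bit words)
    decoder_alert: Optional[str]  # message if the decoder rejected the TCP header


def _ipv4(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def decode_ipv4_tcp(pkt: bytes) -> TcpDecode:
    """Decode IPv4/TCP, only trusting the TCP layer when the header is sane.

    Mirrors a Snort-style decoder (assumption about internal behaviour, for
    illustration): on a bad data offset the ports stay at 0 and an alert
    is recorded instead of a normal decode.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = pkt[9]
    src, dst = _ipv4(pkt[12:16]), _ipv4(pkt[16:20])
    if proto != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        # Packet cut short: not even a minimal TCP header is present.
        return TcpDecode(src, dst, 0, 0, 0, "TCP packet shorter than the TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = off_flags >> 12        # upper 4 bits of byte 12
    if data_offset < TCP_MIN_HDR_WORDS:
        # This is the case behind the thread's sid 46 events.
        return TcpDecode(src, dst, 0, 0, data_offset, "TCP Data Offset is less than 5!")
    if data_offset * 4 > len(tcp):
        return TcpDecode(src, dst, 0, 0, data_offset, "TCP Data Offset is longer than payload!")
    return TcpDecode(src, dst, sport, dport, data_offset, None)


def build_packet(src: str, dst: str, sport: int, dport: int,
                 data_offset_words: int, flags: int = 0x02) -> bytes:
    """Construct a minimal IPv4/TCP packet (constructed test input, not captured traffic).

    Checksums are left at 0; the decoder above does not verify them.
    """
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                          (data_offset_words << 12) | flags, 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr), 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    # Addresses taken from the listing in the thread; the packets themselves are constructed.
    for words in (5, 3):
        print(decode_ipv4_tcp(build_packet("221.14.148.19", "64.7.175.54", 4444, 80, words)))
```

To see the actual offending packets rather than the decoded summary, capture them with a BPF filter on the data-offset nibble, e.g. `tcpdump -nn -s0 -X 'tcp[12] & 0xf0 < 0x50'`; that will also show whether the header really is malformed or the frame was simply truncated.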






