[Snort-users] issue with 2.8.2

Jason Haar Jason.Haar at ...294...
Tue Jun 3 20:46:19 EDT 2008


Hi there

I've just upgraded from 2.8.0.1 to 2.8.2 and an existing rule started 
triggering that isn't meant to.

We have some DMZes which aren't meant to make unexpected outbound 
connections, so we use "pass" rules to ignore/pass traffic that is 
expected, and then trigger on everything else. Works well - until today.

pass tcp $DMZES_NETS any -> any 53 (msg:"DMZ host doing DNS zone 
transfer or large DNS lookup"; sid:3000023;rev:2;)
alert tcp $DMZES_NETS any -> any 26:79 (msg:"DMZ host attempting 
outgoing connection to port range 26-79";flags:S;tag: session, 10, 
packets;classtype:successful-admin;sid:1000007;rev:1;reference: url, 
/secure/cvename.php?name=1000007;)

The DMZES_NETS contain hosts that do full Internet DNS lookups - which 
means mostly UDP/DNS with the occasional TCP/DNS query.

What we are seeing today (since upgrading to 2.8.2) is alerts on 
TCP-based DNS lookups. The alerts generated ("DMZ host attempting 
outgoing connection to port range 26-79") have the SYN set, and are TCP 
port 53 - as above. And yet the previous 30000023 didn't trigger and 
pass it...?

This is on CentOS4.6 systems - yes - it's triggering on multiple DMZes 
and different snort servers.

Is this a bug, or has some logic changed that makes the above rule combo 
incorrect now? The DNS preprocessor is enabled if that matters...

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





More information about the Snort-users mailing list