[Snort-users] issue with 2.8.2
Jason.Haar at ...294...
Tue Jun 3 20:46:19 EDT 2008
I've just upgraded from 126.96.36.199 to 2.8.2 and an existing rule started
triggering that isn't meant to.
We have some DMZes which aren't meant to make unexpected outbound
connections, so we use "pass" rules to ignore/pass traffic that is
expected, and then trigger on everything else. Works well - until today.
pass tcp $DMZES_NETS any -> any 53 (msg:"DMZ host doing DNS zone
transfer or large DNS lookup"; sid:3000023;rev:2;)
alert tcp $DMZES_NETS any -> any 26:79 (msg:"DMZ host attempting
outgoing connection to port range 26-79";flags:S;tag: session, 10,
The DMZES_NETS contain hosts that do full Internet DNS lookups - which
means mostly UDP/DNS with the occasional TCP/DNS query.
What we are seeing today (since upgrading to 2.8.2) is alerts on
TCP-based DNS lookups. The alerts generated ("DMZ host attempting
outgoing connection to port range 26-79") have the SYN set, and are TCP
port 53 - as above. And yet the previous 30000023 didn't trigger and
This is on CentOS4.6 systems - yes - it's triggering on multiple DMZes
and different snort servers.
Is this a bug, or has some logic changed that makes the above rule combo
incorrect now? The DNS preprocessor is enabled if that matters...
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the Snort-users