[Snort-users] alert suppression

CunningPike cunningpike at ...11827...
Wed May 6 19:11:43 EDT 2009


We get some of these alerts too, but only from a specific segment on our
LAN, so I'm currently trying to hunt down the reason. The fact that we
don't get them from any other segment leads me to think that they are
indicative of something rather than simple noise.

If I find out anything, I'll post it to the list.

CP

On Wed, 2009-05-06 at 15:38 -0600, Jefferson, Shawn wrote:
> Further to this, I was able to figure out that the dcerpc2
> preprocessor seems to be causing these tagged packet alerts.
> Specifically one example is:
> 
> Sig 34: Dcerpc2: Connection-oriented DCE/RPC – Fragment length on last
> fragment less than maximum negotiated fragment transmit size for
> client.
> 
> Searching on the IP address in the tagged packet, like Greg suggested
> and then sorting them by timestamp shows that this alert and a couple
> of tagged packets all have the same src/dst IP and port and timestamp
> in BASE.
> 
> Now I know what they are, I don’t want to get rid of them from showing
> up in BASE. ;)
> 
> Thanks,
> 
> Shawn
> 
> ______________________________________________________________________
> From: Greg Bowser [mailto:topnotcher at ...11827...]
> Sent: May 06, 2009 1:49 PM
> To: Jefferson, Shawn
> Cc: Joel Esler; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] alert suppression
> 
> > Yes I am running some of the emerging-threats rules, and grepping for
> > “tag:” shows quite a few rules that use it.
> > Is there no way to determine which rule is generating the “tag:
> > tagged packet” alert? What is it for exactly?
> 
> 
> Sometimes, it is nice to see the packets that follow the packet that
> triggered an alert (i.e. the response).  The tag keyword accomplishes
> this.  Any of the rules you found that have the "tag" keyword will tag
> packets (exactly which packets and how many is specified in the rule).
> 
> 
> If you look at the traffic with the same src/dst ip pair (in either
> order) before the tagged packets, you should see the rule that started
> the tagging.
> 
> 
> -- Greg
> 
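One way to do the correlation Greg describes (match a tagged packet to the most recent earlier non-tag alert that shares the same src/dst IP pair, in either order), as an added Python example that is not part of this thread. The alert lines are constructed in a simplified alert_fast layout; the gid:sid used for the dcerpc2 alert is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in a simplified Snort alert_fast layout (not a real capture).
# sid 34 for the dcerpc2 alert comes from the thread; gid 133 is an assumption.
# Which gid:sid a "tagged packet" entry carries depends on the output plugin,
# so the correlation keys on the message text, not on the id.
SAMPLE_ALERTS = """\
05/06-15:38:01.000100 [**] [133:34:1] DCERPC2: Connection-oriented DCE/RPC - Fragment length on last fragment less than maximum negotiated fragment transmit size for client [**] {TCP} 10.0.5.20:49152 -> 10.0.9.7:445
05/06-15:38:01.000350 [**] [1:0:0] tag: tagged packet [**] {TCP} 10.0.9.7:445 -> 10.0.5.20:49152
05/06-15:38:01.000600 [**] [1:0:0] tag: tagged packet [**] {TCP} 10.0.5.20:49152 -> 10.0.9.7:445
05/06-15:40:12.500000 [**] [1:0:0] tag: tagged packet [**] {TCP} 10.0.7.3:1234 -> 10.0.9.7:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse alert_fast-style lines into dicts, sorted by time; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["time"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
        a["is_tag"] = "tagged packet" in a["msg"].lower()
        a["pair"] = frozenset((a["src"], a["dst"]))  # unordered pair: either direction matches
        alerts.append(a)
    return sorted(alerts, key=lambda a: a["time"])


def correlate_tagged(text):
    """Return (timestamp, 'gid:sid' of the originating rule or None) for each tagged packet."""
    last_rule_for_pair = {}
    results = []
    for a in parse_alerts(text):
        if a["is_tag"]:
            # Most recent earlier non-tag alert on this IP pair is the rule that started tagging.
            results.append((a["ts"], last_rule_for_pair.get(a["pair"])))
        else:
            last_rule_for_pair[a["pair"]] = f'{a["gid"]}:{a["sid"]}'
    return results


if __name__ == "__main__":
    for ts, origin in correlate_tagged(SAMPLE_ALERTS):
        print(ts, "<-", origin or "no earlier alert on this IP pair")
```

A tagged packet with no earlier alert on its IP pair (the last sample line) is reported with None, which is the case worth looking at when tag output seems to come from nowhere.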