[Snort-users] sudden sensitive_data threshold exceeded alerts

Agus agus.262 at ...11827...
Tue Apr 12 11:50:13 EDT 2011


Hi guys,

I've been getting a lot of these alerts for a couple of days now.

[139:1:1] sensitive_data: sensitive data global threshold exceeded
[Classification: Senstive Data] [Priority: 2]: {PROTO:254}

I use Snorby, and it doesn't show any payload, so I checked the
alert log with tcpdump and found this:


19:22:55.629576 IP (tos 0x0, ttl 114, id 27323, offset 0, flags [DF],
proto: unknown (254), length: 20) 190.99.x.x > 172.31.201.9:
ip-proto-254 0
        0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\...E.
        0x0010:  0014 6abb 4000 72fe 048c be63 6518 ac1f  ..j.@.r....ce...
        0x0020:  c909                                     ..
19:24:02.978690 IP (tos 0x0, ttl 114, id 28108, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 6dcc 4000 72fe 017b ac1f c909 be63  ..m.@.r..{.....c
        0x0020:  6518                                     e.
19:27:47.949156 IP (tos 0x0, ttl 114, id 29386, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 72ca 4000 72fe fc7c ac1f c909 be63  ..r.@.r..|.....c
        0x0020:  6518                                     e.
19:42:40.923410 IP (tos 0x0, ttl 106, id 1779, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 06f3 4000 6afe 4d23 ac1f c909 d8ae  ....@.j.M#......
        0x0020:  6dfe                                     m.
19:42:47.858569 IP (tos 0x0, ttl 106, id 1895, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 0767 4000 6afe 4caf ac1f c909 d8ae  ...g@.j.L.......
        0x0020:  6dfe                                     m.
19:42:53.321362 IP (tos 0x0, ttl 106, id 1942, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 0796 4000 6afe 4c80 ac1f c909 d8ae  ....@.j.L.......
        0x0020:  6dfe                                     m.
19:42:54.058349 IP (tos 0x0, ttl  64, id 14491, offset 0, flags [DF],
proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
ip-proto-254 0
        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
        0x0010:  0014 389b 4000 40fe 457b d8ae 6dfe ac1f  ..8.@.@.E{..m...
        0x0020:  c909                                     ..
19:43:19.570238 IP (tos 0x0, ttl  64, id 14522, offset 0, flags [DF],
proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
ip-proto-254 0
        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
        0x0010:  0014 38ba 4000 40fe 455c d8ae 6dfe ac1f  ..8.@.@.E\..m...
        0x0020:  c909                                     ..
19:44:55.440976 IP (tos 0x0, ttl  64, id 15039, offset 0, flags [DF],
proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
ip-proto-254 0
        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
        0x0010:  0014 3abf 4000 40fe 4357 d8ae 6dfe ac1f  ..:.@.@.CW..m...
        0x0020:  c909                                     ..
19:46:27.467767 IP (tos 0x0, ttl 106, id 4001, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 0fa1 4000 6afe 4475 ac1f c909 d8ae  ....@.j.Du......
        0x0020:  6dfe                                     m.
19:46:27.852439 IP (tos 0x0, ttl 106, id 4065, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 0fe1 4000 6afe 4435 ac1f c909 d8ae  ....@.j.D5......
        0x0020:  6dfe                                     m.
19:46:27.854024 IP (tos 0x0, ttl 105, id 4070, offset 0, flags [DF],
proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
ip-proto-254 0
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 0fe6 4000 69fe 4530 ac1f c909 d8ae  ....@.i.E0......
        0x0020:  6dfe                                     m.

and so on. The private IP is a reverse proxy.

IP Protocol 254: this is a core Internet Protocol with protocol
number 254. As per the IANA specification, this protocol is reserved
for Private/Experimental/Internal use.

Any hints on investigating this deeper are appreciated. I am now looking
at the source in dynamic-preprocessors/sdf, but I have no clue what to look for.

Cheers
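The quickest way to see what the sensitive_data preprocessor could have matched in these packets is to decode the hex columns of the dumps rather than trust the summary line. The script below is an added example, not code from the original post or from Snort. It copies the hex columns of the first two frames from the post as constructed input (the dumps are assumed to be tcpdump -XX output with a 14-byte Ethernet II header, which the 0800 ethertype at offset 12 confirms), rebuilds the raw frames, parses the IPv4 header, verifies the header checksum, and measures how many bytes of L3 payload remain after the header. Every name in it (hexdump_to_bytes, parse_ipv4_frame, inspect_dumps) is the example's own.

```python
"""Decode the header-only IP-protocol-254 frames posted above and report
what, if anything, a payload-inspecting preprocessor could have seen.

Added example; not part of the original post and not Snort code.
"""
import struct
from typing import Dict, List

ETHERTYPE_IPV4 = 0x0800

# Constructed input: the first inbound and first outbound frame from the
# post, as tcpdump -XX printed them (offset, hex words, ASCII column).
DUMPS = {
    "190.99.x.x -> 172.31.201.9": r"""
        0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\...E.
        0x0010:  0014 6abb 4000 72fe 048c be63 6518 ac1f  ..j.@.r....ce...
        0x0020:  c909                                     ..
    """,
    "172.31.201.9 -> 190.99.x.x": r"""
        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
        0x0010:  0014 6dcc 4000 72fe 017b ac1f c909 be63  ..m.@.r..{.....c
        0x0020:  6518                                     e.
    """,
}


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame from tcpdump -XX output.

    Only the 2- or 4-digit hex words after the offset are used; parsing of
    a line stops at the first token that is not hex, which skips the ASCII
    column (in this data it never looks like a hex word).
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, rest = line.strip().partition(":")
        for tok in rest.split():
            if len(tok) in (2, 4) and all(c in "0123456789abcdefABCDEF" for c in tok):
                out.extend(bytes.fromhex(tok))
            else:
                break
    return bytes(out)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header that still contains its own
    checksum field sums to 0 when it is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_frame(raw: bytes) -> Dict[str, object]:
    """Parse Ethernet II + IPv4 and report the bytes left for L3 payload."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version or IHL")
    # Payload is bounded by the declared total length, not the frame length:
    # Ethernet pads short frames and tcpdump prints the padding too.
    payload_end = max(ihl, min(total_len, len(ip)))
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "ihl": ihl,
        "total_len": total_len,
        "checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "payload_len": payload_end - ihl,
        "header_only": total_len == ihl,
    }


def inspect_dumps(dumps: Dict[str, str]) -> List[Dict[str, object]]:
    """Decode every dump and return one record per frame, in input order."""
    return [dict(label=label, **parse_ipv4_frame(hexdump_to_bytes(text)))
            for label, text in dumps.items()]


def all_header_only(dumps: Dict[str, str]) -> bool:
    """True when no frame carries a single byte of L3 payload."""
    return all(r["header_only"] for r in inspect_dumps(dumps))


if __name__ == "__main__":
    for r in inspect_dumps(DUMPS):
        print(f'{r["label"]}: id={r["id"]} ttl={r["ttl"]} proto={r["proto"]} '
              f'ihl={r["ihl"]} total_len={r["total_len"]} '
              f'csum_ok={r["checksum_ok"]} payload={r["payload_len"]} bytes')
    print("header-only:", all_header_only(DUMPS))
```

Both frames decode to a well-formed 20-byte IPv4 header (valid checksum, id and ttl matching tcpdump's summary line) with protocol 254 and a payload of zero bytes, so there is no data in them for a PII pattern to match; that is the fact worth taking to the list along with the Snort version. If the goal is only to stop the noise, Snort 2.x threshold.conf accepts `suppress gen_id 139, sig_id 1, track by_src, ip <peer>` for the offending peers, but that also hides genuine global-threshold hits from those addresses, so it is a stopgap rather than an explanation.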
