[Snort-users] sudden sensitive_data threshold exceeded alerts

Jason Wallace jason.r.wallace at ...11827...
Tue Apr 12 16:35:25 EDT 2011


I can't help you with your specific question, but did want to say (in
case you didn't know) that Snorby will show the payload if you have
barnyard2 output database configured for "log" instead of "alert"...

ex.
output database: log, mysql, user=<someone> password=<something>
dbname=<your db name> host=x.x.x.x

thx,
Wally

On Tue, Apr 12, 2011 at 11:50 AM, Agus <agus.262 at ...11827...> wrote:
> Hi guys,
>
> I'm getting a lot of these alerts since a couple of days ago.
>
> [139:1:1] sensitive_data: sensitive data global threshold exceeded
> [Classification: Senstive Data] [Priority: 2]: {PROTO:254}
>
> I use Snorby, and it doesn't show any payload, so I checked the alert
> log with tcpdump and found it.
>
>
> 19:22:55.629576 IP (tos 0x0, ttl 114, id 27323, offset 0, flags [DF],
> proto: unknown (254), length: 20) 190.99.x.x > 172.31.201.9:
> ip-proto-254 0
>        0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\...E.
>        0x0010:  0014 6abb 4000 72fe 048c be63 6518 ac1f  ..j.@.r....ce...
>        0x0020:  c909                                     ..
> 19:24:02.978690 IP (tos 0x0, ttl 114, id 28108, offset 0, flags [DF],
> proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
> ip-proto-254 0
>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>        0x0010:  0014 6dcc 4000 72fe 017b ac1f c909 be63  ..m.@.r..{.....c
>        0x0020:  6518                                     e.
>
> and it goes on. The private IP is a reverse proxy.
>
> IP Protocol 254: This is a core Internet Protocol with a protocol
> number of 254. As per IANA specification, this protocol is reserved
> for Private/Experimental/Internal use.
>
> Any hints to investigate this deeper are appreciated. I am now looking
> at the source in dynamic-preprocessors/sdf but I have no clue what to look for.
>
> Cheers
>
>
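As an added example (not code from either poster), a small Python decoder that rebuilds the frame from the quoted tcpdump -X lines and reports what the IPv4 header itself says: protocol 254, total length 20 and therefore zero payload bytes, which is also why a payload view in Snorby has nothing to show. The sample dump is constructed from the first frame quoted above.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed sample (not a live capture): the first frame quoted above,
# a 14-byte Ethernet header followed by a 20-byte IPv4 header and nothing else.
SAMPLE_DUMP = r"""
        0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\...E.
        0x0010:  0014 6abb 4000 72fe 048c be63 6518 ac1f  ..j.@.r....ce...
        0x0020:  c909                                     ..
"""

def tcpdump_hex_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame from tcpdump -X lines ('0xNNNN:  hex words  ascii')."""
    raw = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]{4}:\s+(.*)$", line)
        if m:  # hex words end where the two-space gap before the ASCII column begins
            hexpart = re.split(r"\s{2,}", m.group(1).strip(), maxsplit=1)[0]
            raw += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(raw)

def ip_header_checksum_ok(header: bytes) -> bool:
    """RFC 791 one's-complement sum over the header (checksum word included) folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_ipv4_frame(frame: bytes) -> dict:
    """Decode Ethernet + IPv4 header and report how much payload really follows it."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _tos, total_len, _ident, _ff, ttl, proto, _cksum = struct.unpack("!BHHHBBH", ip[1:12])
    return {
        "ihl": ihl,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "iana_experimental": proto in (253, 254),  # IANA: experimentation and testing
        "checksum_ok": ip_header_checksum_ok(ip[:ihl]),
        "payload_len": total_len - ihl,      # what the header claims follows it
        "captured_payload": len(ip) - ihl,   # what tcpdump actually captured
        "src": str(IPv4Address(ip[12:16])),
        "dst": str(IPv4Address(ip[16:20])),
    }
```

Run `decode_ipv4_frame(tcpdump_hex_to_bytes(SAMPLE_DUMP))` on each quoted frame; a valid header checksum with `payload_len == 0` tells you these are bare header-only datagrams, not a truncated capture.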