[Snort-users] sudden sensitive_data threshold exceeded alerts

Ryan Jordan ryan.jordan at ...1935...
Tue Apr 12 17:47:44 EDT 2011


Hi Agus,

The sensitive_data preprocessor generates and logs pseudo-packets when
that "global threshold exceeded" alert is triggered. These
pseudo-packets use IP proto 254. The IP addresses are copied from the
packet that triggered the alert.

This behavior is similar to the portscan preprocessor, which generates
pseudo-packets with proto 255.

The alert gets triggered when the sensitive_data preprocessor picks up
on a combination of items that your other sensitive data rules
(gid:138) were configured to look for. By default, this limit is 25
items.

If you look at the payload of those pseudo-packets, you should see a
message printed by the preprocessor that tells you how many of each
item type were detected.

Now, I am surprised that all of your listed packets are only 20 bytes
long. That's just the size of an IP header. How did you configure your
"output" line in snort.conf?

-Ryan
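An added triage example (not code from this thread or from Snort) that does the check described above: it reads one logged frame back from tcpdump -X output, decodes the IPv4 header, and reports whether a proto 254 pseudo-packet carries the preprocessor's message or is header-only. The sample dump is constructed after the first one in the thread with the source address swapped for a TEST-NET address (checksum left stale, not verified), and the payload text in the second case is hypothetical, not the real SDF message format.

```python
import struct

# Constructed sample modelled on the thread's first dump: Ethernet header + 20-byte IPv4
# header, proto 254, no payload. Source replaced by 198.51.100.7 (c633 6407); checksum stale.
SAMPLE_DUMP = """\
0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\\...E.
0x0010:  0014 6abb 4000 72fe 048c c633 6407 ac1f  ..j.@.r....3d...
0x0020:  c909                                     ..
"""

PSEUDO_PROTOS = {254: 'sensitive_data', 255: 'portscan'}  # Snort pseudo-packet protocols

def hexdump_to_bytes(dump):
    """Reassemble the raw frame from tcpdump -x/-X lines ('0x0010:  0014 6abb ...  ..j.')."""
    raw = bytearray()
    for line in dump.splitlines():
        label, sep, rest = line.strip().partition(':')
        if not sep or not label.startswith('0x'):
            continue
        # -X output: two spaces, a fixed 39-char hex field, then the ASCII column (ignored).
        raw += bytes.fromhex(rest[:41].replace(' ', ''))
    return bytes(raw)

def parse_frame(frame):
    """Decode Ethernet + IPv4 headers; return the fields a triage needs plus the IP payload."""
    if len(frame) < 14 or frame[12:14] != b'\x08\x00':
        raise ValueError('not an IPv4-over-Ethernet frame')
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError('truncated IPv4 header')
    vihl, _tos, total_len, ident, _ff, ttl, proto, _csum, src, dst = struct.unpack('!BBHHHBBH4s4s', ip[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20:
        raise ValueError('bad IPv4 version/IHL')
    return {'src': '.'.join(map(str, src)), 'dst': '.'.join(map(str, dst)), 'id': ident,
            'ttl': ttl, 'proto': proto, 'total_len': total_len, 'payload': ip[ihl:total_len]}

def with_payload(dump, text):
    """Constructed variant of a dump: same frame plus a text payload, total length patched."""
    frame = bytearray(hexdump_to_bytes(dump))
    body = text.encode()
    struct.pack_into('!H', frame, 14 + 2, 20 + len(body))  # IPv4 total length field
    return bytes(frame) + body

def triage(frame):
    """Classify a logged frame and say whether the preprocessor's message survived logging."""
    h = parse_frame(frame)
    h['preprocessor'] = PSEUDO_PROTOS.get(h['proto'])
    h['message'] = h['payload'].decode('ascii', 'replace') if h['payload'] else None
    if h['preprocessor'] and h['message'] is None:
        h['verdict'] = 'pseudo-packet logged as IP header only: payload (item counts) was not written'
    elif h['preprocessor']:
        h['verdict'] = 'pseudo-packet with preprocessor message'
    else:
        h['verdict'] = 'not a Snort pseudo-packet'
    return h
```

A header-only verdict on every proto 254 record points at the logging/output configuration rather than at the preprocessor, which is the question the reply above raises.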

On Tue, Apr 12, 2011 at 4:35 PM, Jason Wallace
<jason.r.wallace at ...11827...> wrote:
> I can't help you with your specific question, but did want to say (in
> case you didn't know) that Snorby will show the payload if you have
> barnyard2 output database configured for "log" instead of "alert"...
>
> ex.
> output database: log, mysql, user=<someone> password=<something>
> dbname=<your db name> host=x.x.x.x
>
> thx,
> Wally
>
> On Tue, Apr 12, 2011 at 11:50 AM, Agus <agus.262 at ...11827...> wrote:
>> Hi guys,
>>
>> I'm getting a lot of these alerts since a couple of days ago.
>>
>> [139:1:1] sensitive_data: sensitive data global threshold exceeded
>> [Classification: Senstive Data] [Priority: 2]: {PROTO:254}
>>
>> I use Snorby, and it doesn't show any payload, so I checked the alert
>> log with tcpdump and found it.
>>
>>
>> 19:22:55.629576 IP (tos 0x0, ttl 114, id 27323, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 190.99.x.x > 172.31.201.9:
>> ip-proto-254 0
>>        0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\...E.
>>        0x0010:  0014 6abb 4000 72fe 048c be63 6518 ac1f  ..j.@.r....ce...
>>        0x0020:  c909                                     ..
>> 19:24:02.978690 IP (tos 0x0, ttl 114, id 28108, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
>> ip-proto-254 0
>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>        0x0010:  0014 6dcc 4000 72fe 017b ac1f c909 be63  ..m.@.r..{.....c
>>        0x0020:  6518                                     e.
>> 19:27:47.949156 IP (tos 0x0, ttl 114, id 29386, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
>> ip-proto-254 0
>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>        0x0010:  0014 72ca 4000 72fe fc7c ac1f c909 be63  ..r.@.r..|.....c
>>        0x0020:  6518                                     e.
>> 19:42:40.923410 IP (tos 0x0, ttl 106, id 1779, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>> ip-proto-254 0
>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>        0x0010:  0014 06f3 4000 6afe 4d23 ac1f c909 d8ae  ....@.j.M#......
>>        0x0020:  6dfe                                     m.
>> 19:42:47.858569 IP (tos 0x0, ttl 106, id 1895, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>> ip-proto-254 0
>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>        0x0010:  0014 0767 4000 6afe 4caf ac1f c909 d8ae  ...g@.j.L.......
>>        0x0020:  6dfe                                     m.
>> 19:42:53.321362 IP (tos 0x0, ttl 106, id 1942, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>> ip-proto-254 0
>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>        0x0010:  0014 0796 4000 6afe 4c80 ac1f c909 d8ae  ....@.j.L.......
>>        0x0020:  6dfe                                     m.
>> 19:42:54.058349 IP (tos 0x0, ttl  64, id 14491, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
>> ip-proto-254 0
>>        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
>>        0x0010:  0014 389b 4000 40fe 457b d8ae 6dfe ac1f  ..8.@.@.E{..m...
>>        0x0020:  c909                                     ..
>> 19:43:19.570238 IP (tos 0x0, ttl  64, id 14522, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
>> ip-proto-254 0
>>        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
>>        0x0010:  0014 38ba 4000 40fe 455c d8ae 6dfe ac1f  ..8.@.@.E\..m...
>>        0x0020:  c909                                     ..
>> 19:44:55.440976 IP (tos 0x0, ttl  64, id 15039, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
>> ip-proto-254 0
>>        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
>>        0x0010:  0014 3abf 4000 40fe 4357 d8ae 6dfe ac1f  ..:.@.@.CW..m...
>>        0x0020:  c909                                     ..
>> 19:46:27.467767 IP (tos 0x0, ttl 106, id 4001, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>> ip-proto-254 0
>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>        0x0010:  0014 0fa1 4000 6afe 4475 ac1f c909 d8ae  ....@.j.Du......
>>        0x0020:  6dfe                                     m.
>> 19:46:27.852439 IP (tos 0x0, ttl 106, id 4065, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>> ip-proto-254 0
>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>        0x0010:  0014 0fe1 4000 6afe 4435 ac1f c909 d8ae  ....@.j.D5......
>>        0x0020:  6dfe                                     m.
>> 19:46:27.854024 IP (tos 0x0, ttl 105, id 4070, offset 0, flags [DF],
>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>> ip-proto-254 0
>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>        0x0010:  0014 0fe6 4000 69fe 4530 ac1f c909 d8ae  ....@.i.E0......
>>        0x0020:  6dfe                                     m.
>>
>> and it goes on. The private IP is a reverse proxy.
>>
>> IP Protocol 254: This is a core Internet Protocol with a protocol
>> number of 254. As per IANA specification, this protocol is reserved
>> for Private/Experimental/Internal use.
>>
>> Any hints to investigate this deeper are appreciated. I am now looking
>> at the src in dynamic_preprocessors/sdf but I have no clue what to look for.
>>
>> Cheers
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>