[Snort-users] sudden sensitive_data threshold exceeded alerts

Agus agus.262 at ...11827...
Tue Apr 12 18:47:19 EDT 2011


Thanks guys for the answers.

Ryan, very nice explanation! thanks.

snort.conf
# SDF sensitive data preprocessor.  For more information see
README.sensitive_data
preprocessor sensitive_data: alert_threshold 500 (I increased it to
that so I don't get flooded by these alerts)
output unified2: filename snort.log, limit 128

barnyard2.conf
output alert_fast: stdout (don't know why that's on)
output alert_syslog: LOG_AUTH LOG_INFO
output log_tcpdump: tcpdump.log
output database: log, mysql, user=snorby password=xxxx dbname=snorby
host=10.10.x.x

A doubt, and just curious on this:
"your other sensitive data rules
 (gid:138) were configured to look"

Where are they configured? Do you mean options in the standard rules? And when it
reaches 25 it alerts?

Will try to keep looking into this.

Thanks a lot,
Cheers


2011/4/12 Ryan Jordan <ryan.jordan at ...1935...>:
> Hi Agus,
>
> The sensitive_data preprocessor generates and logs pseudo-packets when
> that "global threshold exceeded" alert is triggered. These
> pseudo-packets use IP proto 254. The IP addresses are copied from the
> packet that triggered the alert.
>
> This behavior is similar to the portscan preprocessor, which generates
> pseudo-packets with proto 255.
>
> The alert gets triggered when the sensitive_data preprocessor picks up
> on a combination of items that your other sensitive data rules
> (gid:138) were configured to look for. By default, this limit is 25
> items.
>
> If you look at the payload of those pseudo-packets, you should see a
> message printed by the preprocessor that tells you how many of each
> item type were detected.
>
> Now, I am surprised that all of your listed packets are only 20 bytes
> long. That's just the size of an IP header. How did you configure your
> "output" line in snort.conf?
>
> -Ryan
>
> On Tue, Apr 12, 2011 at 4:35 PM, Jason Wallace
> <jason.r.wallace at ...11827...> wrote:
>> I can't help you with your specific question, but did want to say (in
>> case you didn't know) that Snorby will show the payload if you have
>> barnyard2 output database configured for "log" instead of "alert"...
>>
>> ex.
>> output database: log, mysql, user=<someone> password=<something>
>> dbname=<your db name> host=x.x.x.x
>>
>> thx,
>> Wally
>>
>> On Tue, Apr 12, 2011 at 11:50 AM, Agus <agus.262 at ...11827...> wrote:
>>> Hi guys,
>>>
>>> I'm getting a lot of these alerts since a couple of days ago.
>>>
>>> [139:1:1] sensitive_data: sensitive data global threshold exceeded
>>> [Classification: Senstive Data] [Priority: 2]: {PROTO:254}
>>>
>>> I use Snorby, and it doesn't show any payload, so I checked the alert
>>> log with tcpdump and found it.
>>>
>>>
>>> 19:22:55.629576 IP (tos 0x0, ttl 114, id 27323, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 190.99.x.x > 172.31.201.9:
>>> ip-proto-254 0
>>>        0x0000:  0000 5e00 0101 001e be79 5ca6 0800 4500  ..^......y\...E.
>>>        0x0010:  0014 6abb 4000 72fe 048c be63 6518 ac1f  ..j.@.r....ce...
>>>        0x0020:  c909                                     ..
>>> 19:24:02.978690 IP (tos 0x0, ttl 114, id 28108, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
>>> ip-proto-254 0
>>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>>        0x0010:  0014 6dcc 4000 72fe 017b ac1f c909 be63  ..m.@.r..{.....c
>>>        0x0020:  6518                                     e.
>>> 19:27:47.949156 IP (tos 0x0, ttl 114, id 29386, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 172.31.201.9 > 190.99.x.x:
>>> ip-proto-254 0
>>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>>        0x0010:  0014 72ca 4000 72fe fc7c ac1f c909 be63  ..r.@.r..|.....c
>>>        0x0020:  6518                                     e.
>>> 19:42:40.923410 IP (tos 0x0, ttl 106, id 1779, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>>> ip-proto-254 0
>>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>>        0x0010:  0014 06f3 4000 6afe 4d23 ac1f c909 d8ae  ....@.j.M#......
>>>        0x0020:  6dfe                                     m.
>>> 19:42:47.858569 IP (tos 0x0, ttl 106, id 1895, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>>> ip-proto-254 0
>>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>>        0x0010:  0014 0767 4000 6afe 4caf ac1f c909 d8ae  ...g@.j.L.......
>>>        0x0020:  6dfe                                     m.
>>> 19:42:53.321362 IP (tos 0x0, ttl 106, id 1942, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>>> ip-proto-254 0
>>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>>        0x0010:  0014 0796 4000 6afe 4c80 ac1f c909 d8ae  ....@.j.L.......
>>>        0x0020:  6dfe                                     m.
>>> 19:42:54.058349 IP (tos 0x0, ttl  64, id 14491, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
>>> ip-proto-254 0
>>>        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
>>>        0x0010:  0014 389b 4000 40fe 457b d8ae 6dfe ac1f  ..8.@.@.E{..m...
>>>        0x0020:  c909                                     ..
>>> 19:43:19.570238 IP (tos 0x0, ttl  64, id 14522, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
>>> ip-proto-254 0
>>>        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
>>>        0x0010:  0014 38ba 4000 40fe 455c d8ae 6dfe ac1f  ..8.@.@.E\..m...
>>>        0x0020:  c909                                     ..
>>> 19:44:55.440976 IP (tos 0x0, ttl  64, id 15039, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 216.174.x.x > 172.31.201.9:
>>> ip-proto-254 0
>>>        0x0000:  0050 569f 3e8f 001e be79 5ca6 0800 4500  .PV.>....y\...E.
>>>        0x0010:  0014 3abf 4000 40fe 4357 d8ae 6dfe ac1f  ..:.@.@.CW..m...
>>>        0x0020:  c909                                     ..
>>> 19:46:27.467767 IP (tos 0x0, ttl 106, id 4001, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>>> ip-proto-254 0
>>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>>        0x0010:  0014 0fa1 4000 6afe 4475 ac1f c909 d8ae  ....@.j.Du......
>>>        0x0020:  6dfe                                     m.
>>> 19:46:27.852439 IP (tos 0x0, ttl 106, id 4065, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>>> ip-proto-254 0
>>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>>        0x0010:  0014 0fe1 4000 6afe 4435 ac1f c909 d8ae  ....@.j.D5......
>>>        0x0020:  6dfe                                     m.
>>> 19:46:27.854024 IP (tos 0x0, ttl 105, id 4070, offset 0, flags [DF],
>>> proto: unknown (254), length: 20) 172.31.201.9 > 216.174.x.x:
>>> ip-proto-254 0
>>>        0x0000:  001e be79 5ca6 0000 5e00 0101 0800 4500  ...y\...^.....E.
>>>        0x0010:  0014 0fe6 4000 69fe 4530 ac1f c909 d8ae  ....@.i.E0......
>>>        0x0020:  6dfe                                     m.
>>>
>>> and it goes on. The private IP is a reverse proxy.
>>>
>>> IP Protocol 254: This is a core Internet Protocol with a protocol
>>> number of 254. As per IANA specification, this protocol is reserved
>>> for Private/Experimental/Internal use.
>>>
>>> Any hints to investigate this deeper are appreciated. I am now looking
>>> at the source in dynamyc_preprocesors/sdf but I have no clue what to look for.
>>>
>>> Cheers
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>
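Ryan's point above is that each proto-254 record should carry a payload with the preprocessor's per-item counts, and that a 20-byte record is nothing but an IP header, i.e. the message never reached the log. The script below is an added example, not part of this thread and not code from Snort or barnyard2: it walks a classic pcap such as barnyard2's tcpdump.log, pulls out the IPv4 packets whose protocol is 254 (sensitive_data) or 255 (portscan), prints their payload text, and flags the header-only ones. The sample pcap it builds, the addresses in it and the payload text are constructed here for illustration; the text does not reproduce the preprocessor's real message format.

```python
import struct
import sys

# IP protocol numbers Snort uses for preprocessor pseudo-packets, as stated
# in the thread: 254 for sensitive_data, 255 for the portscan preprocessor.
SDF_PROTO = 254
PORTSCAN_PROTO = 255


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # LINKTYPE_ETHERNET, which is what the thread's dump shows
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def pseudo_packets(data):
    """Return one dict per IPv4 packet whose protocol is 254 or 255.

    header_only is True when the IP total length equals the header length,
    i.e. the record is the bare 20-byte header seen in the thread and the
    preprocessor's message was not logged.
    """
    found = []
    for ts, frame in parse_pcap(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        proto = ip[9]
        if proto not in (SDF_PROTO, PORTSCAN_PROTO):
            continue
        found.append({
            "ts": ts,
            "proto": proto,
            "src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
            "total_len": total_len,
            "header_only": total_len <= ihl,
            "payload": ip[ihl:total_len].decode("ascii", errors="replace"),
        })
    return found


def _frame(src, dst, proto, payload):
    """Constructed Ethernet/IPv4 frame; checksum left at zero, the parser ignores it."""
    eth = bytes.fromhex("001ebe795ca6") + bytes.fromhex("00005e000101") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                     64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload


def build_sample_pcap():
    """Constructed three-record pcap: one SDF pseudo-packet carrying a message,
    one header-only SDF pseudo-packet like those in the thread, and one
    protocol-6 packet that must be ignored (its body is not a real TCP segment).
    The message text is illustrative, not the preprocessor's real format."""
    records = [
        _frame("172.31.201.9", "192.0.2.10", SDF_PROTO,
               b"sensitive data: credit card numbers: 26, ssn: 0, email: 3\n"),
        _frame("192.0.2.10", "172.31.201.9", SDF_PROTO, b""),
        _frame("192.0.2.10", "172.31.201.9", 6, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, rec in enumerate(records):
        body += struct.pack("<IIII", 1302650575 + i, 0, len(rec), len(rec)) + rec
    return header + body


def report(data):
    """One line per pseudo-packet found in data; returns the lines."""
    lines = []
    for p in pseudo_packets(data):
        what = "HEADER ONLY (payload not logged)" if p["header_only"] else repr(p["payload"].strip())
        lines.append("%.6f proto %d %s > %s len %d: %s"
                     % (p["ts"], p["proto"], p["src"], p["dst"], p["total_len"], what))
    return lines


if __name__ == "__main__":
    # Usage: python sdf_pseudo.py tcpdump.log   (defaults to the constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print("\n".join(report(raw)))
```

Run against a real tcpdump.log: if every proto-254 line comes back as HEADER ONLY, the sensor is logging the pseudo-packet without its body and the output/logging configuration is where to look, which is the question Ryan raises; if the payload text appears, its counts tell you which item types pushed the global threshold over the limit.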



