[Snort-users] Stream5 and AIX tcp keepalive alert

Russ Combs rcombs at ...1935...
Mon Sep 9 10:10:26 EDT 2013


On Fri, Aug 30, 2013 at 7:13 AM, James Lay <digitalx00 at ...11827...> wrote:

>
> On Aug 29, 2013, at 6:03 AM, Антон Половцев <etc.secure at ...11827...> wrote:
>
> Hello, community!
>
> I'm testing snort (2.9.4) and have some questions about Stream5.
>
> There are 2 abstract subnetworks in my scenario, 172.16.34.0/24 and
> 10.14.1.0/24. Both subnets are monitored with separate snort sensors.
> Some host from the second subnet (Linux 2.6.X) makes a TCP connection to a
> host in the first subnet (AIX 6). Stream5 is configured to apply the "linux"
> policy to the Linux host and the "bsd" policy to AIX (according to the
> manual). Each TCP keepalive does nothing on the sensor in the subnet with
> the Linux host but generates an alert in the "AIX subnet": 129-14 stream5:
> TCP Timestamp is missing. I dumped these packets and found out that the TCP
> keepalive frame from the AIX machine doesn't contain any TCP options. Of
> course, "tcp timestamp is missing". I tried to google it and discovered that
> this is common behavior for AIX. Wrong policy "bsd" for AIX? Anomaly
> detection is off.
>
> Thanks, we have a bug open to update target-based stuff.

> And another thing, for my understanding. The stream5 preprocessor option
> "ports" (values client/server/both) - how do I get the direction right? The
> manual didn't answer this 100%. Is the host or network to which we apply the
> policy considered the server? And are all connections from this host/subnet
> to others considered the "client's"?
>
The ports you configure are always server ports.  The client / server /
both setting determines which side of the connection to reassemble.  For
example, "ports client 80" means reassemble only the client side of
connections to server port 80.

> P.S. pcap with AIX's TCP keepalive in attachment. Thanks in advance for
> responses.
>
>
> Make sure both subnets are in your HOME_NET.  And you can add the sig
> that's firing off to your threshold.conf file.
>
> James
>
>
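Putting the answers in this thread together as an added configuration example (not part of any message above and not the poster's actual config): a Snort 2.9.x stream5 setup that puts both subnets from the question in HOME_NET, binds the "linux" and "bsd" policies to the two subnets, reassembles only the client side of connections to server port 80 as Russ describes, and a threshold.conf entry that suppresses 129:14 only for sources in the AIX subnet, which is a narrower form of what James suggests. Server port 80, the default "first" policy, and the per-subnet scoping of the suppress are assumptions for illustration.

```conf
# snort.conf (Snort 2.9.x) -- added example, not the original poster's config

# Both monitored subnets from the question belong in HOME_NET
ipvar HOME_NET [172.16.34.0/24,10.14.1.0/24]

preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 8192

# Default TCP policy for hosts not matched by a bind_to line below (assumed)
preprocessor stream5_tcp: policy first

# 10.14.1.0/24: Linux 2.6 hosts. "ports client 80" = port 80 is a server
# port; reassemble only the client side of connections to it (assumed port).
preprocessor stream5_tcp: bind_to 10.14.1.0/24, policy linux, ports client 80

# 172.16.34.0/24: AIX 6 hosts, "bsd" policy as the manual recommends
preprocessor stream5_tcp: bind_to 172.16.34.0/24, policy bsd, ports client 80

# threshold.conf -- suppress only the keepalive-related event, and only when
# the source is an AIX host; gen_id 129 / sig_id 14 is
# "stream5: TCP Timestamp is missing" from the thread.
suppress gen_id 129, sig_id 14, track by_src, ip 172.16.34.0/24
```

The suppress is keyed on gen_id 129 / sig_id 14 and on the AIX subnet as source, so the same event still fires for any other host, which keeps the timestamp check useful as a detection signal elsewhere. After editing, `snort -T -c snort.conf` checks the configuration parses before the sensor is restarted.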