Jon Hart
2006-05-17 21:26:21 UTC
Hello,

The weird behavior I'm seeing is what appears to be multiple HTTP
requests (sometimes the src<->dest is the same, others not) in the same
alert.

Someone in #snort asked if I was behind a proxy server and, yes, the
bulk of our inbound traffic is handled by Akamai. I can't find any
specific examples, but I swear I saw alerts where some of the traffic
came from Akamai and others did not.

What is even weirder is, today, I saw an alert that contained portions
of two distinct conversations, but one was headed inbound and the other
was headed outbound. Aside from the general weirdness of this, I had
just recently switched my $HOME_NET to 'any'.

This is snort 2.4.4, running Red Hat Enterprise Linux ES release
4 (Nahant Update 1) with kernel 2.6.9-11.ELsmp (not my choice). My
config is more or less stock:

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH ./rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 \
    no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor xlink2state: ports { 25 691 }
output database: log, mysql, user=snort \
    password=ffffff dbname=snort host=localhost sensor_name=edg

And snort is started as follows:

snort -u snort -g snort -i bond0 -c /usr/local/stow/snort/etc/snort.conf
-D -eyo

(I have a pass rule to filter out a particularly false-positive prone
URL, hence the -o)

Any ideas?

-jon
______________________________________________
Snort-users mailing list
Snort-***@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
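One detail in the post above is worth checking independently of the stream4 question: with both HOME_NET and EXTERNAL_NET set to 'any', a rule header such as `$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS` no longer distinguishes inbound from outbound traffic, because every address satisfies both variables and only the destination port is left to decide. The following script is an added example (not from the post, not part of Snort) that resolves Snort-style variables, parses a rule header, and reports which direction of two constructed HTTP flows the header matches under a scoped HOME_NET versus 'any'. The flows, the 203.0.113.0/24 "home" network and the `matching_flows` helper are constructed for the illustration; the header grammar covered is the basic `action proto src sport dir dst dport` form with `any`, CIDR/IP lists, `!` negation, `->` and `<>`.

```python
"""Which direction of an HTTP flow does a Snort rule header match?

Added example for the snort-users thread above; constructed inputs, not
Snort's own code. Shows that HOME_NET/EXTERNAL_NET 'any' makes an
$EXTERNAL_NET -> $HOME_NET header direction-blind.
"""
import ipaddress
import re

_VAR = re.compile(r"\$(\w+)")


def resolve(value, variables):
    """Substitute $NAME references with their values; nesting is allowed."""
    while _VAR.search(value):
        value = _VAR.sub(lambda m: variables[m.group(1)], value)
    return value


def parse_addr(spec):
    """'any', an IP/CIDR, or '[a,b,...]', optionally prefixed with '!'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",") if s.strip()]
    return negated, nets


def parse_port(spec):
    """'any', a single port, or 'lo:hi', optionally prefixed with '!'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    if ":" in spec:
        lo, hi = spec.split(":")
        rng = (int(lo or 0), int(hi or 65535))
    else:
        rng = (int(spec), int(spec))
    return negated, rng


def addr_matches(ip, parsed):
    negated, nets = parsed
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def port_matches(port, parsed):
    negated, rng = parsed
    hit = rng is None or rng[0] <= port <= rng[1]
    return hit != negated


def parse_header(header, variables):
    """Parse e.g. 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS'."""
    action, proto, src, sport, direction, dst, dport = resolve(header, variables).split()
    return {"action": action, "proto": proto,
            "src": parse_addr(src), "sport": parse_port(sport),
            "dir": direction, "dst": parse_addr(dst), "dport": parse_port(dport)}


def header_matches(rule, flow):
    """flow = (src_ip, src_port, dst_ip, dst_port), one direction of a session."""
    sip, sp, dip, dp = flow
    forward = (addr_matches(sip, rule["src"]) and port_matches(sp, rule["sport"])
               and addr_matches(dip, rule["dst"]) and port_matches(dp, rule["dport"]))
    if rule["dir"] == "->" or forward:
        return forward
    # '<>' is bidirectional: also try the swapped orientation
    return (addr_matches(dip, rule["src"]) and port_matches(dp, rule["sport"])
            and addr_matches(sip, rule["dst"]) and port_matches(sp, rule["dport"]))


RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS"

# Constructed flows; 203.0.113.0/24 stands in for "our" network.
INBOUND = ("198.51.100.7", 51234, "203.0.113.10", 80)    # outside client -> inside server
OUTBOUND = ("203.0.113.25", 40000, "198.51.100.99", 80)  # inside client -> outside server


def matching_flows(home_net, external_net):
    """Names of the constructed flows that RULE matches under these variables."""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net, "HTTP_PORTS": "80"}
    rule = parse_header(RULE, variables)
    return [name for name, flow in (("inbound", INBOUND), ("outbound", OUTBOUND))
            if header_matches(rule, flow)]


if __name__ == "__main__":
    print("HOME_NET any   :", matching_flows("any", "any"))
    print("HOME_NET scoped:", matching_flows("203.0.113.0/24", "!$HOME_NET"))
```

With HOME_NET 'any' both flows match the same header, so an inbound and an outbound conversation to port 80 are equally eligible for the same rule; with HOME_NET scoped to the real address range and EXTERNAL_NET set to `!$HOME_NET`, only the inbound flow does. Which packets end up reassembled into one alert payload is a separate stream4 question, but this check rules the variable change in or out quickly.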