Snort mailing list archives
RE: No trace for corresponding alerts
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Fri, 5 Oct 2001 11:54:12 -0400
I have two custom rules that I have always used that check for outgoing
connections on port 80 (HTTP) and 69 (TFTP). I don't check for flags because
this rarely occurs on our network anyway, so it is always caught just
looking at the destination port. Here are my two custom rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Outgoing http port 80";)
alert tcp $HOME_NET any <> $EXTERNAL_NET 69 (msg:"Outgoing tftp port 69";)
Intermittently, these rules are met and an alert is generated. For example,
here are two alerts directly from my alerts file from yesterday (with
<internal server> replacing the actual IP address):
10/04-00:23:40.992329 [**] [1:0:0] Outgoing http port 80 [**] {TCP}
<internal server>:47873 -> 64.210.248.166:80
10/04-00:32:20.996684 [**] [1:0:0] Outgoing tftp port 69 [**] {TCP}
<internal server>:47873 -> 66.69.242.11:69
When I check the trace file, there are no corresponding traces. This problem
with traces not being created seems to be fairly new. One interesting thing
looking at the above alerts is that both have the same source port of 47873.
I would think the chances of this would be very slim. Not sure if there is
any significance to this though...
Any ideas?
Thanks,
Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com
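The two checks the thread is circling around, as an added example that is not part of the original posts or of snort_stat.pl: parse alert lines in the one-line format pasted above, report alerts that have no matching packet in the trace, and list source ports shared by more than one alert (the 47873 coincidence). The trace keys are constructed tuples standing in for whatever has been pulled from the packet log, and 192.0.2.10 is a constructed stand-in for <internal server>.

```python
import re
from collections import defaultdict

# One-line alert format as pasted in the thread (Snort 1.8 alert file), e.g.
# "10/04-00:23:40.992329 [**] [1:0:0] Outgoing http port 80 [**] {TCP} 192.0.2.10:47873 -> 64.210.248.166:80"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<gid_sid_rev>[\d:]+)\] "
    r"(?P<msg>.+?) \[\*\*\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
    return a

def find_orphan_alerts(alert_lines, trace_keys):
    """Alerts whose (timestamp, src, sport, dst, dport) has no packet in trace_keys."""
    orphans = []
    for line in alert_lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["ts"], a["src"], a["sport"], a["dst"], a["dport"])
        if key not in trace_keys:
            orphans.append(a)
    return orphans

def shared_source_ports(alerts):
    """Source ports that appear in more than one alert, with the alert messages."""
    by_port = defaultdict(list)
    for a in alerts:
        by_port[a["sport"]].append(a["msg"])
    return {p: msgs for p, msgs in by_port.items() if len(msgs) > 1}

# Constructed sample: the two alerts from the thread (192.0.2.10 standing in for
# <internal server>) plus one ordinary alert that does have a packet in the trace.
ALERTS = [
    "10/04-00:23:40.992329 [**] [1:0:0] Outgoing http port 80 [**] {TCP} 192.0.2.10:47873 -> 64.210.248.166:80",
    "10/04-00:32:20.996684 [**] [1:0:0] Outgoing tftp port 69 [**] {TCP} 192.0.2.10:47873 -> 66.69.242.11:69",
    "10/04-01:02:11.000100 [**] [1:0:0] Outgoing http port 80 [**] {TCP} 192.0.2.10:51000 -> 198.51.100.7:80",
]
# Constructed trace keys (timestamp, src, sport, dst, dport) as extracted from the
# packet log; only the third alert has a corresponding packet.
TRACE = {("10/04-01:02:11.000100", "192.0.2.10", 51000, "198.51.100.7", 80)}
```

Run with `find_orphan_alerts(ALERTS, TRACE)` and pass the result to `shared_source_ports` to see the two trace-less alerts and their common port 47873.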
-----Original Message-----
From: niceshorts () yahoo com [mailto:niceshorts () yahoo com]
Sent: Thursday, October 04, 2001 2:54 PM
To: Snort List (E-mail)
Subject: Re: [Snort-users] No trace for corresponding alerts
Sheahan, Paul (PCLN-NW) wrote:
Hello, I'm using Snort 1.8.1 B78 on Red Hat Linux 7.0. I use the latest version of snort_stat.pl to generate reports for me every night at midnight. I then have the report emailed to me automatically. For every alert, there has ALWAYS been a corresponding trace in my trace file. This allows me to look up details on alerts when needed. Ever since upgrading to Build 78 and the latest snort_stat (both upgraded around the same time), maybe 10% of the time, I find no corresponding trace for a given alert. Not sure if this is a bug in Build 78 or the latest snort_stat, but there is a DEFINITE problem. This worked flawlessly in the past. Has anyone else experienced this?
Post some example alerts. I've seen this problem often on
win32 beta builds. There are some distinguishing features of
these "phantom" alerts which I would like some correlation
on. I don't use snort_stat so if you could cut and paste from
alert.ids that would be great.
-anthony kim
--
HTTP request sent, awaiting response... 404 Object Not Found
ERROR 404: Object Not Found.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users