Snort mailing list archives

Re: false alerts


From: Phil Wood <cpw () lanl gov>
Date: Thu, 24 Jan 2002 14:16:06 -0700


On Thu, Jan 24, 2002 at 11:22:52AM +1100, support wrote:
I am having a problem with snort ...
I apologize in advance for the nature of the question, however...
When running Snort 1.8.3 in daemon mode with no output modules I am
receiving false alerts from my internal network. Below is an excerpt from my
logs

"
Jan 24 10:23:46 proxy snort[12568]: [1:618:1] INFO - Possible Squid Scan
[Classification: Attempted Information Leak] [Priority: 2]: {TCP}
192.168.0.10:1387 -> 192.168.0.8:3128
Jan 24 10:23:49 proxy snort[12568]: [1:618:1] INFO - Possible Squid Scan
[Classification: Attempted Information Leak] [Priority: 2]: {TCP}
192.168.0.10:1388 -> 192.168.0.8:3128
Well, let's take a look at the rule:

% grep "Possible Squid Scan" *.rules
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"INFO - Possible Squid Scan"; flags:S; classtype:attempted-recon; sid:618; rev:1;)

If this is not the rule then delete this message.  Otherwise, there is not
much meat to this rule.  The TCP packet would have to be directed at your 
HOME_NET and be the first (SYN) of the connection establishment phase trying
to contact a "service" on port 3128.  This can happen with FTP file transfers
initiated by a host on your HOME_NET (unless you enforce passive mode).
However, you should check that the values of your HOME_NET and EXTERNAL_NET
are not "any".  Your snort.conf should have the following two lines defined:

var HOME_NET [192.168.0.0/24]

var EXTERNAL_NET !$HOME_NET

The above is assuming that your home net is 192.168.0.0/24.

"
The snort.conf file is from version 1.8.1 and defines the internal network
both in HOME_NET and within the preprocessor portscan-ignorehosts.
Any suggestions would be greatly appreciated.

David





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
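To make Phil's point concrete, here is an added example (not part of the thread and not Snort code) that replays the syslog alert lines above against the sid 618 rule under two snort.conf variable settings: HOME_NET/EXTERNAL_NET left at "any", and the corrected HOME_NET [192.168.0.0/24] with EXTERNAL_NET !$HOME_NET. The first two log lines are David's (rejoined onto single lines as syslog writes them); the third, from 203.0.113.7, is a constructed line representing a genuinely external source. The flags:S test cannot be re-evaluated from alert text, so only the address and port matching is simulated; Python 3 standard library only.

```python
"""Replay Snort 1.8-style syslog alerts against the sid 618 rule under
two snort.conf variable settings, to show which alerts EXTERNAL_NET !$HOME_NET
would have suppressed."""
import ipaddress
import re

# Constructed sample: David's two lines from the thread plus one made-up external source.
SAMPLE_LOG = """\
Jan 24 10:23:46 proxy snort[12568]: [1:618:1] INFO - Possible Squid Scan [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.10:1387 -> 192.168.0.8:3128
Jan 24 10:23:49 proxy snort[12568]: [1:618:1] INFO - Possible Squid Scan [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.10:1388 -> 192.168.0.8:3128
Jan 24 10:25:01 proxy snort[12568]: [1:618:1] INFO - Possible Squid Scan [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 203.0.113.7:40000 -> 192.168.0.8:3128
"""

# Fields of the alert portion of a Snort syslog line: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Header fields of scan.rules sid 618 (the flags:S option is not re-checked here).
SQUID_SCAN_RULE = {"sid": 618, "proto": "tcp", "src": "$EXTERNAL_NET", "sport": "any",
                   "dst": "$HOME_NET", "dport": "3128"}


def parse_alert(line):
    """Return the alert fields of one syslog line as a dict, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def parse_netspec(spec, variables):
    """Resolve a Snort address spec ('any', '$HOME_NET', '!$HOME_NET',
    '[192.168.0.0/24,10.0.0.0/8]') into (list of networks, negated flag)."""
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:].strip()
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], negated
    if spec.startswith("$"):  # variable reference: resolve and combine negations
        inner, inner_negated = parse_netspec(variables[spec[1:]], variables)
        return inner, negated ^ inner_negated
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [ipaddress.ip_network(p.strip(), strict=False) for p in spec.split(",")], negated


def addr_matches(ip, spec, variables):
    nets, negated = parse_netspec(spec, variables)
    inside = any(ipaddress.ip_address(ip) in net for net in nets)
    return inside != negated


def port_matches(port, spec):
    return spec == "any" or port == int(spec)


def rule_matches(alert, rule, variables):
    return (alert["proto"].lower() == rule["proto"]
            and addr_matches(alert["src"], rule["src"], variables)
            and port_matches(alert["sport"], rule["sport"])
            and addr_matches(alert["dst"], rule["dst"], variables)
            and port_matches(alert["dport"], rule["dport"]))


def replay(log_text, variables, rule=SQUID_SCAN_RULE):
    """Return [(src, dst, would_fire)] for every alert line carrying the rule's sid."""
    results = []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["sid"] != rule["sid"]:
            continue
        results.append((alert["src"], alert["dst"], rule_matches(alert, rule, variables)))
    return results


LOOSE = {"HOME_NET": "any", "EXTERNAL_NET": "any"}                      # the misconfiguration
TIGHT = {"HOME_NET": "[192.168.0.0/24]", "EXTERNAL_NET": "!$HOME_NET"}  # Phil's recommendation

if __name__ == "__main__":
    for name, variables in (("loose", LOOSE), ("tight", TIGHT)):
        print(name)
        for src, dst, fires in replay(SAMPLE_LOG, variables):
            print(f"  {src} -> {dst}: {'ALERT' if fires else 'no alert'}")
```

Under the loose settings all three lines fire; under the tight settings only the 203.0.113.7 line does, because a source inside 192.168.0.0/24 can never satisfy !$HOME_NET. Note that portscan-ignorehosts only affects the portscan preprocessor, not signature rules like sid 618, which is why David's setting there did not help.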

