Snort mailing list archives

Stream5 and AIX tcp keepalive alert


From: Антон Половцев <etc.secure () gmail com>
Date: Thu, 29 Aug 2013 16:03:57 +0400

Hello, community!

I'm testing snort (2.9.4) and have some questions about Stream5.

There are 2 abstract subnetworks in my scenario, 172.16.34.0/24 and
10.14.1.0/24. Both subnets are monitored with separate snort sensors. Some
host from the second subnet (Linux 2.6.X) makes a TCP connection to a host in
the first subnet (AIX 6). Stream5 is configured to apply the "linux" policy to
the Linux host and the "bsd" policy to the AIX host (according to the manual).
Each TCP keepalive does nothing on the sensor in the subnet with the Linux
host but generates an alert in the "AIX subnet": 129-14 stream5: TCP Timestamp
is missing. I dumped these packets and found out that the TCP keepalive frame
from the AIX machine doesn't contain any TCP options. Of course, "TCP timestamp
is missing". I tried to google it and discovered that this is common behavior
of AIX. Is "bsd" the wrong policy for AIX? Anomaly detection is off.

And another thing, for my understanding. The stream5 preprocessor's option
"ports" (values client/server/both): how do I manage the right direction? The
manual didn't answer this 100%. Is the host or network to which we apply the
policy considered the server? And are all connections from this host/subnet
to others considered "client" connections?

P.S. A pcap with AIX's TCP keepalive is attached. Thanks in advance for
responses.

Attachment: capt.pcap
Description:
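The check the post describes, as an added example that is not part of the original message and not Snort's own code: a small Python parser that walks the TCP header and option list of raw segments, reports segments that lack the timestamp option after both the SYN and the SYN/ACK carried it (the RFC 7323 rule behind a "timestamp is missing" alert), and notes which of those are keepalive-shaped (pure ACK, at most one byte of payload, no SYN/FIN/RST). The session, addresses and ports are constructed for the example; the negotiation check and the keepalive heuristic are my simplification of what a stream tracker does, not a reproduction of Stream5's logic, and the no-option keepalive segment is modeled on what the post reports seeing from AIX.

```python
"""Find TCP segments that drop the timestamp option mid-session.

Added example, not from the original post or from Snort. Sample
segments below are constructed; only the TCP layer is modeled.
"""
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_ACK = 0x01, 0x02, 0x04, 0x10


def parse_tcp_options(raw):
    """Walk the TCP options area and return a list of (kind, data) pairs."""
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:          # end of list: ignore padding after it
            break
        if kind == TCP_OPT_NOP:          # single-byte option, no length field
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length %d" % length)
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp_segment(segment):
    """Parse a raw TCP segment (header, options, payload) into a dict."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x01FF,
        "options": parse_tcp_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def has_timestamp(seg):
    return any(kind == TCP_OPT_TIMESTAMP for kind, _ in seg["options"])


def looks_like_keepalive(seg):
    """Heuristic (assumption): pure ACK carrying at most one byte of data."""
    f = seg["flags"]
    return bool(f & FLAG_ACK) and not (f & (FLAG_SYN | FLAG_FIN | FLAG_RST)) \
        and len(seg["payload"]) <= 1


def audit_session(segments):
    """Return [(index, is_keepalive)] for segments without TSopt once both
    sides negotiated it in the handshake. RST segments are exempt (RFC 7323)."""
    parsed = [parse_tcp_segment(s) for s in segments]
    if len(parsed) < 2:
        return []
    syn, synack = parsed[0], parsed[1]
    negotiated = bool(syn["flags"] & FLAG_SYN) \
        and (synack["flags"] & (FLAG_SYN | FLAG_ACK)) == (FLAG_SYN | FLAG_ACK) \
        and has_timestamp(syn) and has_timestamp(synack)
    if not negotiated:
        return []
    findings = []
    for idx, seg in enumerate(parsed[2:], start=2):
        if seg["flags"] & FLAG_RST:
            continue
        if not has_timestamp(seg):
            findings.append((idx, looks_like_keepalive(seg)))
    return findings


def build_segment(sport, dport, seq, ack, flags, options=b"", payload=b""):
    """Constructed test data: assemble a TCP segment; checksum left as zero."""
    options = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit words
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (data_offset << 12) | flags, 65535, 0, 0)
    return header + options + payload


def ts_option(tsval, tsecr):
    """NOP NOP TSopt: the 12-byte alignment most stacks emit."""
    return struct.pack("!BBBBII", TCP_OPT_NOP, TCP_OPT_NOP,
                       TCP_OPT_TIMESTAMP, 10, tsval, tsecr)


# Constructed session: client port 40000 -> server port 22, timestamps
# negotiated in the handshake, then a server keepalive with no options at
# all (seq one below its next sequence number, empty payload).
SAMPLE_SESSION = [
    build_segment(40000, 22, 1000, 0, FLAG_SYN, ts_option(1, 0)),
    build_segment(22, 40000, 5000, 1001, FLAG_SYN | FLAG_ACK, ts_option(7, 1)),
    build_segment(40000, 22, 1001, 5001, FLAG_ACK, ts_option(2, 7)),
    build_segment(22, 40000, 5000, 1001, FLAG_ACK),
]

if __name__ == "__main__":
    for idx, is_ka in audit_session(SAMPLE_SESSION):
        print("segment %d: timestamp missing, keepalive-shaped=%s" % (idx, is_ka))
```

To run it over a real capture, feed `audit_session` the TCP layer of each packet of one flow in order (the first two must be the SYN and SYN/ACK); a hit that is keepalive-shaped on the server side is the pattern the post describes.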

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
