Snort mailing list archives

Interpreting logs


From: "Migus, Adam" <Adam_Migus () NAI com>
Date: Thu, 19 Jul 2001 09:25:05 -0700

I am running snort on my FreeBSD/ipfw/natd firewall as shown:

/usr/local/bin/snort -D -Afull -i ed1 -c snort.conf

ed1 is my external interface.

Here is a diff of my snort.conf and the original:

gateway# diff snort.conf snort.conf.orig
36d35
< var HOME_NET $ed1_ADDRESS
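Review bot: HOME_NET is set to the address of ed1, the external interface snort is listening on, and natd rewrites every outbound LAN connection onto that same address, so the preprocessors see the firewall's own address as the source of all outbound traffic (the alerts quoted further down all name 24.249.235.55 as the source). With the portscan threshold of 4 connections in 3 seconds, ordinary browsing from behind the NAT will keep tripping it; either exempt that address (Snort 1.x has a `portscan-ignorehosts` preprocessor for this) or run snort on the internal interface, where sources are still the real LAN hosts.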
253d251
< var SPADEDIR /var/log/snort/spade
255c253
< preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
---
# preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
260c258
< preprocessor spade-homenet: 0.0.0.0/0
---
# preprocessor spade-homenet: 0.0.0.0/0
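Review bot: spade-homenet is widened to 0.0.0.0/0, so Spade treats every destination as part of the home network and scores the firewall's own outbound SYNs; that is what the spp_anomsensor alert below is doing with 24.249.235.55:4778 -> 64.94.89.146:80. Limiting this to the firewall's address (or the networks you actually want anomaly scoring for) keeps routine outbound web connections out of the anomaly reports.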
268c266
< preprocessor spade-adapt3: 0.01 60 168
---
# preprocessor spade-adapt3: 0.01 60 168
276c274
< preprocessor spade-threshlearn: 200 24
---
#preprocessor spade-threshlearn: 200 24
278c276
< preprocessor spade-survey:  $SPADEDIR/survey.txt 60
---
#preprocessor spade-survey:  $SPADEDIR/survey.txt 60
280c278
< preprocessor spade-stats: entropy uncondprob condprob
---
#preprocessor spade-stats: entropy uncondprob condprob
288c286
< preprocessor arpspoof
---
# preprocessor arpspoof
gateway# 

I have a few questions on the log messages below that I'm hoping someone can
explain.

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 24.249.235.55 (THRESHOLD 4 connections exceeded in 3 seconds) [**]
07/19-03:01:48.093228

[**] [100:2:1] spp_portscan: portscan status from 24.249.235.55: 5 connections across 5 hosts: TCP(5), UDP(0) [**]
07/19-03:02:52.086670

These first two entries are taken from /var/log/snort/alert.  They should be port scan messages from the IP address of my external interface (ed1).  Why is it telling me this?

[**] spp_anomsensor: Anomaly threshold exceeded: 6.0893 [**]
07/19-05:25:37.765846 24.249.235.55:4778 -> 64.94.89.146:80
TCP TTL:127 TOS:0x0 ID:56422 IpLen:20 DgmLen:48 DF
******S* Seq: 0xBE1604FD  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

This entry is also taken from my /var/log/snort/alert.  It is complaining about an ordinary connection to the HTTP port of a random site I visited.  Why?

Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*

This entry is taken from /var/log/snort/portscan.log.  These as well are
ordinary client connections to an external DNS and POP server I use.  How do
I interpret this?

How do I make snort stop complaining about these routine connections and
only tell me when I have a legitimate attack happening...

Thanks
Adam

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
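The following is an added example, not part of the post above or of Snort itself. It parses portscan.log lines in the layout the post shows and re-runs the portscan preprocessor's rule of thumb over them ("THRESHOLD 4 connections exceeded in 3 seconds"), so you can see why a burst of ordinary browsing from the NAT address looks like a scan and how exempting the firewall's own address (the effect Snort 1.x's portscan-ignorehosts directive has) removes the false alert while a real scan still fires. Assumptions: the log is chronological, the year is 2001 (portscan.log carries none), a "connection" is a distinct dst:port:proto tuple, and all sample lines other than the two copied from the post are constructed with RFC 5737 test addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One Snort 1.x portscan.log line, in the layout shown in the post:
#   Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
#   Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<proto>\S+)(?: (?P<flags>\S+))?$"
)


def parse_portscan_line(line, year=2001):
    """Parse one portscan.log line into a dict, or return None if it does not match.
    The log has no year field, so one is supplied (2001 is the date of the post)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    proto = "TCP" if m["proto"] == "SYN" else m["proto"]  # "SYN ******S*" is a TCP SYN
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": proto, "flags": m["flags"]}


def detect_portscans(lines, threshold=4, period=3, ignore_hosts=frozenset()):
    """Per-source sliding window over a chronological log: emit one alert for a
    source the first time more than `threshold` distinct connections from it fall
    within `period` seconds. Sources in `ignore_hosts` are never counted, which is
    what exempting the firewall's own NAT address achieves."""
    windows = defaultdict(deque)
    alerts, already_alerted = [], set()
    for line in lines:
        rec = parse_portscan_line(line)
        if rec is None or rec["src"] in ignore_hosts:
            continue
        win = windows[rec["src"]]
        # Drop entries older than the detection period.
        while win and (rec["ts"] - win[0]["ts"]).total_seconds() > period:
            win.popleft()
        key = (rec["dst"], rec["dport"], rec["proto"])
        if any((r["dst"], r["dport"], r["proto"]) == key for r in win):
            continue  # retransmitted SYN or repeated lookup, not a new connection
        win.append(rec)
        if len(win) > threshold and rec["src"] not in already_alerted:
            already_alerted.add(rec["src"])
            alerts.append({
                "src": rec["src"],
                "connections": len(win),
                "hosts": len({r["dst"] for r in win}),
                "tcp": sum(r["proto"] == "TCP" for r in win),
                "udp": sum(r["proto"] == "UDP" for r in win),
                "at": rec["ts"].strftime("%m/%d-%H:%M:%S"),
            })
    return alerts


# Constructed sample log. 24.249.235.55 is the firewall's external (NAT) address from
# the post; 192.0.2.x and 198.51.100.9 are documentation addresses standing in for
# web servers and an outside scanner. The last two lines are copied from the post.
SAMPLE_LOG = """\
Jul 19 03:01:46 24.249.235.55:3301 -> 192.0.2.10:80 SYN ******S*
Jul 19 03:01:46 24.249.235.55:3302 -> 192.0.2.11:80 SYN ******S*
Jul 19 03:01:47 24.249.235.55:3303 -> 192.0.2.12:80 SYN ******S*
Jul 19 03:01:47 24.249.235.55:3304 -> 192.0.2.13:80 SYN ******S*
Jul 19 03:01:48 24.249.235.55:3305 -> 192.0.2.14:80 SYN ******S*
Jul 19 04:10:00 198.51.100.9:40001 -> 24.249.235.55:21 SYN ******S*
Jul 19 04:10:00 198.51.100.9:40002 -> 24.249.235.55:22 SYN ******S*
Jul 19 04:10:00 198.51.100.9:40003 -> 24.249.235.55:23 SYN ******S*
Jul 19 04:10:01 198.51.100.9:40004 -> 24.249.235.55:25 SYN ******S*
Jul 19 04:10:01 198.51.100.9:40005 -> 24.249.235.55:80 SYN ******S*
Jul 19 04:10:01 198.51.100.9:40006 -> 24.249.235.55:110 SYN ******S*
Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*
""".splitlines()


if __name__ == "__main__":
    print("without exemption:")
    for a in detect_portscans(SAMPLE_LOG):
        print("  PORTSCAN DETECTED from %(src)s at %(at)s: %(connections)d connections "
              "across %(hosts)d hosts: TCP(%(tcp)d), UDP(%(udp)d)" % a)
    print("with the NAT address exempted:")
    for a in detect_portscans(SAMPLE_LOG, ignore_hosts={"24.249.235.55"}):
        print("  PORTSCAN DETECTED from %(src)s at %(at)s: %(connections)d connections "
              "across %(hosts)d hosts: TCP(%(tcp)d), UDP(%(udp)d)" % a)
```

Run without the exemption, the five web connections the NAT address opens within two seconds produce exactly the "5 connections across 5 hosts: TCP(5), UDP(0)" status the post quotes, alongside the genuine scan from 198.51.100.9; with the NAT address exempted only the scan remains. Exempting a source does not protect you from scans *by* that address, so the exemption belongs only on a sensor that is known to sit on the NAT side of its own traffic.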
