Snort mailing list archives
Snort and SysLogging, warning
From: "Don" <Don () WeberOnTheWeb com>
Date: Thu, 20 Jun 2002 16:59:36 -0700
Here's something for all of us to note. Let me give you a scenario: multiple Snort sensors, scattered throughout, on varying networks, all, of course, receiving a variety of alerts. Suddenly I notice one sensor getting tons of alerts. The tcpdump on this sensor indicates that this system has been compromised somehow. Hmm, hopefully not, but I kept investigating, to find that all the alerts appear to be prompted by the syslog: sensor A reports to syslog@host(B), and the sensor @host(B) alerts since it sees traffic with the exact content it is designed to alert on. So, when sensor A alerts on, say, a web-iis script access or an SA login failed, it sends the syslog message to syslog on host B; host B reads the syslog message and logs it accordingly, and at the same time the Snort sensor on host B reads the same message as an attack of the same type, and therefore prompts an alert.

What makes this hard is that I run Snort in tcpdump and with -s for remote syslog, so when I try to output the dump file to an alert structure, it just hangs and seems to never finish, while one file under host(B)'s address in the alert dir structure continues to climb in size. For one tcpdump, the size continued to climb until I ran out of drive space, then everything stopped. So I tried another file, and it did basically the same thing. How I finally found this was to start the Snort sensor on the host in question, let it run for about 5 minutes, then perform the extraction, resulting in the finding of something like this:

.W.....V....I.n. s.e.r.t. .i.n.t. o. .S.y.s.l.o.g. d. .(.M.S.G.D.A. T.E.,. .M.S.G.T. I.M.E.,. .M.S.G. P.R.I.O.R.I.T.Y. ,. .M.S.G.H.O.S. T.N.A.M.E.,. .M. S.G.T.E.X.T.). . V.a.l.u.e.s. .(. '.2.0.0.2.-.0.6. -.2.0.'.,. .'.1. 6.:.3.1.:.2.2.'. ,. .'.A.u.t.h... A.l.e.r.t.'.,. . '.6.4...1.6.3... 7.0...2.1.'.,. . '. . . .s.n.o.r. t.[.2.3.9.2.].:. .[.1.:.1.2.9.5. :.4.]. .N.E.T.B. I.O.S. .n.i.m.d. a. .R.I.C.H.E.D. 2.0...D.L.L. .[. C.l.a.s.s.i.f.i. c.a.t.i.o.n.:. . P.o.t.e.n.t.i.a. l.l.y. .B.a.d. .
T.r.a.f.f.i.c.]. .[.P.r.i.o.r.i. t.y.:. .2.].:. . {.T.C.P.}. .6.4.

This is from the tcp2209-139.ids file under my IP directory. As you can see, Snort seems to be alerting on its own alerts, since of course it does see the exact traffic it is designed to alert upon anyway. I'm just passing this bit along, since it had me really stumped for a bit; I was disconnecting things from the network until I realized this. Although I am still a bit confused about a few things, I think this is what has happened. Any objections?

Don
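The feedback loop described in the post can be spotted mechanically: when the packet that triggered an alert itself carries a Snort alert line with the same SID, the sensor is reacting to another sensor's forwarded alert (syslog, or the loghost's database insert of it), not to the original traffic. The following Python is an added example and is not part of the original mail or of Snort; the sample payload is constructed to mimic the 16-bit-character dump above, and the 192.0.2.x addresses are placeholders.

```python
import re
from typing import Optional

# Constructed sample modelled on the wide-character dump in the post: the
# syslog daemon on host B inserting sensor A's alert into a database table.
# Addresses (192.0.2.x) are placeholders, not values from the original mail.
SAMPLE_PAYLOAD = (
    "Insert into Syslogd (MSGDATE, MSGTIME, MSGPRIORITY, MSGHOSTNAME, MSGTEXT) "
    "Values ('2002-06-20', '16:31:22', 'Auth.Alert', '192.0.2.10', "
    "'   snort[2392]: [1:1295:4] NETBIOS nimda RICHED20.DLL "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} "
    "192.0.2.10:1041 -> 192.0.2.20:139')"
).encode("utf-16-le")

# A Snort syslog alert line: "snort[pid]: [gid:sid:rev] msg [Classification: ..."
EMBEDDED_ALERT = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[Classification:"
)

def narrow(payload: bytes) -> str:
    """Decode a captured payload. The dump in the post is 16-bit text (every
    second byte NUL, rendered as '.'), so decode as UTF-16LE when every odd
    byte is NUL; otherwise treat it as an ordinary 8-bit payload."""
    if len(payload) >= 2 and len(payload) % 2 == 0 and not any(payload[1::2]):
        return payload.decode("utf-16-le")
    return payload.decode("latin-1")

def find_embedded_alert(payload: bytes) -> Optional[dict]:
    """Return the Snort alert line carried inside the payload, if any.
    Genuine attack traffic does not normally contain a 'snort[pid]: [gid:sid:rev]'
    line; a forwarded alert (syslog, or a DB insert of it) does."""
    m = EMBEDDED_ALERT.search(narrow(payload))
    if not m:
        return None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]),
            "rev": int(m["rev"]), "msg": m["msg"]}

def is_echo_alert(trigger_sid: int, payload: bytes) -> bool:
    """True when the rule that fired (trigger_sid) matched only because the
    payload carries another sensor's alert for that same SID in transit."""
    inner = find_embedded_alert(payload)
    return inner is not None and inner["sid"] == trigger_sid
```

Running `is_echo_alert` over the alerts logged on the loghost separates echoed alerts from real ones; the durable fix is to keep the loghost's syslog and database traffic out of the sensor's capture filter.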