Snort mailing list archives

RE: Bad Protocol?

From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Mon, 6 Jan 2003 13:54:45 -0500

Good idea, Mark.  What version of Snort are you running?  I'm using the 1.9
final - I don't think the conversation preprocessor is available for 1.9
final, which unfortunately still leaves me in the dust.

Mike

-----Original Message-----
From: Mark Schaefer [mailto:mark () verio net]
Sent: Monday, January 06, 2003 12:33 PM
To: Martin Roesch
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Bad Protocol?



In my snort.conf, this seems to work just fine:

preprocessor conversation: allowed_ip_protocols <list>, timeout 60, 
max_conversations 65335, alert_odd_protocols

And sends an alert to the log file when it sees something not 
in <list>.

Mark

Martin Roesch wrote:

This rule doesn't work because you can't stack ip_proto

calls in a Snort

rule (today).  Disable it for now, I'm fixing the ip_proto

detection plugin

as we speak...

     -Marty


On 1/6/03 10:13 AM, "Cloppert, Michael"

<Michael.Cloppert () 53 com> wrote:

Mike, et. al.,

I was about to post a duplicate message - glad I checked my

Snort folder

first!

Here are the details of what I'm seeing:
I get events logged as "BAD TRAFFIC Non-Standard IP

protocol".  My Snort

signature for this (sid=1620), as a sanity check, is:
---
log ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC

Non-Standard IP

protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47;
ip_proto:!50; ip_proto:!51; ip_proto:!89;

classtype:non-standard-protocol;

sid:1620; rev:2;)
---

Dumping one of the packets triggering this as tcpdump

interprets it, I see:

---
22:49:10.175747 24.154.208.125.2534 > 204.90.1.66.443: .

[tcp sum ok]

1078:1078(0) ack 7125 win 64191 (DF) (ttl 115, id 30015, len 40)
4500 0028 753f 4000 7306 dbdc xxxx xxxx
yyyy yyyy 09e6 01bb 0cf9 3295 5212 5399
5010 fabf 0d86 0000 0000 0000 0000
---
..obviously, by the 0x06 in the 9th byte, this is TCP.

Surprisingly enough,

when I look in my Snort database, I even see the "ip_proto"

field in the

"iphdr" table listed as "6"!  This means Snort is even

reading the packet

properly.  Why this is triggering is beyond me, but my

burgeoning log files

are becoming more than just a nuisance, as I have numerous

packets like

this.

Any help is welcome!!!

Mike

-----Original Message-----
From: Mike Koponick [mailto:mike () redhawk info]
Sent: Sunday, January 05, 2003 12:30 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Bad Protocol?

Now that I have decent loggin working, I'm getting some
messages that appear
to be normal packets, but SNORT seems to think that something
is wrong with
them. I think it might be a rule problem.. has anyone else

seen this?


01/05-17:33:24.184929  [**] [118:1:1] (spp_conversation) Bad
IP protocol!
[**] {UDP} 192.168.xx.xx:514 -> 192.168.xx.xx:514

Obviously, this is a SYSLOG message, which we do have a node
on the network
logging to the snort box for syslog parsing.

This is what the packet looks like:

[**] (spp_conversation) Bad IP protocol! [**]
01/04-15:56:38.598158 192.168.xx.xx:514 -> 192.168.xx.xx:514
UDP TTL:255 TOS:0x0 ID:46088 IpLen:20 DgmLen:171

Thanks in advance for your help.

Mike



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Privileged/confidential information may be contained within this 
communication.  If you are not the intended recipient of this 
communication, please destroy it without copying, disclosing, or 
otherwise using its contents and please promptly advise the sender at 
mschaefer () verio net.  Any views or opinions expressed are 
solely those 
of the author and do not necessarily represent those of NTT/VERIO. 
Thank you.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

RE: Bad Protocol? Cloppert, Michael (Jan 06)
- Re: Bad Protocol? Martin Roesch (Jan 06)
  - Re: Bad Protocol? Mark Schaefer (Jan 06)
- <Possible follow-ups>
- RE: Bad Protocol? Cloppert, Michael (Jan 06)