Snort mailing list archives
RE: Bad Protocol?
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Mon, 6 Jan 2003 13:54:45 -0500
Good idea, Mark. What version of Snort are you running? I'm using the 1.9 final - I don't think the conversation preprocessor is available for 1.9 final, which unfortunately still leaves me in the dust. Mike
-----Original Message-----
From: Mark Schaefer [mailto:mark () verio net]
Sent: Monday, January 06, 2003 12:33 PM
To: Martin Roesch
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Bad Protocol?

In my snort.conf, this seems to work just fine:

preprocessor conversation: allowed_ip_protocols <list>, timeout 60, max_conversations 65335, alert_odd_protocols

And sends an alert to the log file when it sees something not in <list>.

Mark

Martin Roesch wrote:
> This rule doesn't work because you can't stack ip_proto calls in a Snort rule (today). Disable it for now, I'm fixing the ip_proto detection plugin as we speak...
>
> -Marty
>
> On 1/6/03 10:13 AM, "Cloppert, Michael" <Michael.Cloppert () 53 com> wrote:
>> Mike, et al.,
>>
>> I was about to post a duplicate message - glad I checked my Snort folder first! Here are the details of what I'm seeing:
>>
>> I get events logged as "BAD TRAFFIC Non-Standard IP protocol". My Snort signature for this (sid=1620), as a sanity check, is:
>> ---
>> log ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:2;)
>> ---
>>
>> Dumping one of the packets triggering this as tcpdump interprets it, I see:
>> ---
>> 22:49:10.175747 24.154.208.125.2534 > 204.90.1.66.443: . [tcp sum ok] 1078:1078(0) ack 7125 win 64191 (DF) (ttl 115, id 30015, len 40)
>> 4500 0028 753f 4000 7306 dbdc xxxx xxxx
>> yyyy yyyy 09e6 01bb 0cf9 3295 5212 5399
>> 5010 fabf 0d86 0000 0000 0000 0000
>> ---
>>
>> ..obviously, by the 0x06 in the 9th byte, this is TCP. Surprisingly enough, when I look in my Snort database, I even see the "ip_proto" field in the "iphdr" table listed as "6"! This means Snort is even reading the packet properly. Why this is triggering is beyond me, but my burgeoning log files are becoming more than just a nuisance, as I have numerous packets like this. Any help is welcome!!!
>>
>> Mike
>>
>> -----Original Message-----
>> From: Mike Koponick [mailto:mike () redhawk info]
>> Sent: Sunday, January 05, 2003 12:30 PM
>> To: snort-users () lists sourceforge net
>> Subject: [Snort-users] Bad Protocol?
>>
>> Now that I have decent logging working, I'm getting some messages that appear to be normal packets, but SNORT seems to think that something is wrong with them. I think it might be a rule problem.. has anyone else seen this?
>>
>> 01/05-17:33:24.184929 [**] [118:1:1] (spp_conversation) Bad IP protocol! [**] {UDP} 192.168.xx.xx:514 -> 192.168.xx.xx:514
>>
>> Obviously, this is a SYSLOG message, which we do have a node on the network logging to the snort box for syslog parsing. This is what the packet looks like:
>>
>> [**] (spp_conversation) Bad IP protocol! [**]
>> 01/04-15:56:38.598158 192.168.xx.xx:514 -> 192.168.xx.xx:514
>> UDP TTL:255 TOS:0x0 ID:46088 IpLen:20 DgmLen:171
>>
>> Thanks in advance for your help.
>>
>> Mike

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
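A worked check of the point the thread turns on, added here as an example; it is not code from any of the posts nor Snort's own. It parses the tcpdump-style hex dump Mike quoted (with the redacted xxxx/yyyy address words replaced by the constructed addresses 10.0.0.1 and 10.0.0.2), reads the IPv4 protocol byte the way the "9th byte" remark does, and evaluates the "non-standard protocol" decision as a set-membership test, which is what sid 1620's stack of negated ip_proto options and the conversation preprocessor's allowed_ip_protocols list both intend. The any_negation_matches function is a hypothetical illustration of how such a stack degrades if the options are OR'ed rather than AND'ed; the thread does not say that is what the 1.9 plugin did. All function names are mine.

```python
"""Check the "non-standard IP protocol" logic against a tcpdump -x hex dump."""
import ipaddress
from typing import FrozenSet

# Protocol numbers sid 1620 treats as standard: ICMP, IGMP, TCP, GRE, ESP, AH, OSPF.
STANDARD_IP_PROTOCOLS: FrozenSet[int] = frozenset({1, 2, 6, 47, 50, 51, 89})

# Constructed input: the TCP ACK quoted in the thread, with the redacted
# xxxx/yyyy address words replaced by the made-up 10.0.0.1 and 10.0.0.2.
# (The header checksum 0xdbdc therefore no longer verifies; it is not checked.)
TCP_ACK_DUMP = """
4500 0028 753f 4000 7306 dbdc 0a00 0001
0a00 0002 09e6 01bb 0cf9 3295 5212 5399
5010 fabf 0d86 0000 0000 0000 0000
"""


def parse_hex_dump(text: str) -> bytes:
    """Turn tcpdump -x output (16-bit hex words, optional '0x0000:' offsets) into bytes."""
    words = []
    for line in text.strip().splitlines():
        for token in line.split():
            if token.endswith(":"):  # a leading offset column such as "0x0010:"
                continue
            words.append(token)
    return bytes.fromhex("".join(words))


def ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed part of an IPv4 header; raise if the bytes are not plausibly IPv4."""
    if len(pkt) < 20:
        raise ValueError("short packet: %d bytes" % len(pkt))
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header (version=%d ihl=%d)" % (version, ihl))
    return {
        "total_length": int.from_bytes(pkt[2:4], "big"),
        "id": int.from_bytes(pkt[4:6], "big"),
        "ttl": pkt[8],
        "protocol": pkt[9],  # the "9th byte" (offset 9) the thread points at
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
    }


def is_odd_protocol(proto: int, allowed: FrozenSet[int] = STANDARD_IP_PROTOCOLS) -> bool:
    """What sid 1620 and allowed_ip_protocols intend: alert only when proto is outside the set.
    Equivalent to the conjunction proto!=1 AND proto!=2 AND ... AND proto!=89."""
    return proto not in allowed


def any_negation_matches(proto: int, denied: FrozenSet[int] = STANDARD_IP_PROTOCOLS) -> bool:
    """Hypothetical illustration only: if stacked ip_proto:!N options were OR'ed instead of
    AND'ed, the rule fires whenever proto differs from ANY listed value, i.e. on every packet
    once two values are listed. The thread does not say this is what Snort 1.9 did."""
    return any(proto != n for n in denied)


def evaluate_dump(text: str) -> dict:
    """Parse a dump and report both readings of the check for its protocol field."""
    hdr = ipv4_header(parse_hex_dump(text))
    proto = hdr["protocol"]
    return {
        "protocol": proto,
        "set_membership_alerts": is_odd_protocol(proto),
        "or_of_negations_alerts": any_negation_matches(proto),
    }


if __name__ == "__main__":
    print(evaluate_dump(TCP_ACK_DUMP))  # protocol 6: set test is quiet, OR'ed negations fire
    for p in (17, 41, 255):  # UDP, IPv6-in-IPv4, reserved: all outside sid 1620's set
        print(p, is_odd_protocol(p))
```

Note that sid 1620's list omits UDP (17), so a syslog datagram like the one in the first post counts as "odd" under that exact set; whatever list is handed to the conversation preprocessor should include 17 (and anything else legitimately carried on the network) or the preprocessor will raise the same alert on ordinary traffic.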
Current thread:
- RE: Bad Protocol? Cloppert, Michael (Jan 06)
- Re: Bad Protocol? Martin Roesch (Jan 06)
- Re: Bad Protocol? Mark Schaefer (Jan 06)
- <Possible follow-ups>
- RE: Bad Protocol? Cloppert, Michael (Jan 06)
- Re: Bad Protocol? Martin Roesch (Jan 06)