Snort mailing list archives

False Alarm - still not solved

From: Holger Marzen <holger () marzen de>
Date: Wed, 14 May 2003 11:29:22 +0200 (CEST)
Hi all,

I still get false alarms: Traffic that should be ignored with pass rules
but is *sometimes* catched by rules like

log tcp any any <> any any  (msg: "forbidden tcp traffic"; logto: "important.log";)

I use snort 2.0 on a Linux machine with kernel 2.2.16 and only 32MB RAM.
It worked perfectly with snort 1.6. I upgraded to snort 2.0 because of
security reasons.

snort ist started as:

|/usr/local/bin/snort -dev -A full -D \
|   -i eth1 \
|   -l /var/log/snort \
|   -c /etc/snort/snort.conf -o
|/sbin/ifconfig eth1 promisc

I had to add "/sbin/ifconfig eth1 promisc" because snort always puts the
interface in promisc mode and then instantly changes it back:

|May 14 11:18:52 i201803 kernel: device eth1 entered promiscuous mode
|May 14 11:18:52 i201803 snort: OpenPcap() device eth1 network lookup: ^Ieth1: no IPv4 address assigned
|May 14 11:18:52 i201803 snort: Initializing daemon mode
|May 14 11:18:52 i201803 kernel: device eth1 left promiscuous mode
|May 14 11:18:52 i201803 snort: PID path stat checked out ok, PID path set to /var/run/
|May 14 11:18:52 i201803 snort: Writing PID "26333" to file "/var/run//snort_eth1.pid"
|May 14 11:18:52 i201803 snort: [*] Frag2 config:
|May 14 11:18:52 i201803 snort:     Fragment timeout: 60 seconds
|May 14 11:18:52 i201803 snort:     Fragment memory cap: 1000000 bytes
|May 14 11:18:52 i201803 snort:     Fragment min_ttl:   0
|May 14 11:18:52 i201803 snort:     Fragment ttl_limit: 5
|May 14 11:18:52 i201803 snort:     Fragment Problems: 0
|May 14 11:18:52 i201803 snort:     State Protection: 0
|May 14 11:18:52 i201803 snort:     Self preservation threshold: 500
|May 14 11:18:52 i201803 snort:     Self preservation period: 90
|May 14 11:18:52 i201803 snort:     Suspend threshold: 1000
|May 14 11:18:52 i201803 snort:     Suspend period: 30
|May 14 11:18:52 i201803 snort: Snort initialization completed successfully

But that's no problem. A problem are the few packets that are detected
although there is a pass rule. It makes no difference if "-o" is used or
not. And it makes no difference if I use a separate NIC (eth1) or use
eth0.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] forbidden tcp traffic [**]
05/14-10:43:20.176076 0:6:29:50:F1:82 -> 0:1:96:DB:23:A0 type:0x800
len:0xC3
212.18.198.106:80 -> 172.178.246.129:1984 TCP TTL:128 TOS:0x0 ID:19126
IpLen:20 DgmLen:181
 DF
***AP*** Seq: 0x114D04D2  Ack: 0x51F8E0  Win: 0x2180  TcpLen: 20
B9 72 FB 6B A0 28 95 FA 1E DC 5A 7D 10 F5 31 14  .r.k.(....Z}..1.
14 3C 40 3F 79 D3 40 4B 71 B4 F1 76 FB 51 7F E6  .<@?y.@Kq..v.Q..
D2 53 4F DB AC FE C8 F6 A4 7F 6B F2 D1 17 FE 6D  .SO.......k....m
2C 52 47 84 4F 53 EE 33 91 E1 55 51 FE 27 4C 24  ,RG.OS.3..UQ.'L$
57 12 03 53 ED 97 07 C4 90 0A FD BC 88 D4 4D 10  W..S..........M.
17 14 8E 83 91 AB F9 A8 03 EE 3A 89 A2 9B 6A B2  ..........:...j.
E0 71 FC 44 7F C2 0F F8 E9 60 A5 8A 4D 96 1A FA  .q.D.....`..M...
9D FF 00 FA 17 FE 6D 4B 05 03 54 32 B6 BC B7 76  ......mK..T2...v
F8 7A 57 FE 6D 49 25 7F 4D 45 7F FF D9           .zW.mI%.ME...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

That is traffic that is allowed with:

|var WEB   212.18.198.106/32
|pass tcp any any <> $WEB 80
[...]
|log tcp any any <> any any  (msg: "forbidden tcp traffic"; logto: "important.log";)

The last line should catch it never, but it does sometimes.

I noticed that the false alarms (only few per day) always have a local
(ephemeral) port of one of these that is used in other pass-rules as an
destination port. Is that a bug in snort? Maybe because of low memory
(32MB)? To tune snort for low memory I use:

|config detection: search-method lowmem
|preprocessor frag2: memcap 1000000
|preprocessor stream4: memcap 1000000, disable_evasion_alerts
|preprocessor stream4_reassemble


What can I do?


-- 
PGP/GPG Key-ID:
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1


-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

False Alarm - still not solved Holger Marzen (May 14)