Snort mailing list archives
RE: Odd Information
From: "Lee Clemens" <snort () leeclemens net>
Date: Sun, 17 Apr 2005 18:35:55 -0400
I'm a bit confused about the question. You say your rule is broken? But you have it set to pass any tcp, udp, or icmp packet.
Anyway, I am wondering do I have something setup wrong in the rule set that is letting these few IP addresses through? Why is the port 0?
Why wouldn't it let those IP addresses through? You have it set to log for that particular rule, and pass <> anything to anything, effectively. For the second part, I'm not exactly sure (especially without seeing the logged packet), but it seems the port is 0 because the packet was cut short. What is it you are trying to make happen? Also, you will want to make ![$NETWORK] look like !$NETWORK (I'm pretty sure []'s are only used for IP lists). Hope that's a start at least, but I still don't feel like I answered your question...

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kevin Smith
Sent: Saturday, April 16, 2005 4:29 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Odd Information

Hey everyone,

I have noticed every once in a while a rule of mine is broken. I am not sure what is causing it and was wondering if anyone had any ideas. Here is my rule.

var NETWORK [64.7.160.0/19]

pass tcp ![$NETWORK] any <> any any
pass udp ![$NETWORK] any <> any any
pass icmp ![$NETWORK] any <> any any

log tcp $NETWORK any -> any any (flowbits:isnotset,tagged; flowbits:set,tagged; threshold: type limit, track by_src, count 5, seconds 30; tag:session, 600, seconds;)

Now what is odd is that I get maybe 1 or 2 of these every few days (sorry if the HTML throws anyone off).

#0-(1-76619) [snort <http://www.snort.org/snort-db/sid.html?sid=46>] snort_decoder: TCP Data Offset is less than 5! 2005-04-16 10:00:35 221.14.148.19:0 64.7.175.54:0 TCP
#1-(1-76620) [snort <http://www.snort.org/snort-db/sid.html?sid=46>] snort_decoder: TCP Data Offset is less than 5! 2005-04-16 10:02:31 221.14.148.19:0 64.7.191.181:0 TCP
#2-(1-76646) [snort <http://www.snort.org/snort-db/sid.html?sid=46>] snort_decoder: TCP Data Offset is less than 5! 2005-04-16 10:04:19 221.14.148.19:0 64.7.184.171:0 TCP
#3-(1-76655) [snort <http://www.snort.org/snort-db/sid.html?sid=46>] snort_decoder: TCP Data Offset is less than 5! 2005-04-16 10:04:58 221.14.148.19:0 64.7.181.186:0 TCP
#4-(1-76656) [snort <http://www.snort.org/snort-db/sid.html?sid=46>] snort_decoder: TCP Data Offset is less than 5! 2005-04-16 10:05:02 221.14.148.19:0 64.7.188.29:0 TCP
#5-(1-76689) [snort <http://www.snort.org/snort-db/sid.html?sid=46>] snort_decoder: TCP Data Offset is less than 5! 2005-04-16 10:05:54 221.14.148.19:0 64.7.186.38:0 TCP
#6-(1-76690) [snort <http://www.snort.org/snort-db/sid.html?sid=46>] snort_decoder: TCP Data Offset is less than 5! 2005-04-16 10:06:00 221.14.148.19:0 64.7.189.109:0 TCP
#7-(1-76736) [snort <http://www.snort.org/snort-db/sid.html?sid=46>] snort_decoder: TCP Data Offset is less than 5! 2005-04-16 10:07:24 221.14.148.19:0 64.7.186.246:0 TCP

Anyway, I am wondering do I have something setup wrong in the rule set that is letting these few IP addresses through? Why is the port 0?

Thanks for your help.

Kevin
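As an added illustration (not code from either message in this thread), the following Python decodes a raw TCP header the way a conservative IDS decoder does: when the data offset field is below 5, it raises the same decoder alert Kevin's console shows and reports both ports as 0 instead of trusting a header it cannot parse. The sample segments are constructed, and the decode behaviour is modelled on Snort's decoder rather than copied from it.

```python
import struct

# Smallest legal TCP data offset: 5 32-bit words, i.e. a 20-byte header.
# Snort's decoder alert "TCP Data Offset is less than 5!" (sid 46 in the
# post above) fires when the field is below this value.
MIN_TCP_DATA_OFFSET = 5
TCP_HEADER_LEN = 20


def build_tcp_header(src_port, dst_port, data_offset, flags=0x02):
    """Construct a bare 20-byte TCP header for testing (constructed data)."""
    off_flags = (data_offset << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, 1, 0, off_flags, 8192, 0, 0)


def decode_tcp(segment):
    """Decode a raw TCP segment conservatively, like an IDS decoder.

    Returns src_port, dst_port, data_offset and a list of decoder alerts.
    On a malformed header the ports stay 0 rather than being trusted,
    which is consistent with the ':0' the original poster sees in ACID.
    """
    alerts = []
    result = {"src_port": 0, "dst_port": 0, "data_offset": None, "alerts": alerts}
    if len(segment) < TCP_HEADER_LEN:
        alerts.append("TCP packet length is less than the minimum header size")
        return result
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = off_flags >> 12  # upper 4 bits of the 16-bit offset/flags word
    result["data_offset"] = data_offset
    if data_offset < MIN_TCP_DATA_OFFSET:
        alerts.append("TCP Data Offset is less than 5!")
        return result
    if data_offset * 4 > len(segment):
        alerts.append("TCP header length exceeds captured segment length")
        return result
    result["src_port"], result["dst_port"] = src, dst
    return result


# Constructed samples: a well-formed SYN, and one whose offset field is 2.
GOOD_SEGMENT = build_tcp_header(40000, 80, 5)
BAD_SEGMENT = build_tcp_header(40000, 80, 2)

if __name__ == "__main__":
    for name, seg in (("good", GOOD_SEGMENT), ("bad", BAD_SEGMENT)):
        print(name, decode_tcp(seg))
```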