Snort mailing list archives

Snort duplicate signatures in table


From: "Vladimir" <pvm () napravlenie ru>
Date: Wed, 19 Apr 2006 13:13:24 +0400

Hello everyone!

I have the following snort installation:
Mandrake 10.2
snort-2.4.4 with postgresql-8 and debug support
libpcap-0.9.4

My firewall has 3 interfaces:

1)External (for example 52.1.1.X)
2)DMZ(52.1.2.64/26)
3)Internal (52.1.2.0/26)

Snort is listening only on the External and DMZ interfaces. Snort must protect
the DMZ and Internal networks.

I have the following snort.conf:

var HOME_NET 52.1.2.0/25
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var SSH_PORTS 22
var HTTP_PORTS 80
var SHELLCODE_PORTS !80

When some signature is detected in a packet going from the External to the DMZ
interface, the alert is duplicated in the logs:

Apr 18 19:10:25 gw1 snort[29246]: [1:1250:13] WEB-MISC Cisco IOS HTTP
configuration attempt [Classification: Web Application Attack] [Priority:
1]: {TCP} 24.15.192.185:2928 -> 52.1.2.80:80
Apr 18 19:10:25 gw1 snort[29259]: [1:1250:13] WEB-MISC Cisco IOS HTTP
configuration attempt [Classification: Web Application Attack] [Priority:
1]: {TCP} 24.15.192.185:2928 -> 52.1.2.80:80
Apr 18 19:10:58 gw1 snort[29246]: database: warning (SELECT sig_id   FROM
signature  WHERE sig_name = 'WEB-MISC Cisco IOS HTTP configuration attempt'
AND sig_rev = 13    AND sig_sid = 1250 ) returned more than one result
Apr 18 19:10:58 gw1 snort[29259]: database: warning (SELECT sig_id   FROM
signature  WHERE sig_name = 'WEB-MISC Cisco IOS HTTP configuration attempt'
AND sig_rev = 13    AND sig_sid = 1250 ) returned more than one result

This means that the packet goes over 2 interfaces and snort detects suspicious
traffic on each. Then snort executes 2 concurrent SELECT queries (1 by each
snort process) to see whether the signature exists in the signature database.
And then snort tries to insert the signature.
I know that the signature table does not have duplicated signatures, but I
don't know how to solve this problem.
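Added example (not code from the post, from Snort, or from the database output plugin): a simulation of the race the post describes, where two sensor processes both SELECT the signature, both find nothing, and both INSERT, leaving two rows that make the next lookup "return more than one result". It uses an in-memory SQLite database and a simplified signature table with only the columns the warning names (an assumption, not Snort's full schema). It shows the naive check-then-insert pattern producing the duplicate, a query to find and remove duplicate groups already in the table, and the fix that actually closes the race: a unique index on (sig_name, sig_sid, sig_rev) with the insert tolerating a conflict by re-reading the winner's sig_id. The function names and the two-process interleaving are mine.

```python
import sqlite3

# Constructed sample input: the signature from the alert quoted in the post,
# as (sig_name, sig_sid, sig_rev).
SIG = ("WEB-MISC Cisco IOS HTTP configuration attempt", 1250, 13)


def make_db(unique_index):
    """Simplified signature table (assumed; only the columns the warning names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE signature ("
        " sig_id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " sig_name TEXT NOT NULL, sig_sid INTEGER NOT NULL, sig_rev INTEGER NOT NULL)"
    )
    if unique_index:
        # The schema-side fix: the database itself refuses a second row for
        # the same (name, sid, rev). The same statement works on PostgreSQL.
        conn.execute(
            "CREATE UNIQUE INDEX signature_uniq"
            " ON signature (sig_name, sig_sid, sig_rev)"
        )
    return conn


def lookup(conn, name, sid, rev):
    """The SELECT from the warning; returns every matching sig_id."""
    rows = conn.execute(
        "SELECT sig_id FROM signature"
        " WHERE sig_name = ? AND sig_rev = ? AND sig_sid = ?",
        (name, rev, sid),
    ).fetchall()
    return [r[0] for r in rows]


def insert_unchecked(conn, name, sid, rev):
    """Plain INSERT: what each process does after its SELECT found nothing."""
    cur = conn.execute(
        "INSERT INTO signature (sig_name, sig_sid, sig_rev) VALUES (?, ?, ?)",
        (name, sid, rev),
    )
    return cur.lastrowid


def insert_or_reuse(conn, name, sid, rev):
    """Race-tolerant INSERT: relies on the unique index; on conflict the other
    process's row wins and we read its sig_id back instead of adding ours."""
    try:
        return insert_unchecked(conn, name, sid, rev)
    except sqlite3.IntegrityError:
        return lookup(conn, name, sid, rev)[0]


def race_two_sensors(conn, tolerant):
    """Interleave two sensor processes so both SELECT before either INSERTs,
    which is the ordering that produces duplicates. Returns the sig_ids the
    lookup finds afterwards: two without the index, one with it."""
    name, sid, rev = SIG
    precheck = [lookup(conn, name, sid, rev) for _ in range(2)]
    if any(precheck):
        raise RuntimeError("table not empty; simulation expects a fresh db")
    writer = insert_or_reuse if tolerant else insert_unchecked
    for _ in range(2):
        writer(conn, name, sid, rev)
    conn.commit()
    return lookup(conn, name, sid, rev)


def find_duplicates(conn):
    """Groups that make the plugin's SELECT return more than one result."""
    return conn.execute(
        "SELECT sig_name, sig_sid, sig_rev, COUNT(*), MIN(sig_id)"
        " FROM signature GROUP BY sig_name, sig_sid, sig_rev HAVING COUNT(*) > 1"
    ).fetchall()


def remove_duplicates(conn):
    """Delete all but the lowest sig_id of each group; returns rows removed.
    On a live Snort database, repoint any event rows that reference the
    doomed sig_ids to the kept one before running this (assumed schema)."""
    cur = conn.execute(
        "DELETE FROM signature WHERE sig_id NOT IN"
        " (SELECT MIN(sig_id) FROM signature GROUP BY sig_name, sig_sid, sig_rev)"
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    racy = make_db(unique_index=False)
    print("without index:", race_two_sensors(racy, tolerant=False))
    print("duplicate groups:", find_duplicates(racy))
    print("removed:", remove_duplicates(racy), "left:", lookup(racy, *SIG))
    fixed = make_db(unique_index=True)
    print("with index:", race_two_sensors(fixed, tolerant=True))
```

Two caveats for running the same idea against the poster's PostgreSQL 8 database: first, the unique index alone only turns the duplicate into a failed INSERT, so the inserting side has to catch the unique violation and re-select, as insert_or_reuse does; second, unlike SQLite, a failed statement in PostgreSQL aborts the enclosing transaction until it is rolled back, so wrap the INSERT in a savepoint or its own transaction. Run find_duplicates first to see whether the table already holds duplicate groups; the post's "returned more than one result" warning is exactly the symptom of one.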



