Snort mailing list archives

Re: Blocking virus with snort inline 2.6.1.5 (more info)


From: carlopmart <carlopmart () gmail com>
Date: Mon, 24 Sep 2007 23:45:18 +0200

I don't know if these alerts are the problem that makes blocking viruses not work:

Alert fast:

09/24-23:35:36.552845  [**] [116:54:1] (snort_decoder): Tcp Options found with bad lengths [**] {TCP} 172.25.50.14:45593 -> 199.107.65.177:80
09/24-23:35:37.112159  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:60411 -> 199.107.65.177:80
09/24-23:35:37.124876  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34559 -> 199.107.65.177:80
09/24-23:35:37.125065  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:54752 -> 199.107.65.177:80
09/24-23:35:37.136889  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:44043 -> 199.107.65.177:80
09/24-23:35:37.660954  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:50164 -> 199.107.65.177:80
09/24-23:35:37.661335  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:45792 -> 199.107.65.177:80
09/24-23:35:37.661419  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34748 -> 199.107.65.177:80
09/24-23:35:38.016954  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:41005 -> 199.107.65.177:80
09/24-23:35:38.043750  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:53810 -> 199.107.65.177:80
09/24-23:35:38.064012  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34920 -> 199.107.65.177:80
09/24-23:35:38.236928  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:42299 -> 199.107.65.177:80
09/24-23:35:38.380886  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:56311 -> 199.107.65.177:80
09/24-23:35:38.413736  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:57794 -> 199.107.65.177:80

And an example of alert full:

[**] [116:55:1] (snort_decoder): Truncated Tcp Options [**]
09/24-23:35:38.413736 172.25.50.14:57794 -> 199.107.65.177:80
TCP TTL:64 TOS:0x0 ID:35866 IpLen:20 DgmLen:60 DF
******S* Seq: 0x654BB2F  Ack: 0x0  Win: 0x16D0  TcpLen: 40

And sticky log:

Dropped 09/24-23:34:44.812049  UDP 192.55.83.30:53->172.25.50.1:53
Dropped 09/24-23:34:46.468960  UDP 172.25.50.1:53->199.7.66.1:53
Dropped 09/24-23:34:46.469292  UDP 172.25.50.1:53->192.54.112.30:53
Dropped 09/24-23:34:48.473058  UDP 172.25.50.1:53->192.43.172.30:53
Dropped 09/24-23:34:50.473168  UDP 172.25.50.1:53->198.133.199.11:53
Dropped 09/24-23:34:54.477573  UDP 172.25.50.1:53->192.100.59.11:53
Dropped 09/24-23:34:56.481514  UDP 172.25.50.1:53->204.74.112.1:53
Dropped 09/24-23:35:01.485849  UDP 172.25.50.1:53->199.7.67.1:53
Dropped 09/24-23:35:02.458473  UDP 172.25.50.1:53->192.100.59.11:53
Dropped 09/24-23:35:04.462060  UDP 172.25.50.1:53->204.74.112.1:53
Dropped 09/24-23:35:09.466323  UDP 172.25.50.1:53->199.7.67.1:53

It blocks all DNS queries .... I don't understand anything ... Please, can 
somebody help me?? I need to put this IDS in a production environment in 
a week and I need to do more and more tests ....

Thanks ....


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
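Added example (editor's code, not from the poster or the Snort project): a small triage script for the two log shapes quoted above. It tallies the alert-fast lines by generator:signature ID and the inline drop lines by protocol and destination port, which is the quickest way to see that every decoder alert is the same host talking to 199.107.65.177:80 and every drop is UDP/53 involving the resolver at 172.25.50.1. It also walks a TCP option area the way a decoder does, so the reader can see what "Truncated Tcp Options" (an option whose declared length runs past the end of the option area) and "bad lengths" (a length byte below 2) actually mean. The verdict names and the option-walk are my approximation of the decoder's checks, not Snort's code; the sample option bytes are a constructed Linux-style SYN (MSS, SACK-permitted, timestamps, NOP, window scale), and the sample log lines are copied from the post.

```python
import re
from collections import Counter

# --- Sample input (copied from the post; alert lines re-joined onto one line) ---
ALERT_LINES = [
    "09/24-23:35:36.552845  [**] [116:54:1] (snort_decoder): Tcp Options found with bad lengths [**] {TCP} 172.25.50.14:45593 -> 199.107.65.177:80",
    "09/24-23:35:37.112159  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:60411 -> 199.107.65.177:80",
    "09/24-23:35:37.124876  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34559 -> 199.107.65.177:80",
]
DROP_LINES = [
    "Dropped 09/24-23:34:44.812049  UDP 192.55.83.30:53->172.25.50.1:53",
    "Dropped 09/24-23:34:46.468960  UDP 172.25.50.1:53->199.7.66.1:53",
    "Dropped 09/24-23:34:46.469292  UDP 172.25.50.1:53->192.54.112.30:53",
]

# Snort "alert fast" line and the inline "Dropped ..." line, as they appear above.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
DROP_RE = re.compile(
    r"^Dropped\s+(?P<ts>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def summarize_alerts(lines):
    """Count alert-fast lines per 'gid:sid' and per (src, dst:dport) pair."""
    by_sig, by_pair = Counter(), Counter()
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert-fast line; skip rather than guess
        by_sig[f"{m['gid']}:{m['sid']}"] += 1
        by_pair[(m["src"], f"{m['dst']}:{m['dport']}")] += 1
    return by_sig, by_pair


def summarize_drops(lines):
    """Count inline drops per (proto, dport); all-UDP/53 means DNS is what is being cut."""
    by_port = Counter()
    for line in lines:
        m = DROP_RE.match(line)
        if m:
            by_port[(m["proto"], m["dport"])] += 1
    return by_port


def check_tcp_options(opts: bytes):
    """Walk a TCP option area like a decoder would.

    Returns (verdict, parsed) where verdict is one of:
      "ok"          every option fits and has a sane length
      "bad_length"  an option carries a length byte < 2 (cannot even cover kind+len)
      "truncated"   an option's declared length runs past the end of the area
    Kind 0 (EOL) ends the walk; kind 1 (NOP) is a single byte with no length.
    """
    parsed, i, n = [], 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == 0:
            parsed.append((0, b""))
            break
        if kind == 1:
            parsed.append((1, b""))
            i += 1
            continue
        if i + 1 >= n:                      # kind present, length byte missing
            return "truncated", parsed
        length = opts[i + 1]
        if length < 2:
            return "bad_length", parsed
        if i + length > n:                  # declared length overruns the area
            return "truncated", parsed
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return "ok", parsed


# Constructed 20-byte option area of a typical Linux SYN (matches TcpLen: 40 above):
# MSS 1460 | SACK-permitted | Timestamps TSval=1 TSecr=0 | NOP | Window scale 7
GOOD_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
TRUNCATED_OPTS = GOOD_OPTS[:-1]             # window-scale option cut one byte short
BAD_LEN_OPTS = bytes.fromhex("020105b4")    # MSS option claiming length 1

if __name__ == "__main__":
    sigs, pairs = summarize_alerts(ALERT_LINES)
    print("alerts by gid:sid:", dict(sigs))
    print("alerts by src -> dst:port:", dict(pairs))
    print("drops by proto/dport:", dict(summarize_drops(DROP_LINES)))
    for name, blob in (("good", GOOD_OPTS), ("truncated", TRUNCATED_OPTS), ("bad_len", BAD_LEN_OPTS)):
        print(name, "->", check_tcp_options(blob)[0])
```

Feed it the full alert and drop logs instead of the three-line samples and the two tallies make the pattern obvious: the decoder alerts are one client (172.25.50.14) to one web server, while the drops are every outbound and inbound UDP/53 datagram of the resolver, which is consistent with the poster's observation that all DNS stops. Whether the drops and the decoder alerts are related cannot be decided from these lines alone; that needs the rule or policy that produced the drop verdicts, which the post does not include.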

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net