Snort mailing list archives
Re: Blocking virus with snort inline 2.6.1.5 (more info)
From: carlopmart <carlopmart () gmail com>
Date: Mon, 24 Sep 2007 23:45:18 +0200
I don't know if these alerts are the reason that blocking the virus doesn't work:

Alert fast:

09/24-23:35:36.552845 [**] [116:54:1] (snort_decoder): Tcp Options found with bad lengths [**] {TCP} 172.25.50.14:45593 -> 199.107.65.177:80
09/24-23:35:37.112159 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:60411 -> 199.107.65.177:80
09/24-23:35:37.124876 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34559 -> 199.107.65.177:80
09/24-23:35:37.125065 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:54752 -> 199.107.65.177:80
09/24-23:35:37.136889 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:44043 -> 199.107.65.177:80
09/24-23:35:37.660954 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:50164 -> 199.107.65.177:80
09/24-23:35:37.661335 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:45792 -> 199.107.65.177:80
09/24-23:35:37.661419 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34748 -> 199.107.65.177:80
09/24-23:35:38.016954 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:41005 -> 199.107.65.177:80
09/24-23:35:38.043750 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:53810 -> 199.107.65.177:80
09/24-23:35:38.064012 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34920 -> 199.107.65.177:80
09/24-23:35:38.236928 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:42299 -> 199.107.65.177:80
09/24-23:35:38.380886 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:56311 -> 199.107.65.177:80
09/24-23:35:38.413736 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:57794 -> 199.107.65.177:80

And an example of alert full:

[**] [116:55:1] (snort_decoder): Truncated Tcp Options [**]
09/24-23:35:38.413736 172.25.50.14:57794 -> 199.107.65.177:80
TCP TTL:64 TOS:0x0 ID:35866 IpLen:20 DgmLen:60 DF
******S* Seq: 0x654BB2F  Ack: 0x0  Win: 0x16D0  TcpLen: 40

And sticky log:

Dropped 09/24-23:34:44.812049 UDP 192.55.83.30:53->172.25.50.1:53
Dropped 09/24-23:34:46.468960 UDP 172.25.50.1:53->199.7.66.1:53
Dropped 09/24-23:34:46.469292 UDP 172.25.50.1:53->192.54.112.30:53
Dropped 09/24-23:34:48.473058 UDP 172.25.50.1:53->192.43.172.30:53
Dropped 09/24-23:34:50.473168 UDP 172.25.50.1:53->198.133.199.11:53
Dropped 09/24-23:34:54.477573 UDP 172.25.50.1:53->192.100.59.11:53
Dropped 09/24-23:34:56.481514 UDP 172.25.50.1:53->204.74.112.1:53
Dropped 09/24-23:35:01.485849 UDP 172.25.50.1:53->199.7.67.1:53
Dropped 09/24-23:35:02.458473 UDP 172.25.50.1:53->192.100.59.11:53
Dropped 09/24-23:35:04.462060 UDP 172.25.50.1:53->204.74.112.1:53
Dropped 09/24-23:35:09.466323 UDP 172.25.50.1:53->199.7.67.1:53

It blocks all DNS queries... I don't understand anything... Please, can somebody help me?? I need to put this IDS in a production environment in a week and I need to do more and more tests...

Thanks...

--
CL Martinez
carlopmart {at} gmail {d0t} com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
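The two logs in the post are in different formats and cover different traffic: the alert_fast lines are all GID 116 decoder alerts on TCP SYNs to port 80, while every line of the drop log is UDP port 53. A practitioner's first check is therefore whether any dropped flow actually matches an alert, or whether the drops come from something that never logged an alert. The script below is an added example written for this thread, not the poster's code and not part of Snort; it parses the alert_fast and "Dropped" line formats exactly as shown above (a few lines are copied from the post as constructed sample input), counts alerts per GID:SID, and lists drops whose 5-tuple matches no alert. The optional `[Classification: ...] [Priority: N]` fields in the alert regex are an assumption about rule-generated alerts, which the decoder alerts here do not carry.

```python
"""Triage helper for Snort 2.x inline logs: parse alert_fast lines and the
drop log, then report drops that no alert in hand explains.
Added example for this thread; not Snort's code and not the poster's."""
import re
from collections import Counter

# Constructed sample input: lines copied from the post above.
ALERT_FAST = """\
09/24-23:35:36.552845 [**] [116:54:1] (snort_decoder): Tcp Options found with bad lengths [**] {TCP} 172.25.50.14:45593 -> 199.107.65.177:80
09/24-23:35:37.112159 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:60411 -> 199.107.65.177:80
09/24-23:35:37.124876 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34559 -> 199.107.65.177:80
09/24-23:35:37.125065 [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:54752 -> 199.107.65.177:80
"""

DROP_LOG = """\
Dropped 09/24-23:34:44.812049 UDP 192.55.83.30:53->172.25.50.1:53
Dropped 09/24-23:34:46.468960 UDP 172.25.50.1:53->199.7.66.1:53
Dropped 09/24-23:34:46.469292 UDP 172.25.50.1:53->192.54.112.30:53
Dropped 09/24-23:34:48.473058 UDP 172.25.50.1:53->192.43.172.30:53
"""

# GID 116 is the snort_decoder generator; these alerts come from packet
# decoding checks, not from a rule in the ruleset.
DECODER_GID = 116

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    # Assumed optional fields for rule alerts; absent on the decoder alerts above.
    r"(?:\[Classification: [^\]]*\] )?(?:\[Priority: \d+\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
DROP_RE = re.compile(
    r"^Dropped (?P<ts>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def _five_tuple(rec):
    return (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


def _parse(text, regex, int_fields):
    """Apply regex per line; unmatched lines are skipped, numeric fields cast."""
    out = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for k in int_fields:
            rec[k] = int(rec[k])
        out.append(rec)
    return out


def parse_alerts(text):
    return _parse(text, ALERT_RE, ("gid", "sid", "rev", "sport", "dport"))


def parse_drops(text):
    return _parse(text, DROP_RE, ("sport", "dport"))


def alert_summary(alerts):
    """Alerts per (gid, sid, msg), so the noisy decoder SIDs stand out."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def decoder_alerts(alerts):
    return [a for a in alerts if a["gid"] == DECODER_GID]


def drop_summary(drops):
    """Drops per (proto, dst port); all (UDP, 53) means DNS is what is blocked."""
    return Counter((d["proto"], d["dport"]) for d in drops)


def unexplained_drops(alerts, drops):
    """Drops whose 5-tuple matches no alert: the decision that dropped them
    was not any alert we have, so look elsewhere (other rules, preprocessors)."""
    seen = {_five_tuple(a) for a in alerts}
    return [d for d in drops if _five_tuple(d) not in seen]


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_FAST)
    drops = parse_drops(DROP_LOG)
    for (gid, sid, msg), n in alert_summary(alerts).most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    print("decoder (GID 116) alerts:", len(decoder_alerts(alerts)))
    print("drops by proto/dport:", dict(drop_summary(drops)))
    for d in unexplained_drops(alerts, drops):
        print("unexplained drop:", d["ts"], d["proto"],
              f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']}")
```

Run against the full logs from the post, every drop comes back unexplained: nothing in the alert_fast output names a UDP/53 flow, so the drop log alone cannot say which rule or preprocessor dropped the DNS traffic. Separately, the GID 116 SID 54/55 alerts are the decoder's TCP option length checks; in Snort 2.x inline the manual documents `config disable_tcpopt_drops` to keep those as alerts without dropping the packets, which is the knob to look at if decoder drops rather than rule drops turn out to be the cause.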
Current thread:
- Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 22)
- Re: Blocking virus with snort inline 2.6.1.5 Will Metcalf (Sep 22)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 23)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 Joel Esler (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 Will Metcalf (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 (more info) carlopmart (Sep 24)
- Re: Blocking virus with snort inline 2.6.1.5 carlopmart (Sep 23)
- Re: Blocking virus with snort inline 2.6.1.5 Will Metcalf (Sep 22)