Snort mailing list archives
issue with 2.8.2
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 04 Jun 2008 12:46:19 +1200
Hi there, I've just upgraded from 2.8.0.1 to 2.8.2 and an existing rule started triggering that isn't meant to. We have some DMZes which aren't meant to make unexpected outbound connections, so we use "pass" rules to ignore/pass traffic that is expected, and then trigger on everything else. Works well - until today.

    pass tcp $DMZES_NETS any -> any 53 (msg:"DMZ host doing DNS zone transfer or large DNS lookup"; sid:3000023; rev:2;)

    alert tcp $DMZES_NETS any -> any 26:79 (msg:"DMZ host attempting outgoing connection to port range 26-79"; flags:S; tag:session,10,packets; classtype:successful-admin; sid:1000007; rev:1; reference:url,/secure/cvename.php?name=1000007;)

The DMZES_NETS contain hosts that do full Internet DNS lookups - which means mostly UDP/DNS with the occasional TCP/DNS query. What we are seeing today (since upgrading to 2.8.2) is alerts on TCP-based DNS lookups. The alerts generated ("DMZ host attempting outgoing connection to port range 26-79") have the SYN set, and are TCP port 53 - as above. And yet the previous 30000023 didn't trigger and pass it...?

This is on CentOS4.6 systems - yes - it's triggering on multiple DMZes and different snort servers.

Is this a bug, or has some logic changed that makes the above rule combo incorrect now? The DNS preprocessor is enabled if that matters...

Thanks!

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
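The post's two rules overlap on TCP port 53 (it sits inside 26:79), so whether the pass rule silences the alert depends entirely on which action is evaluated first. The following added model (not Snort code, and not from the thread) parses the two rule headers and walks constructed packets through both evaluation orders; the network value for $DMZES_NETS and the packets are assumptions, and the model makes no claim about which order Snort 2.8.2 actually uses.

```python
"""Toy model of pass/alert rule-order effects for the two rules in the post.
Assumption: first matching rule wins; Snort's real engine is not replicated."""
import ipaddress

# Rule headers quoted from the post, with only the options that matter here.
RULES = [
    'pass tcp $DMZES_NETS any -> any 53 (sid:3000023;)',
    'alert tcp $DMZES_NETS any -> any 26:79 (flags:S; sid:1000007;)',
]
# Constructed value for the $DMZES_NETS variable (documentation range).
VARS = {'$DMZES_NETS': ipaddress.ip_network('192.0.2.0/24')}

def port_match(spec, port):
    """'any', a single port, or a Snort-style 'lo:hi' range."""
    if spec == 'any':
        return True
    lo, _, hi = spec.partition(':')
    return int(lo) <= port <= int(hi or lo)

def net_match(spec, ip):
    if spec == 'any':
        return True
    return ipaddress.ip_address(ip) in (VARS.get(spec) or ipaddress.ip_network(spec))

def parse(rule):
    head, opts = rule.split('(', 1)
    action, proto, src, sport, _, dst, dport = head.split()
    o = dict(kv.strip().split(':') for kv in opts.rstrip(');').split(';') if kv.strip())
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, opts=o)

def matches(rule, pkt):
    if rule['proto'] != pkt['proto']:
        return False
    if not (net_match(rule['src'], pkt['src']) and net_match(rule['dst'], pkt['dst'])):
        return False
    if not (port_match(rule['sport'], pkt['sport']) and port_match(rule['dport'], pkt['dport'])):
        return False
    want = rule['opts'].get('flags')          # 'flags:S' means exactly SYN
    return want is None or set(want) == set(pkt['flags'])

def evaluate(pkt, order):
    """Return the sid that fires, or None if nothing fires / a pass rule wins.
    order: action names in evaluation order, e.g. ('pass', 'alert')."""
    rules = sorted((parse(r) for r in RULES), key=lambda r: order.index(r['action']))
    for r in rules:
        if matches(r, pkt):
            return None if r['action'] == 'pass' else int(r['opts']['sid'])
    return None

# Constructed packets: a TCP DNS query SYN and a SYN to port 79 from the DMZ.
DNS_SYN = dict(proto='tcp', src='192.0.2.10', sport=40000, dst='198.51.100.5', dport=53, flags='S')
FINGER_SYN = dict(DNS_SYN, sport=40001, dport=79)
```

With ('pass', 'alert') the DNS SYN is silenced by sid 3000023; with ('alert', 'pass') the same packet raises sid 1000007, which is the symptom described in the post.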
Current thread:
- issue with 2.8.2 Jason Haar (Jun 03)
- Re: issue with 2.8.2 Joel Esler (Jun 03)
- Re: issue with 2.8.2 Jason Haar (Jun 03)
- Re: issue with 2.8.2 Joel Esler (Jun 03)
- Re: issue with 2.8.2 Jason Haar (Jun 03)
- <Possible follow-ups>
- Re: issue with 2.8.2 Jason Haar (Jun 04)
- Re: issue with 2.8.2 Jason Haar (Jun 05)
- Message not available
- Re: issue with 2.8.2 Jason Haar (Jun 05)
- Re: issue with 2.8.2 CunningPike (Jun 09)
- Message not available
- Re: issue with 2.8.2 Joel Esler (Jun 03)