Snort mailing list archives
Re: ICMP rule triggered by UDP packet
From: "Kern, Daniel P. x1449" <KernDP () co monterey ca us>
Date: Wed, 6 Feb 2013 07:12:44 -0800
DOH! Stupid me for relying purely on Sguil's packet text only. The packet says "Teredo IPv6 over UDP tunneling". Internet Control Message Protocol v6 is listed too. The packet is attached. I don't know much about IPv6 packets. I guess what is confusing is the basics of why the rule would pop at all if the source IP is in $LEGIT_SRC? Or does ICMPv6 cause Snort to act differently?

Running Snort 2.9.4, Barnyard Version 0.2.0 (Build 32), and Sguil 0.8.0.

Thanks for your insight!

--Dan

-----Original Message-----
From: Castle, Shane [mailto:scastle () bouldercounty org]
Sent: Tuesday, February 05, 2013 2:54 PM
To: Kern, Daniel P. x1449; 'snort-users () lists sourceforge net'
Cc: 193-IDS Admin
Subject: RE: ICMP rule triggered by UDP packet

Hmm - well, I'd first fall back to the complete packet, if possible - this one seems to have the IPv4 and other headers stripped off. You also don't say what version of Snort you are running, or anything about your configuration. Can you supply a complete pcap?

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Kern, Daniel P. x1449 [mailto:KernDP () co monterey ca us]
Sent: Tuesday, February 05, 2013 14:40
To: 'snort-users () lists sourceforge net'
Cc: 193-IDS Admin
Subject: [Snort-users] ICMP rule triggered by UDP packet

Hello everyone,

This one has baffled me for a while, so I thought I'd submit this to the group, as I may be missing something obvious. Here's the rule:

alert icmp !$LEGIT_SRC any -> any any (msg:"LOCAL Illegitimate ICMP traffic"; detection_filter:track by_src, count 1, seconds 60; classtype:unusual-client-port-connection; sid:10002161; rev:2; )

It generally works fine. However, here's one packet that pops below. A UDP packet! 172.25.7.8 is in $LEGIT_SRC and it doesn't make any difference, the rule still pops.

------------------------------------------------------------------------
Count:90 Event#4.273137 2013-02-05 18:29:35
LOCAL Illegitimate ICMP traffic
172.25.7.8 -> 157.56.106.184
IPVer=4 hlen=5 tos=0 dlen=89 ID=41995 flags=0 offset=0 ttl=255 chksum=23670
Protocol: 17 sport=30811 -> dport=3544 len=69 chksum=37658
Payload:
00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00  ....R.X1].]..`..
00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF  ...:............
FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 02 85 00 7D 38 00 00 00 00           .......}8....

Any thoughts? Thanks for any insight!

--Dan
Attachment: packet.pdf (Description: packet.pdf)
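An added example, not part of this thread: the Python below decodes the Sguil payload dump quoted above as a Teredo-encapsulated IPv6 packet (RFC 4380 authentication indication, then the inner IPv6 header and ICMPv6 message), which is the layer a Teredo-aware decoder such as Snort 2.9.x's UDP/3544 decoding exposes to an `icmp` rule. The inner source is the Teredo link-local fe80::ffff:ffff:fffe rather than the outer 172.25.7.8, so a `!$LEGIT_SRC` test applied to that inner layer does not exempt the packet; the bytes are copied from the post, and the field layout is standard Teredo/IPv6, not Snort's own code.

```python
# Added example, not from the thread: decode the Sguil payload dump quoted above
# as a Teredo-encapsulated IPv6 packet (RFC 4380 indications, then an IPv6 header).
import ipaddress
import struct

# The 61 payload bytes exactly as printed in the event (UDP len 69 minus 8-byte header).
PAYLOAD_HEX = (
    "00 01 00 00 52 1C 58 31 5D 86 5D 94 00 60 00 00"
    "00 00 08 3A FF FE 80 00 00 00 00 00 00 00 00 FF"
    "FF FF FF FF FE FF 02 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 02 85 00 7D 38 00 00 00 00"
)
ICMPV6 = 58  # IPv6 next-header value for ICMPv6


def strip_teredo_indications(data: bytes) -> bytes:
    """Skip Teredo authentication (0x0001) and origin (0x0000) indications.

    Authentication: indicator, ID-len, AU-len, client ID, auth value,
    8-byte nonce, 1 confirmation byte.  Origin: 8 bytes in total.
    """
    off = 0
    while len(data) - off >= 4:
        indicator = struct.unpack_from("!H", data, off)[0]
        if indicator == 0x0001:
            id_len, au_len = data[off + 2], data[off + 3]
            off += 4 + id_len + au_len + 8 + 1
        elif indicator == 0x0000:
            off += 8
        else:
            break  # first byte of the IPv6 header (0x6.) is not an indicator
    return data[off:]


def decode_teredo_payload(hexdump: str) -> dict:
    """Return inner IPv6 src/dst and ICMPv6 type/code from a Teredo UDP payload."""
    inner = strip_teredo_indications(bytes.fromhex(hexdump.replace(" ", "")))
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("no IPv6 header after Teredo indications")
    payload_len, next_hdr, hop_limit = struct.unpack_from("!HBB", inner, 4)
    result = {
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": next_hdr, "hop_limit": hop_limit, "payload_len": payload_len,
    }
    if next_hdr == ICMPV6 and len(inner) >= 44:
        # ICMPv6: type, code, checksum, then type-specific body (RFC 4443)
        result["icmpv6_type"], result["icmpv6_code"] = inner[40], inner[41]
    return result
```

Calling decode_teredo_payload(PAYLOAD_HEX) on the quoted dump yields inner_src fe80::ffff:ffff:fffe, inner_dst ff02::2 and icmpv6_type 133 (Router Solicitation), i.e. a Teredo client looking for its server, which is the ICMPv6 message the rule fired on.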