Snort mailing list archives

Re: Anyone else seeing lots of 129 20 this am?


From: "Joel Esler (jesler) via Snort-users" <snort-users () lists snort org>
Date: Sat, 31 Aug 2019 02:49:32 +0000

Maybe it was just added to the preprocessor.rules then? That makes sense.

Sent from my iPhone

On Aug 30, 2019, at 16:30, James Lay via Snort-users <snort-users () lists snort org> wrote:


So judging by the lack of sid 20 in my gen-msg.map:
 
<2019-08-30 14_18_14-ids.png>
 
I'm betting this is a new-ish stream5 rule?  I don't have 120:18 either...thanks Joel.
 
James 
 
On 2019-08-30 13:55, Joel Esler (jesler) via Snort-users wrote:
We don't make changes to preprocessors in a rule update. It's
possible that this alert may not have been included in the past and we
just introduced it. That's a possibility. But we didn't change
any code with this release.

Sent from my iPhone

On Aug 30, 2019, at 15:42, Daniel Rieille <dan.rieille () gmail com>
wrote:



That's what we did.
We got more than 250k of them today. Sguil server died. We had to
delete those 250k alerts before being able to restart it
successfully...

On Fri, 30 Aug 2019 at 21:32, Joel Esler (jesler) via Snort-users
<snort-users () lists snort org> wrote:

As you all know, however, that is a preprocessor alert.  It may be
as simple as shutting that preprocessor rule off?

On 8/30/19, 2:17 PM, "Snort-users on behalf of Michael Steele"
<snort-users-bounces () lists snort org on behalf of
michaels () winsnort com> wrote:

I noticed that too on the last Snort update. Getting a LOT
more alerts. I also updated the rules at the same time and never
went back to the old rules to see if that was where the change
came in?

WINSNORT.com Management Team Member
--
********************************************************
*     Since 2002 ~~ Visit http://www.winsnort.com
*      ~~ FREE Windows installation Tutorials ~~
*              ~~ FREE Support Forums ~~
* Snort: Open Source Network IDS - http://www.snort.org
********************************************************

-----Original Message-----
From: Snort-users <snort-users-bounces () lists snort org> On
Behalf Of James Lay via Snort-users
Sent: Friday, August 30, 2019 11:26 AM
To: Joel Esler (jesler) <jesler () cisco com>
Cc: Snort <snort-users () lists snort org>
Subject: Re: [Snort-users] Anyone else seeing lots of 129 20
this am?

Something as in snort ;)  Same traffic, a LOT more alerts
right after updates.

On 2019-08-30 09:23, Joel Esler (jesler) wrote:
When you say "something changed", do you mean "Snort" changed, or
"attacker behavior" may be changing?

On Aug 30, 2019, at 8:13 AM, James Lay via Snort-users
<snort-users () lists snort org> wrote:

Yea something changed....I run ssh on a non-standard port and now I'm seeing:

[120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request

after updating rules this AM:

Aug 30 01:10:22 snort[31692]: Decoding Ethernet
Aug 30 01:17:53 snort[31692]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request

that http_inspect hit rule is the first time I've seen that in my logs....ever 😉

James

On Fri, 2019-08-30 at 06:05 -0600, James Lay via Snort-users wrote:

Seeing massive amounts of [129:20:1] TCP session without 3-way handshake this morning....seems to be firing off on RST packets.

James

<Screenshot from 2019-08-30 06-05-03.png>

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

To unsubscribe, send an email to:
snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette







