From: Chris Green (cmg@sourcefire.com)
Date: Tue Jun 04 2002 - 09:29:40 CDT

    Jesus Couto <jesus.couto@satec.es> writes:

    > Hi,
    >
    > This is the setup: A RH 7.2 machine running snort 1.8.6, 2 interfaces,
    > the one we are listening to eth1 connected to a hub with another 2
    > machines, 192.168.100.1 (the "attacker") and 192.168.100.3 (the
    > "victim").
    >
    > Problem: Launching some simple portscanning attacks like
    >
    > nmap -sT -p 1-40000 -r 192.168.100.3
    >
    > from the attacker machine gets reported as "MISC source route lssr" by
    > snort in IDS mode, and after reporting the first 3000-4000 events,
    > snort hangs completely.

    Hrm odd. Using 1.8.7-current

    06/04-10:26:16.307146 [**] [1:469:1] ICMP PING NMAP [**]
    [Classification: Attempted Information Leak] [Priority: 2] {ICMP}
    10.1.1.52 -> 10.1.1.72

    06/04-10:26:16.627530 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 10.1.1.52 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
    06/04-10:26:16.712279 [**] [1:615:3] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.52:57906 -> 10.1.1.72:1080
    06/04-10:26:17.409593 [**] [1:620:2] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.52:64906 -> 10.1.1.72:8080
    06/04-10:26:18.567241 [**] [1:249:1] DDOS mstream client to handler [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.1.1.52:55573 -> 10.1.1.72:15104
    06/04-10:26:20.158005 [**] [100:2:1] spp_portscan: portscan status from 10.1.1.52: 4808 connections across 1 hosts: TCP(4808), UDP(0) [**]
    >
    > Not only the packets don't have the lssr option anywhere, as checked by
    > using Ethereal, but snort in sniffer mode also shows them to be
    > without options, and the logging of the packets by snort at the ACID
    > console shows the packet having a few other options (TS) but nothing
    > about source routing.
    >
    > Any ideas? If more info is needed to debug it just tell me what you
    > need.

    Send me a pcap of this scan happening if you would please if snort
    hangs up again. .... Mostly ok here...

    -- 
    Chris Green <cmg@sourcefire.com>
    To err is human, to moo bovine.
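Added example, written for this archive page rather than taken from either poster: a small Python check that decodes the IPv4 options of a raw packet so a "MISC source route lssr" alert can be compared against what the packet really carries. The two packets are constructed samples, one with the timestamp (TS) option the ACID console reported and one with a genuine LSRR option; the addresses are the ones from the thread.

```python
# Decode IPv4 options from a raw IP header so a source-route alert can be
# verified against the wire. Sample packets below are constructed, not captured.
import struct

# Option numbers from RFC 791 (low 5 bits of the option type byte).
OPTION_NAMES = {0: "EOL", 1: "NOP", 3: "LSRR", 4: "TS", 7: "RR", 9: "SSRR"}
SOURCE_ROUTE = {"LSRR", "SSRR"}


def ipv4_options(packet: bytes) -> list:
    """Return the option names carried in an IPv4 header (possibly empty)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4       # header length in bytes, 20..60
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a valid IPv4 header")
    opts = packet[20:ihl]
    names, i = [], 0
    while i < len(opts):
        number = opts[i] & 0x1F        # strip the copied flag and class bits
        names.append(OPTION_NAMES.get(number, "opt-%d" % number))
        if number == 0:                # EOL terminates the option list
            break
        if number == 1:                # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length at offset %d" % i)
        i += opts[i + 1]
    return names


def has_source_route(packet: bytes) -> bool:
    """True only if the header really carries an LSRR or SSRR option."""
    return bool(SOURCE_ROUTE.intersection(ipv4_options(packet)))


def _header(options: bytes) -> bytes:
    """Build a minimal IPv4/TCP header (constructed sample) with the given options."""
    ihl = 5 + len(options) // 4
    base = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       bytes([192, 168, 100, 1]), bytes([192, 168, 100, 3]))
    return base + options


# Timestamp option as ACID showed: type 68, length 12, pointer 5, no entries yet.
TS_PACKET = _header(bytes([0x44, 12, 5, 0]) + bytes(8))
# LSRR option: type 131, length 11, pointer 4, two hops, then one EOL pad byte.
LSRR_PACKET = _header(bytes([0x83, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2, 0]))
```

Run the check over the packets of a capture like the one requested above; a packet that triggers the lssr rule but returns False from has_source_route() confirms the false positive.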
    
