[Snort-users] Curious "Tagged Packet" alerts in ACID (Snort forums, System Security and Security Related category)
I am getting a rather high (top 5) number of alerts showing up in ACID
displaying as simply "Tagged Packet" and having an sid=1, e.g.:

> [snort] Tagged Packet   unclassified   7118 (24%)   1   2   2   2004-12-31 18:02:59   2004-12-31 19:27:17

The URL given for reference is simply:

http://www.snort.org/snort-db/sid.html?sid=1

Here is a sample whole formatted alert:

> Generated by ACID v0.9.6b23 on Fri, 31 Dec 2004 20:34:30 -0500
>
> ------------------------------------------------------------------------------
> #(1 - 805067) [2004-12-31 18:47:28] [snort/1] Tagged Packet
> IPv4: 64.12.165.56 -> 172.17.128.101
>       hlen=5 TOS=0 dlen=152 ID=47551 flags=0 offset=0 TTL=51 chksum=31717
> TCP:  port=7012 -> dport: 4618  flags=***AP*** seq=1474874013
>       ack=1336104986 off=5 res=0 win=5840 urp=0 chksum=2798
> Payload:  length = 112
>
> 000 : 3A 4C 6F 75 69 73 61 21 4C 6F 75 69 73 61 40 43   :Louisa!Louisa@C
> 010 : 42 35 45 36 43 30 30 2E 38 33 42 30 31 38 37 31   B5E6C00.83B01871
> 020 : 2E 42 36 44 45 36 36 34 39 2E 49 50 20 50 52 49   .B6DE6649.IP PRI
> 030 : 56 4D 53 47 20 23 65 6E 67 6C 69 73 68 20 3A 6E   VMSG #english :n
> 040 : 6F 62 6F 64 79 20 77 69 6C 6C 20 67 6F 20 6F 75   obody will go ou
> 050 : 74 20 74 6F 20 63 65 6C 65 62 72 61 74 65 20 74   t to celebrate t
> 060 : 68 65 20 6E 65 77 20 79 65 61 72 3F 3F 0D 0A 00   he new year??...

Where is this coming from? I can't find a rule, only a mapping:

> [root@aardvark snort]# grep Tagged ./*
> ./gen-msg.map:2 || 1 || tag: Tagged Packet

This is snort 2.2.0 Build 30 with freshly oinkmaster'ed rulesets from:
www.snort.org/dl/rules/snortrules-stable.tar.gz and
www.bleedingsnort.com/bleeding.rules.tar.gz

These seemed to start about the time I added the bleedingsnort rules, but
this may just be a coincidence.

Jeff
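Editor's note on the mapping quoted above: generator 2 / id 1 ("tag: Tagged Packet" in gen-msg.map) is Snort's tag subsystem, not a rule. A packet is logged under it when an earlier rule carrying a `tag:` option (`tag:session,...` or `tag:host,...`) fired on the same session or host; the following packets of that session or host are then logged as "Tagged Packet" until the tag's count or time limit runs out. So the thing to search the freshly installed rulesets for is rules containing `tag:`. The script below is an added example, not code from the post or from the Snort project: it parses a gen-msg.map excerpt (only the `2 || 1 || tag: Tagged Packet` line comes from the post; the rest is constructed) and a set of constructed rules in Snort 2.x syntax with local sids (not rules from snortrules-stable or bleeding.rules), and lists every active rule that can produce tagged packets, joining backslash-continued lines and skipping commented-out rules. Against a real install you would feed it the contents of gen-msg.map and the `*.rules` files from the Snort config directory instead of the embedded samples.

```python
"""Locate the Snort rule(s) that cause "Tagged Packet" (generator 2, id 1) events.

Added example, not code from the original post or from the Snort project.
Everything below runs offline on constructed sample text: GEN_MSG_MAP repeats
the "2 || 1 || tag: Tagged Packet" line quoted in the post (the other lines are
constructed), and RULES holds made-up rules in Snort 2.x syntax with local
sids >= 1000000, not rules from any shipped ruleset.
"""
import re
from typing import Dict, List, Tuple

# Constructed gen-msg.map excerpt in the "generator || id || message" layout.
GEN_MSG_MAP = """\
# generator || id || message
1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
"""

# Constructed rules. Only active rules carrying a "tag:" option can produce
# gen 2 / id 1 events; the commented-out rule must be ignored, and backslash
# continuations must be joined before parsing.
RULES = r"""
# constructed example rules, not from snortrules-stable or bleeding.rules
alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"EXAMPLE IRC PRIVMSG seen"; \
    flow:established; content:"PRIVMSG"; tag:session,300,seconds; \
    classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH banner, no tag"; \
    content:"SSH-"; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled"; tag:host,100,packets,src; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE tag by host"; \
    content:"NICK "; tag:host,50,packets,dst; sid:1000004; rev:1;)
"""

# One rule option: name, then either a quoted string (msg, content) or
# anything up to the next ';' (e.g. tag:session,300,seconds).
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Map (generator, id) -> message from gen-msg.map content."""
    table: Dict[Tuple[int, int], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def describe_event(gen: int, sid: int, table: Dict[Tuple[int, int], str]) -> str:
    """Message for a generator/id pair (ACID's '[snort/1]' shows only the id)."""
    return table.get((gen, sid), f"unknown generator {gen} id {sid}")


def _join_continuations(text: str) -> List[str]:
    """Join backslash-continued rule lines into one logical line each."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def find_tag_rules(rules_text: str) -> List[Dict[str, str]]:
    """Return sid/msg/tag for every active rule that carries a tag: option."""
    found: List[Dict[str, str]] = []
    for logical in _join_continuations(rules_text):
        line = logical.strip()
        if not line or line.startswith("#"):
            continue
        body = re.search(r"\((.*)\)\s*$", line)  # option section in parentheses
        if not body:
            continue
        opts: Dict[str, str] = {}
        for key, val in OPTION_RE.findall(body.group(1)):
            opts.setdefault(key, val.strip().strip('"'))
        if "tag" in opts:
            found.append({"sid": opts.get("sid", "?"),
                          "msg": opts.get("msg", ""),
                          "tag": opts["tag"]})
    return found


if __name__ == "__main__":
    gmap = parse_gen_msg_map(GEN_MSG_MAP)
    print("gen 2 / id 1 =", describe_event(2, 1, gmap))
    for r in find_tag_rules(RULES):
        print(f"sid {r['sid']}: {r['msg']!r} tags with '{r['tag']}'")
```

The quick equivalent on a live box is `grep -n 'tag:' *.rules` in the rules directory; the tagged packets are the continuation of whatever session or host the matching rule fired on, so the originating rule's own alert should appear in ACID shortly before the first "Tagged Packet" of each run.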