RE: [Snort-users] frag3 alerts

This is a discussion on RE: [Snort-users] frag3 alerts within the Snort forums, part of the System Security and Security Related category.
This is my entire frag3 config:

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux bind_to [65.241.66.7,65.241.66.8,65.241.66.9,65.241.66.12,65.241.66.13,65.241.66.70]
preprocessor frag3_engine: policy windows bind_to [65.241.66.15,65.241.66.16,65.241.66.25]
preprocessor frag3_engine: policy first detect_anomalies

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone: (270)527-3293
Fax: (270)527-3132

> -----Original Message-----
> From: Joel Esler [mailto:joel.esler@sourcefire.com]
> Sent: Monday, May 22, 2006 1:38 PM
> To: Drew Burchett
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] frag3 alerts
>
> How do you have the rest of the frag3 entries set? Or is that the only
> entry you have?
>
> Joel
>
> Drew Burchett wrote:
> > Well, I'm pretty sure I've got that set right. The host is running Suse
> > Linux 10.0 and I've got the configuration set to:
> >
> > preprocessor frag3_engine: policy linux bind_to 65.241.66.12
> >
> > That seemed to be how I should have it set according to the chart in
> > README.frag3.
> >
> > Drew Burchett
> >
> >> -----Original Message-----
> >> From: Joel Esler [mailto:joel.esler@sourcefire.com]
> >> Sent: Monday, May 22, 2006 1:31 PM
> >> To: Drew Burchett
> >> Cc: snort-users@lists.sourceforge.net; rmkml
> >> Subject: Re: [Snort-users] frag3 alerts
> >>
> >> Of course. Frag3 is target-based (tuned to the OS) of your machine.
> >> Therefore you need to create an entry in your snort.conf specifically
> >> tuned to the OS of your DNS server (and any other host on your
> >> network). If you need further help, feel free to email the list or me
> >> personally; however, please review the examples in the snort.conf under
> >> the frag3 heading.
> >>
> >> Joel Esler
> >>
> >> Drew Burchett wrote:
> >>> From examining the packet capture, I've determined that the
> >>> "offending" traffic is an NXDomain response from a valid root server.
> >>> It's being caused by doing reverse lookups on spam email.
> >>>
> >>> However, the question remains, is there any way I can fine tune the
> >>> frag3 preprocessor to avoid these false positives?
> >>>
> >>> Drew Burchett
> >>>
> >>> From: snort-users-admin@lists.sourceforge.net
> >>> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Drew
> >>> Burchett
> >>> Sent: Monday, May 22, 2006 11:18 AM
> >>> To: snort-users@lists.sourceforge.net
> >>> Subject: [Snort-users] frag3 alerts
> >>>
> >>> I am seeing a lot of frag3 Fragmentation overlap alerts with my DNS
> >>> server as the destination and a source address that reverses to a root
> >>> server. When examining the packets, the traffic seems to be valid DNS
> >>> traffic, although it has nothing to do with any domains that I host. Is
> >>> this some sort of attack, or is it valid traffic that is throwing false
> >>> positives? If it is a false positive, is there any way I can fine-tune
> >>> the frag3 preprocessor to avoid these?
> >>>
> >>> Drew Burchett

--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
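An added example, not code from the thread and not Snort's own code, that does the two checks an operator wants after reading a config like the one above: it parses the `frag3_engine` lines from a snort.conf excerpt (constructed here, using the same addresses as the thread), reports which engine and therefore which reassembly policy a given host falls under, flags any address bound in more than one engine, and then shows why the policy matters by reassembling one constructed pair of overlapping fragments under the `first` and `last` policies. The rule that the first matching bound engine wins and unmatched hosts fall to the unbound default engine is assumed; the OS-specific policies (`bsd`, `linux`, `windows`, ...) have their own tie-break rules and are deliberately not modelled.

```python
"""Added example: frag3 engine lookup plus a first/last overlap demonstration.
Not from the thread or from Snort; constructed config and fragments below."""
import ipaddress
import re

# Constructed snort.conf excerpt modelled on the thread's config (same IPs).
SAMPLE_CONF = """
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux bind_to [65.241.66.7,65.241.66.8,65.241.66.12,65.241.66.70]
preprocessor frag3_engine: policy windows bind_to [65.241.66.15,65.241.66.16,65.241.66.25]
preprocessor frag3_engine: policy first detect_anomalies
"""

ENGINE_RE = re.compile(r"^\s*preprocessor\s+frag3_engine:\s*(.*)$")
POLICY_RE = re.compile(r"\bpolicy\s+([\w-]+)")
BIND_RE = re.compile(r"\bbind_to\s+(\[[^\]]*\]|\S+)")


def parse_engines(conf_text):
    """One dict per frag3_engine line, in file order. An engine without
    bind_to is the default engine for every host no bound engine matches."""
    engines = []
    for line in conf_text.splitlines():
        m = ENGINE_RE.match(line)
        if not m:
            continue
        body = m.group(1)
        pm = POLICY_RE.search(body)
        bm = BIND_RE.search(body)
        nets = None
        if bm:
            nets = [ipaddress.ip_network(s.strip(), strict=False)
                    for s in bm.group(1).strip("[]").split(",") if s.strip()]
        engines.append({
            "policy": pm.group(1) if pm else "bsd",  # bsd is frag3's documented default
            "bind_to": nets,
            "detect_anomalies": "detect_anomalies" in body,
        })
    return engines


def engine_for(engines, host):
    """Engine that handles fragments for `host`. Assumption: the first bound
    engine whose bind_to matches wins; otherwise the unbound default engine."""
    addr = ipaddress.ip_address(host)
    for eng in engines:
        if eng["bind_to"] and any(addr in net for net in eng["bind_to"]):
            return eng
    for eng in engines:
        if eng["bind_to"] is None:
            return eng
    return None


def double_bound(engines):
    """Networks bound in more than one engine (or twice in one). Only one
    binding can win, so the other is dead config and usually a mistake."""
    bound = [(net, e["policy"]) for e in engines if e["bind_to"] for net in e["bind_to"]]
    clashes = []
    for i, (n1, p1) in enumerate(bound):
        for n2, p2 in bound[i + 1:]:
            if n1.overlaps(n2):
                clashes.append((str(n1), p1, str(n2), p2))
    return clashes


# Constructed fragments as (byte offset, payload); the second overlaps the
# first from offset 4 onward with different bytes.
FRAGS = [(0, b"GET /index"), (4, b"/admin.html")]


def has_overlap(fragments):
    """True if any byte position is covered by more than one fragment. This
    is the condition behind a frag3 overlap alert, whatever the policy."""
    covered = set()
    for off, data in fragments:
        span = set(range(off, off + len(data)))
        if covered & span:
            return True
        covered |= span
    return False


def reassemble(fragments, policy):
    """'first': earliest fragment's bytes win on overlap; 'last': latest wins.
    OS-specific frag3 policies are not modelled here."""
    if policy not in ("first", "last"):
        raise NotImplementedError(f"policy {policy!r} not modelled")
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    seen = [False] * total
    for off, data in fragments:
        for i, byte in enumerate(data):  # iterating bytes yields ints
            pos = off + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
            seen[pos] = True
    return bytes(buf)


if __name__ == "__main__":
    engines = parse_engines(SAMPLE_CONF)
    for host in ("65.241.66.12", "65.241.66.15", "65.241.66.99"):
        print(host, "->", engine_for(engines, host)["policy"])
    print("double-bound:", double_bound(engines))
    print("overlap present:", has_overlap(FRAGS))
    for pol in ("first", "last"):
        print(pol, reassemble(FRAGS, pol))
```

The point of the last two functions is the one Joel makes in the thread: the overlap alert fires because the fragments disagree, and which payload the target actually sees depends on its OS, so frag3 can only judge the stream correctly when the engine bound to that host uses the right policy. Hosts that fall through to the default engine (here `first`) are the ones to check first when an alert looks like a false positive.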