
Re: [Snort-users] Blocking virus with snort inline 2.6.1.5 (more info)

Subject: Re: [Snort-users] Blocking virus with snort inline 2.6.1.5 (more info)
Date: Mon, 24 Sep 2007 23:45:18 +0200
I don't know if these alerts are the problem that is stopping virus blocking from 
working:

Alert fast:

09/24-23:35:36.552845  [**] [116:54:1] (snort_decoder): Tcp Options found with bad lengths [**] {TCP} 172.25.50.14:45593 -> 199.107.65.177:80
09/24-23:35:37.112159  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:60411 -> 199.107.65.177:80
09/24-23:35:37.124876  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34559 -> 199.107.65.177:80
09/24-23:35:37.125065  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:54752 -> 199.107.65.177:80
09/24-23:35:37.136889  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:44043 -> 199.107.65.177:80
09/24-23:35:37.660954  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:50164 -> 199.107.65.177:80
09/24-23:35:37.661335  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:45792 -> 199.107.65.177:80
09/24-23:35:37.661419  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34748 -> 199.107.65.177:80
09/24-23:35:38.016954  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:41005 -> 199.107.65.177:80
09/24-23:35:38.043750  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:53810 -> 199.107.65.177:80
09/24-23:35:38.064012  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:34920 -> 199.107.65.177:80
09/24-23:35:38.236928  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:42299 -> 199.107.65.177:80
09/24-23:35:38.380886  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:56311 -> 199.107.65.177:80
09/24-23:35:38.413736  [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] {TCP} 172.25.50.14:57794 -> 199.107.65.177:80

And an example of alert full:

[**] [116:55:1] (snort_decoder): Truncated Tcp Options [**]
09/24-23:35:38.413736 172.25.50.14:57794 -> 199.107.65.177:80
TCP TTL:64 TOS:0x0 ID:35866 IpLen:20 DgmLen:60 DF
******S* Seq: 0x654BB2F  Ack: 0x0  Win: 0x16D0  TcpLen: 40

And sticky log:

Dropped 09/24-23:34:44.812049  UDP 192.55.83.30:53->172.25.50.1:53
Dropped 09/24-23:34:46.468960  UDP 172.25.50.1:53->199.7.66.1:53
Dropped 09/24-23:34:46.469292  UDP 172.25.50.1:53->192.54.112.30:53
Dropped 09/24-23:34:48.473058  UDP 172.25.50.1:53->192.43.172.30:53
Dropped 09/24-23:34:50.473168  UDP 172.25.50.1:53->198.133.199.11:53
Dropped 09/24-23:34:54.477573  UDP 172.25.50.1:53->192.100.59.11:53
Dropped 09/24-23:34:56.481514  UDP 172.25.50.1:53->204.74.112.1:53
Dropped 09/24-23:35:01.485849  UDP 172.25.50.1:53->199.7.67.1:53
Dropped 09/24-23:35:02.458473  UDP 172.25.50.1:53->192.100.59.11:53
Dropped 09/24-23:35:04.462060  UDP 172.25.50.1:53->204.74.112.1:53
Dropped 09/24-23:35:09.466323  UDP 172.25.50.1:53->199.7.67.1:53

It blocks all DNS queries .... I don't understand anything ... Please, can 
somebody help me?? I need to put this IDS in a production environment in 
a week and I need to do more and more tests ....

Thanks ....


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
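The decoder alerts quoted above (gid 116, sids 54 and 55) are raised by Snort's TCP option decoder, not by any signature: 54 means an option carried an impossible length field and 55 means an option claims more bytes than the header has left. The posted "alert full" record shows TcpLen: 40 on a SYN, i.e. 20 bytes of options, which is exactly the size of the usual MSS / SACK-permitted / timestamp / NOP / window-scale set a Linux host sends. The block below is an added example, not code from the original post or from Snort itself: it re-implements those two sanity checks from the RFC 793 option format (kind 0 and 1 are one byte, everything else is kind, length, data) and runs them over a constructed 20-byte option block plus deliberately broken variants. The fixed-length table and the packet contents are my assumptions; the poster's actual option bytes are not on the page, and this says nothing about why the inline sensor is dropping DNS.

```python
"""Added example: the two TCP-option sanity checks behind the snort_decoder
alerts 116:54 ("Tcp Options found with bad lengths") and 116:55 ("Truncated
Tcp Options"), re-implemented from the RFC 793 option layout and run over
constructed option blocks.  This is not Snort's own decoder source."""

import struct
from typing import Optional

TCP_HDR_MIN = 20
OPT_EOL, OPT_NOP = 0, 1

# Lengths the decoder expects for the common fixed-size kinds.
# Assumption: this table is mine, built from the RFCs, not copied from Snort.
FIXED_LEN = {2: 4,    # MSS
             3: 3,    # window scale
             4: 2,    # SACK permitted
             8: 10}   # timestamps


def check_tcp_options(opts: bytes) -> Optional[str]:
    """Return None if the option block is well formed, otherwise the text of
    the decoder alert this block would raise."""
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == OPT_EOL:
            return None                     # end of list; rest is padding
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            return "Truncated Tcp Options"  # kind byte with no length byte
        length = opts[i + 1]
        if length < 2:
            return "Tcp Options found with bad lengths"   # would never advance
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            return "Tcp Options found with bad lengths"
        if i + length > n:
            return "Truncated Tcp Options"  # option runs past the header end
        i += length
    return None


def options_len_from_tcplen(tcplen: int) -> int:
    """Option bytes carried by a TCP header of tcplen bytes (the TcpLen field
    printed in Snort's 'alert full' output, 40 in the poster's record)."""
    if tcplen < TCP_HDR_MIN or tcplen > 60 or tcplen % 4:
        raise ValueError("impossible TCP header length %d" % tcplen)
    return tcplen - TCP_HDR_MIN


def linux_syn_options(mss=1460, wscale=7, ts_val=1, ts_ecr=0) -> bytes:
    """Constructed sample input: the 20-byte option block a Linux SYN usually
    carries (MSS, SACK-permitted, timestamps, NOP, window scale)."""
    return (struct.pack("!BBH", 2, 4, mss)
            + struct.pack("!BB", 4, 2)
            + struct.pack("!BBII", 8, 10, ts_val, ts_ecr)
            + bytes([OPT_NOP])
            + struct.pack("!BBB", 3, 3, wscale))


def demo() -> dict:
    """Run the checks over a good block and three broken variants."""
    good = linux_syn_options()
    results = {
        "well-formed": check_tcp_options(good),
        # header cut short in the middle of the timestamp option -> 116:55
        "truncated": check_tcp_options(good[:10]),
        # MSS option claiming length 3 instead of 4 -> 116:54
        "bad-length": check_tcp_options(bytes([2, 3, 5]) + good[3:]),
        # a zero length byte would loop forever if not rejected -> 116:54
        "zero-length": check_tcp_options(bytes([2, 0, 5, 180])),
    }
    for name, verdict in results.items():
        print("%-12s %s" % (name, verdict or "ok"))
    return results


if __name__ == "__main__":
    print("option bytes in the posted SYN:", options_len_from_tcplen(40))
    demo()
```

A well-formed block of the size the poster's SYN carries passes cleanly, so if real traffic keeps tripping 116:55 on every SYN from one host, the bytes Snort sees are not the bytes the stack sent (or the header length field does not match what was captured); checking the same packets with a packet capture on the sensor interface is the quickest way to tell which.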

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
