[Emerging-Sigs] very curious FP 2001984
Thierry CHICH
thierry.chich at ac-clermont.fr
Thu Jul 10 10:49:20 EDT 2008
This is the alert I am complaining about:
alert tcp any any <> any !$SSH_PORTS (msg:"ET POLICY SSH session in progress on Unusual Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; classtype:misc-activity; sid: 2001984; rev:5;)
You can see that SSH_PORTS is correctly defined:
$ grep SSH_PORTS /etc/snort/snort.conf
var SSH_PORTS 22
But I have a lot of alerts like this one:
[**] [1:2001984:5] ET POLICY SSH session in progress on Unusual Port [**]
[Classification: Misc activity] [Priority: 3]
07/10-16:43:50.537601 y.y.y.y:22 -> x.x.x.x:54725
TCP TTL:64 TOS:0x0 ID:20725 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x989BB067 Ack: 0x19E442AC Win: 0x7D4 TcpLen: 20
Doesn't make sense to me.
--
Thierry CHICH
Equipe Réseaux / Rectorat de Clermont-Ferrand
Tel: +33 4 73 99 30 54
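
Added example (not part of the original post, and not Emerging Threats code): a small Python model of how Snort evaluates the port fields of this rule's header with the bidirectional <> operator, applied to the packet from the alert above. It models the header only (no flowbits or threshold); the function names, the extra packets and the stricter both_ports_unusual check are assumptions made for illustration.

```python
# Model of the port/direction part of a Snort rule header.
SSH_PORTS = {22}  # from the post: var SSH_PORTS 22


def any_port(port):
    """Port field 'any'."""
    return True


def not_ssh(port):
    """Port field '!$SSH_PORTS'."""
    return port not in SSH_PORTS


def header_matches(src_port, dst_port, left, right, bidirectional):
    """left/right are the port tests on each side of the direction operator."""
    forward = left(src_port) and right(dst_port)
    if not bidirectional:
        return forward
    # '<>' also accepts the packet with the two sides of the header swapped.
    reverse = right(src_port) and left(dst_port)
    return forward or reverse


def rule_2001984(src_port, dst_port):
    """Header of the posted rule: alert tcp any any <> any !$SSH_PORTS"""
    return header_matches(src_port, dst_port, any_port, not_ssh, True)


def both_ports_unusual(src_port, dst_port):
    """Hypothetical stricter test: neither end of the session is an SSH port.
    In rule syntax this would be '!$SSH_PORTS' on both sides of '<>'."""
    return header_matches(src_port, dst_port, not_ssh, not_ssh, True)


PACKETS = {
    "server_reply": (22, 54725),      # ports taken from the alert in the post
    "client_to_server": (54725, 22),  # constructed: other half of that session
    "ssh_on_2222": (40000, 2222),     # constructed: SSH on a non-standard port
}


def evaluate():
    """Return {name: (posted header matches, stricter test matches)}."""
    return {name: (rule_2001984(*p), both_ports_unusual(*p))
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

With "any" on one side of <>, the header is satisfied whenever either port is outside $SSH_PORTS, which is true of the client's ephemeral port in every session to port 22.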