[Emerging-Sigs] very curious FP 2001984
Jack Pepper
pepperjack at afferentsecurity.com
Thu Jul 10 10:58:10 EDT 2008
We either need to add a "flow" direction or change the ports field
from "any" to "!$SSH_PORTS"
jp
Quoting Thierry CHICH <thierry.chich at ac-clermont.fr>:
> This is the alert I am complaining about:
>
> alert tcp any any <> any !$SSH_PORTS (msg:"ET POLICY SSH session in progress
> on Unusual Port"; flowbits: isset,is_proto_ssh; threshold: type both, track
> by_src, count 2, seconds 300; classtype:misc-activity; sid: 2001984; rev:5;)
>
> You can see that SSH_PORTS is correctly defined:
> $ grep SSH_PORTS /etc/snort/snort.conf
> var SSH_PORTS 22
>
>
> But I have a lot of alerts like this one :
>
> [**] [1:2001984:5] ET POLICY SSH session in progress on Unusual Port [**]
> [Classification: Misc activity] [Priority: 3]
> 07/10-16:43:50.537601 y.y.y.y:22 -> x.x.x.x:54725
> TCP TTL:64 TOS:0x0 ID:20725 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x989BB067 Ack: 0x19E442AC Win: 0x7D4 TcpLen: 20
>
> Doesn't make sense to me.
>
>
> --
> Thierry CHICH
> Equipe Réseaux / Rectorat de Clermont-Ferrand
> Tel: +33 4 73 99 30 54
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
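To make the reason for the false positive concrete, the following is a small model of how a Snort rule header's port fields and direction operator are evaluated, run against the packet from the alert above. It is an added example written for this archive page, not code from the post, from Snort, or from the Emerging Threats ruleset. It models only the header (source/destination port specs, `->` versus `<>`) plus a simplified `flow:to_server`; it ignores the rule's `flowbits` and `threshold` options, and the packets and rule variants are constructed here to show the three cases: the rule as posted, the source port field changed from `any` to `!$SSH_PORTS`, and a one-directional rule with a flow direction.

```python
"""Model of Snort rule-header matching for sid 2001984 (added example, not Snort code).

With the bidirectional operator '<>' a packet matches if EITHER
(src matches left spec AND dst matches right spec)
OR (dst matches left spec AND src matches right spec).
With 'any' on the left, a reply from port 22 to an ephemeral port
satisfies the first clause, so every ordinary SSH session on port 22 fires the rule.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Mirrors "var SSH_PORTS 22" from the poster's snort.conf.
SSH_PORTS = {22}


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    to_server: bool  # True when the packet goes from session initiator to responder


def port_matches(spec: str, port: int) -> bool:
    """Port spec forms modelled here (assumption): 'any', '$SSH_PORTS', a number, or '!' + either."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    ports = SSH_PORTS if name == "$SSH_PORTS" else {int(name)}
    hit = port in ports
    return (not hit) if negate else hit


@dataclass(frozen=True)
class Rule:
    src_spec: str
    direction: str            # "->" or "<>"
    dst_spec: str
    flow: Optional[str] = None  # None or "to_server" (simplified flow option)

    def matches(self, pkt: Packet) -> bool:
        if self.flow == "to_server" and not pkt.to_server:
            return False
        forward = (port_matches(self.src_spec, pkt.src_port)
                   and port_matches(self.dst_spec, pkt.dst_port))
        if self.direction == "->":
            return forward
        # '<>': also accept the packet with the two header sides swapped.
        reverse = (port_matches(self.src_spec, pkt.dst_port)
                   and port_matches(self.dst_spec, pkt.src_port))
        return forward or reverse


# Constructed packets. SERVER_REPLY is the one from the posted alert (y:22 -> x:54725).
PACKETS = {
    "server_reply_port22": Packet(22, 54725, to_server=False),
    "client_request_port22": Packet(54725, 22, to_server=True),
    "client_request_port2222": Packet(40000, 2222, to_server=True),  # SSH on an unusual port
    "server_reply_port2222": Packet(2222, 40000, to_server=False),
}

# Header of the rule as posted.
ORIGINAL = Rule("any", "<>", "!$SSH_PORTS")
# Option 1 from the reply: source port field changed from 'any' to '!$SSH_PORTS'.
FIXED_PORTS = Rule("!$SSH_PORTS", "<>", "!$SSH_PORTS")
# Option 2 from the reply: one direction plus a flow direction.
FIXED_FLOW = Rule("any", "->", "!$SSH_PORTS", flow="to_server")


def evaluate(rule: Rule) -> Dict[str, bool]:
    """Return which constructed packets the given rule header would fire on."""
    return {name: rule.matches(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL), ("fixed_ports", FIXED_PORTS), ("fixed_flow", FIXED_FLOW)):
        print(label, evaluate(rule))
```

Running it shows the original header firing on both halves of a plain port-22 session, which is exactly the alert Thierry posted; either rewrite keeps the alert for SSH on port 2222 while staying quiet on port 22. The `flow` variant additionally drops the server's reply packets, so it alerts once per direction less than the `<>` form; which one is preferable depends on whether the rule's `threshold` is meant to count both directions.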