[Oisf-users] Strange results when standalone hosts are monitored
carlopmart
carlopmart at gmail.com
Tue Apr 12 12:28:25 EDT 2011
Hi all,
I have a strange issue when I try to define the HOME_NET variable to monitor only four hosts with suricata.
Suricata is configured to sniff on a bridge interface that intercepts all traffic destined for these four hosts.
My test consists of launching a scan with the nmap command (nmap -n -sV 172.25.50.10).
a) First test: $HOME_NET defined as "any" and EXTERNAL_NET defined as "any". Result: several alerts are fired like these:
04/12-11:13:43.568003 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:58028 -> 172.25.50.10:3306
04/12-11:13:43.569729 [**] [1:2010936:2] ET POLICY Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:39087 -> 172.25.50.10:1521
04/12-11:13:43.579746 [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:54960 -> 172.25.50.10:5902
04/12-11:13:43.580973 [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:48312 -> 172.25.50.10:1433
04/12-11:13:43.584373 [**] [1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:43791 -> 172.25.50.10:5432
04/12-11:13:49.678140 [**] [1:257:9] GPL DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:59459 -> 172.25.50.10:53
b) Second test: $HOME_NET defined with four IPs "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]" and EXTERNAL_NET as "!$HOME_NET". Result: nothing.
c) Third test: $HOME_NET defined as "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]" and EXTERNAL_NET as "any". Result: nothing.
Why?? Is this normal??
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
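An added example, not part of the original post or of Suricata itself, that works through the three configurations above against the alerts from test a). It parses the fast.log flow tuples, evaluates a simplified subset of Suricata address-variable syntax ("any", "$VAR", "!expr", and a bracketed list where positive members are OR'd and negated members are AND'd), and counts which flows satisfy the direction `$EXTERNAL_NET -> $HOME_NET` that the ET POLICY "Suspicious inbound" rules use. The flow list is the page's six alerts plus one constructed host-to-host line, labelled as such, so that the difference between "!$HOME_NET" and "any" as EXTERNAL_NET is visible; the matching logic is an approximation written for this example, not Suricata's detection engine.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Sample input: the six fast.log alerts quoted in the post, followed by ONE
# CONSTRUCTED line (sid 0, not a real rule) in which a HOME_NET host talks to
# another HOME_NET host.
FAST_LOG = """\
04/12-11:13:43.568003 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:58028 -> 172.25.50.10:3306
04/12-11:13:43.569729 [**] [1:2010936:2] ET POLICY Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:39087 -> 172.25.50.10:1521
04/12-11:13:43.579746 [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:54960 -> 172.25.50.10:5902
04/12-11:13:43.580973 [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:48312 -> 172.25.50.10:1433
04/12-11:13:43.584373 [**] [1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:43791 -> 172.25.50.10:5432
04/12-11:13:49.678140 [**] [1:257:9] GPL DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:59459 -> 172.25.50.10:53
04/12-11:14:00.000000 [**] [1:0:0] CONSTRUCTED host-to-host example [**] [Priority: 3] {TCP} 172.25.50.13:40000 -> 172.25.50.10:22
"""

# The HOME_NET value from tests b) and c), exactly as written in the post.
HOSTS = "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"

# (HOME_NET, EXTERNAL_NET) for each of the three tests described in the post.
TESTS: Dict[str, Tuple[str, str]] = {
    "a": ("any", "any"),
    "b": (HOSTS, "!$HOME_NET"),
    "c": (HOSTS, "any"),
}

Flow = Tuple[str, int, str, int]
Matcher = Callable[[str], bool]

# fast.log trailer: {PROTO} SRC:SPORT -> DST:DPORT
FLOW_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_fast_log(text: str) -> List[Flow]:
    """Extract (src, sport, dst, dport) from every fast.log line that has a flow."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def compile_var(expr: str, env: Dict[str, str]) -> Matcher:
    """Turn an address-variable expression into a predicate over an IP string.

    Supported subset (approximation of Suricata's syntax): "any", "$NAME"
    (looked up in env), "!expr", a single CIDR, and "[a,b,!c]" where the
    positive members are OR'd and every negated member must also hold.
    """
    expr = expr.strip()
    if expr == "any":
        return lambda ip: True
    if expr.startswith("!"):
        inner = compile_var(expr[1:], env)
        return lambda ip: not inner(ip)
    if expr.startswith("$"):
        return compile_var(env[expr[1:]], env)
    if expr.startswith("[") and expr.endswith("]"):
        members = [m.strip() for m in expr[1:-1].split(",") if m.strip()]
        positives = [compile_var(m, env) for m in members if not m.startswith("!")]
        negatives = [compile_var(m, env) for m in members if m.startswith("!")]

        def group(ip: str) -> bool:
            pos_ok = any(p(ip) for p in positives) if positives else True
            return pos_ok and all(n(ip) for n in negatives)

        return group
    net = ipaddress.ip_network(expr, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def inbound_matches(flows: List[Flow], home: str, external: str) -> List[Flow]:
    """Flows whose source is in $EXTERNAL_NET and destination in $HOME_NET."""
    env = {"HOME_NET": home, "EXTERNAL_NET": external}
    src_ok = compile_var("$EXTERNAL_NET", env)
    dst_ok = compile_var("$HOME_NET", env)
    return [f for f in flows if src_ok(f[0]) and dst_ok(f[2])]


def count_matches_per_test(text: str = FAST_LOG) -> Dict[str, int]:
    """Number of flows that satisfy EXTERNAL_NET -> HOME_NET under each test."""
    flows = parse_fast_log(text)
    return {name: len(inbound_matches(flows, h, e)) for name, (h, e) in TESTS.items()}


if __name__ == "__main__":
    for name, n in count_matches_per_test().items():
        print(f"test {name}: {n} of {len(parse_fast_log(FAST_LOG))} flows match EXTERNAL_NET -> HOME_NET")
```

Under this evaluation all six scanner flows (172.25.50.30 -> 172.25.50.10) satisfy the rule direction in every one of the three configurations, since 172.25.50.30 is outside the host list and 172.25.50.10 is inside it; only the constructed host-to-host flow drops out in test b). That is why the "nothing" result in b) and c) is unexpected from the address matching alone and points at how the variable is being read from suricata.yaml rather than at the addresses themselves.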