[Oisf-users] Strange results when standalone hosts are monitored

carlopmart carlopmart at gmail.com
Tue Apr 12 18:35:42 UTC 2011


On 04/12/2011 06:28 PM, carlopmart wrote:
> Hi all,
>
> I have a strange issue when I try to define HOME_NET variable to monitor
> only four hosts with suricata.
>
> Suricata is configured to sniff on a bridge interface that intercepts
> all traffic destined to these four hosts.
>
> My test consists of launching a scan with the nmap command (nmap -n -sV
> 172.25.50.10).
>
> a) First test: $HOME_NET defined as "any" and EXTERNAL_NET defined as
> "any". Result: several alerts are fired like these:
>
> 04/12-11:13:43.568003 [**] [1:2010937:2] ET POLICY Suspicious inbound to
> mySQL port 3306 [**] [Classification: Potentially Bad Traffic]
> [Priority: 2] {TCP} 172.25.50.30:58028 -> 172.25.50.10:3306
> 04/12-11:13:43.569729 [**] [1:2010936:2] ET POLICY Suspicious inbound to
> Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic]
> [Priority: 2] {TCP} 172.25.50.30:39087 -> 172.25.50.10:1521
> 04/12-11:13:43.579746 [**] [1:2002911:4] ET SCAN Potential VNC Scan
> 5900-5920 [**] [Classification: Attempted Information Leak] [Priority:
> 2] {TCP} 172.25.50.30:54960 -> 172.25.50.10:5902
> 04/12-11:13:43.580973 [**] [1:2010935:2] ET POLICY Suspicious inbound to
> MSSQL port 1433 [**] [Classification: Potentially Bad Traffic]
> [Priority: 2] {TCP} 172.25.50.30:48312 -> 172.25.50.10:1433
> 04/12-11:13:43.584373 [**] [1:2010939:2] ET POLICY Suspicious inbound to
> PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic]
> [Priority: 2] {TCP} 172.25.50.30:43791 -> 172.25.50.10:5432
> 04/12-11:13:49.678140 [**] [1:257:9] GPL DNS named version attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2] {TCP}
> 172.25.50.30:59459 -> 172.25.50.10:53
>
>
> b) Second test: $HOME_NET defined with four IPs
> "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
> and EXTERNAL_NET as "!$HOME_NET". Result: nothing.
>
> c) Third test: $HOME_NET defined as
> "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
> and EXTERNAL_NET as "any". Result: nothing.
>
> Why?? Is this normal??
>
> Thanks.

Nothing??

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
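Added example (editor's illustration, not code from the thread or from Suricata): a small Python evaluator for Suricata-style address-group expressions, using the documented rule-syntax semantics ("any" matches everything, "$NAME" expands a variable, "!X" negates, "[a,b,!c]" groups with exclusions). The three variable tables are constructed from tests (a), (b) and (c) above, and the rule header "$EXTERNAL_NET any -> $HOME_NET <port>" is assumed to be the form of the ET POLICY rules quoted in test (a). It shows how the scan source 172.25.50.30, which is outside the listed HOME_NET, resolves under each configuration; it does not claim to explain the empty result the poster saw.

```python
import ipaddress

# Constructed address-group tables mirroring the three tests in the post
# (the vars.address-groups section of suricata.yaml); illustrative, not a real config file.
FOUR_HOSTS = "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
TEST_A = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
TEST_B = {"HOME_NET": FOUR_HOSTS, "EXTERNAL_NET": "!$HOME_NET"}
TEST_C = {"HOME_NET": FOUR_HOSTS, "EXTERNAL_NET": "any"}


def _split_group(body):
    """Split the inside of [...] on top-level commas, keeping nested groups intact."""
    parts, depth, cur = [], 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return [p for p in parts if p]


def address_matches(expr, ip, addr_vars):
    """Evaluate a Suricata-style address expression against one IP address.

    Semantics implemented: 'any' matches everything, '$NAME' expands a
    variable from addr_vars, '!X' negates X, and '[a,b,!c]' matches when the
    IP is in a or b and not in c (a group holding only negations means
    'everything except those').
    """
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not address_matches(expr[1:], ip, addr_vars)
    if expr.startswith("$"):
        return address_matches(addr_vars[expr[1:]], ip, addr_vars)
    if expr.startswith("[") and expr.endswith("]"):
        members = _split_group(expr[1:-1])
        negated = [m[1:] for m in members if m.startswith("!")]
        positive = [m for m in members if not m.startswith("!")]
        if any(address_matches(n, ip, addr_vars) for n in negated):
            return False
        if not positive:
            return True
        return any(address_matches(p, ip, addr_vars) for p in positive)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def header_matches(src_expr, dst_expr, src_ip, dst_ip, addr_vars):
    """True if a unidirectional header 'src_expr any -> dst_expr <port>' matches the flow."""
    return (address_matches(src_expr, src_ip, addr_vars)
            and address_matches(dst_expr, dst_ip, addr_vars))


def scan_header_results(src_ip="172.25.50.30", dst_ip="172.25.50.10"):
    """Evaluate the assumed '$EXTERNAL_NET any -> $HOME_NET 3306' header under tests a, b and c."""
    return {name: header_matches("$EXTERNAL_NET", "$HOME_NET", src_ip, dst_ip, v)
            for name, v in (("a", TEST_A), ("b", TEST_B), ("c", TEST_C))}


if __name__ == "__main__":
    # The scanning host from the post, then a scan launched from one of the HOME_NET hosts.
    for flow in (("172.25.50.30", "172.25.50.10"), ("172.25.50.13", "172.25.50.10")):
        print(flow, scan_header_results(*flow))
```

Run stand-alone, the first flow (the poster's scan) matches the header under all three tables, because 172.25.50.30 is not one of the listed addresses and therefore falls inside "!$HOME_NET". The second flow shows the one case where (b) and (c) differ: a scan from 172.25.50.13 is excluded by "!$HOME_NET" but still accepted by EXTERNAL_NET "any".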