[Oisf-users] Strange results when standalone hosts are monitored

carlopmart carlopmart at gmail.com
Wed Apr 13 20:37:07 UTC 2011


On 04/12/2011 08:35 PM, carlopmart wrote:
> On 04/12/2011 06:28 PM, carlopmart wrote:
>> Hi all,
>>
>> I have a strange issue when I try to define HOME_NET variable to monitor
>> only four hosts with suricata.
>>
>> Suricata is configured to sniff on a bridge interface that intercepts
>> all traffic destined to these four hosts.
>>
>> My test consists of launching a scan with the nmap command (nmap -n -sV
>> 172.25.50.10).
>>
>> a) First test: $HOME_NET defined as "any" and EXTERNAL_NET defined as
>> "any". Result: several alerts are fired like these:
>>
>> 04/12-11:13:43.568003 [**] [1:2010937:2] ET POLICY Suspicious inbound to
>> mySQL port 3306 [**] [Classification: Potentially Bad Traffic]
>> [Priority: 2] {TCP} 172.25.50.30:58028 -> 172.25.50.10:3306
>> 04/12-11:13:43.569729 [**] [1:2010936:2] ET POLICY Suspicious inbound to
>> Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic]
>> [Priority: 2] {TCP} 172.25.50.30:39087 -> 172.25.50.10:1521
>> 04/12-11:13:43.579746 [**] [1:2002911:4] ET SCAN Potential VNC Scan
>> 5900-5920 [**] [Classification: Attempted Information Leak] [Priority:
>> 2] {TCP} 172.25.50.30:54960 -> 172.25.50.10:5902
>> 04/12-11:13:43.580973 [**] [1:2010935:2] ET POLICY Suspicious inbound to
>> MSSQL port 1433 [**] [Classification: Potentially Bad Traffic]
>> [Priority: 2] {TCP} 172.25.50.30:48312 -> 172.25.50.10:1433
>> 04/12-11:13:43.584373 [**] [1:2010939:2] ET POLICY Suspicious inbound to
>> PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic]
>> [Priority: 2] {TCP} 172.25.50.30:43791 -> 172.25.50.10:5432
>> 04/12-11:13:49.678140 [**] [1:257:9] GPL DNS named version attempt [**]
>> [Classification: Attempted Information Leak] [Priority: 2] {TCP}
>> 172.25.50.30:59459 -> 172.25.50.10:53
>>
>>
>> b) Second test: $HOME_NET defined with four IPs
>> "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
>>
>> and EXTERNAL_NET as "!$HOME_NET". Result: nothing.
>>
>> c) Third test: $HOME_NET defined as
>> "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
>>
>> and EXTERNAL_NET as "any". Result: nothing.
>>
>> Why?? Is this normal??
>>
>> Thanks.
>
> Nothing??
>

Ok, more info. Using suricata 1.1beta2, results are the same. But using 
suricata 1.0.3, all three tests work.

Any ideas??


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
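The three tests differ only in how $HOME_NET and $EXTERNAL_NET are defined, so a useful sanity check is to take the alert lines that did fire in test a) and ask, for each of the three variable definitions, whether the alert's endpoints still fall inside the rule header's source and destination groups. The script below is an added example, not code from the thread and not Suricata's own matching code: it re-implements a simplified version of Suricata's documented address-group semantics (lists, `!` negation, `$VAR` references, `any`) and evaluates representative rule headers of the form `alert tcp $EXTERNAL_NET any -> $HOME_NET <port>` against the sender's fast.log lines. The headers, the variable names and the fourth log line (a scan from a host that is itself inside HOME_NET) are constructed for the example; the first three log lines are the ones pasted above. If the simplified evaluation says an alert should fire under b) and c) while the sensor stays silent, the variables themselves are not the explanation and a version difference, as the sender observed, becomes the likelier cause.

```python
"""Check Suricata address-variable definitions against fast.log alert lines.

Added example: a simplified re-implementation of Suricata's address-group
semantics (not Suricata code). Lists OR their positive entries and AND
their negated ones; '$VAR' refers to the variables dict; 'any' matches all.
"""
import ipaddress
import re

# The first three lines are copied from the thread; the fourth is constructed
# to show a scan coming from a host that is itself inside HOME_NET.
FAST_LOG = """\
04/12-11:13:43.568003 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:58028 -> 172.25.50.10:3306
04/12-11:13:43.579746 [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:54960 -> 172.25.50.10:5902
04/12-11:13:49.678140 [**] [1:257:9] GPL DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:59459 -> 172.25.50.10:53
04/12-11:14:02.000000 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.13:40000 -> 172.25.50.10:3306
"""

# Representative rule headers for the lines above (constructed; ports may be
# 'any', a single port, or a 'low:high' range as in Suricata rule syntax).
HEADERS = [
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 3306",
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920",
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 53",
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 3306",
]

HOME_LIST = "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"

# The three variable definitions from the sender's tests a), b) and c).
CONFIGS = {
    "a": {"HOME_NET": "any", "EXTERNAL_NET": "any"},
    "b": {"HOME_NET": HOME_LIST, "EXTERNAL_NET": "!$HOME_NET"},
    "c": {"HOME_NET": HOME_LIST, "EXTERNAL_NET": "any"},
}

FAST_RE = re.compile(
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def split_top(s):
    """Split on commas that are not inside a nested [...] group."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def build_matcher(spec, variables):
    """Turn an address-group spec into a predicate ip_address -> bool."""
    spec = spec.strip()
    if spec == "any":
        return lambda ip: True
    if spec.startswith("!"):
        inner = build_matcher(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return build_matcher(variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        items = split_top(spec[1:-1])
        positive = [build_matcher(i, variables) for i in items if not i.startswith("!")]
        negated = [build_matcher(i[1:], variables) for i in items if i.startswith("!")]
        # Positive entries are OR'd; every negated entry must be false.
        return lambda ip: (not positive or any(m(ip) for m in positive)) and not any(
            m(ip) for m in negated
        )
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ip in net


def in_group(spec, variables, addr):
    """Convenience wrapper: does the dotted-quad string addr fall in spec?"""
    return build_matcher(spec, variables)(ipaddress.ip_address(addr))


def parse_fast_line(line):
    """Extract protocol and endpoints from one fast.log line."""
    m = FAST_RE.search(line)
    if not m:
        raise ValueError("unrecognised fast.log line: " + line)
    d = m.groupdict()
    return {"proto": d["proto"].lower(), "src": ipaddress.ip_address(d["src"]),
            "sport": int(d["sport"]), "dst": ipaddress.ip_address(d["dst"]),
            "dport": int(d["dport"])}


def port_ok(spec, value):
    """Port spec: 'any', a single port, or 'low:high'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo) <= value <= int(hi)
    return int(spec) == value


def header_matches(header, alert, variables):
    """Evaluate a '-> ' rule header against a parsed alert under variables."""
    _action, proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("only '->' headers are handled in this example")
    if proto != "any" and proto != alert["proto"]:
        return False
    return (build_matcher(src, variables)(alert["src"]) and port_ok(sport, alert["sport"])
            and build_matcher(dst, variables)(alert["dst"]) and port_ok(dport, alert["dport"]))


def matching_alerts(config_name):
    """Return the indexes of sample alerts that fit their header under a config."""
    variables = CONFIGS[config_name]
    return [i for i, (line, header) in enumerate(zip(FAST_LOG.splitlines(), HEADERS))
            if header_matches(header, parse_fast_line(line), variables)]


if __name__ == "__main__":
    for name in CONFIGS:
        print(f"test {name}: alerts that should fire -> {matching_alerts(name)}")
```

Under this evaluation the three pasted alerts fit their headers in all three tests, and only the constructed fourth line (scanner inside HOME_NET) is dropped by test b), because `!$HOME_NET` excludes it as a source; test c) with EXTERNAL_NET "any" keeps it. That is the behaviour the sender saw with 1.0.3, which is why the variable definitions alone do not account for the silence in the other version.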


