[Oisf-users] Strange results when standalone hosts are monitored

Victor Julien victor at inliniac.net
Tue Apr 19 07:01:38 UTC 2011


On 04/13/2011 10:37 PM, carlopmart wrote:
> On 04/12/2011 08:35 PM, carlopmart wrote:
>> On 04/12/2011 06:28 PM, carlopmart wrote:
>>> Hi all,
>>>
>>> I have a strange issue when I try to define the HOME_NET variable to monitor
>>> only four hosts with Suricata.
>>>
>>> Suricata is configured to sniff on a bridge interface that intercepts
>>> all traffic destined to these four hosts.
>>>
>>> My test consists of launching a scan with the nmap command (nmap -n -sV
>>> 172.25.50.10).
>>>
>>> a) First test: $HOME_NET defined as "any" and EXTERNAL_NET defined as
>>> "any". Result: several alerts like these are fired:
>>>
>>> 04/12-11:13:43.568003 [**] [1:2010937:2] ET POLICY Suspicious inbound to
>>> mySQL port 3306 [**] [Classification: Potentially Bad Traffic]
>>> [Priority: 2] {TCP} 172.25.50.30:58028 -> 172.25.50.10:3306
>>> 04/12-11:13:43.569729 [**] [1:2010936:2] ET POLICY Suspicious inbound to
>>> Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic]
>>> [Priority: 2] {TCP} 172.25.50.30:39087 -> 172.25.50.10:1521
>>> 04/12-11:13:43.579746 [**] [1:2002911:4] ET SCAN Potential VNC Scan
>>> 5900-5920 [**] [Classification: Attempted Information Leak] [Priority:
>>> 2] {TCP} 172.25.50.30:54960 -> 172.25.50.10:5902
>>> 04/12-11:13:43.580973 [**] [1:2010935:2] ET POLICY Suspicious inbound to
>>> MSSQL port 1433 [**] [Classification: Potentially Bad Traffic]
>>> [Priority: 2] {TCP} 172.25.50.30:48312 -> 172.25.50.10:1433
>>> 04/12-11:13:43.584373 [**] [1:2010939:2] ET POLICY Suspicious inbound to
>>> PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic]
>>> [Priority: 2] {TCP} 172.25.50.30:43791 -> 172.25.50.10:5432
>>> 04/12-11:13:49.678140 [**] [1:257:9] GPL DNS named version attempt [**]
>>> [Classification: Attempted Information Leak] [Priority: 2] {TCP}
>>> 172.25.50.30:59459 -> 172.25.50.10:53
>>>
>>>
>>> b) Second test: $HOME_NET defined with four IPs
>>> "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
>>>
>>> and EXTERNAL_NET as "!$HOME_NET". Result: nothing.
>>>
>>> c) Third test: $HOME_NET defined as
>>> "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
>>>
>>> and EXTERNAL_NET as "any". Result: nothing.
>>>
>>> Why?? Is this normal??
>>>
>>> Thanks.
>>
>> Nothing??
>>
> 
> OK, more info. Using Suricata 1.1beta2, the results are the same. But using
> Suricata 1.0.3, all three tests work.
> 
> Any ideas??

We've opened a ticket here:
https://redmine.openinfosecfoundation.org/issues/284

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
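The three HOME_NET/EXTERNAL_NET definitions from the thread, as an added example that is not part of the original post and not Suricata's own code: a small Python model of Suricata address-group matching ("any", bracketed lists, `$VAR` references and `!` negation) applied to the fast.log lines quoted above. It assumes the listed ET/GPL rules carry a `$EXTERNAL_NET any -> $HOME_NET <port>` header, which is the usual shape of an "inbound" rule; under that assumption all three definitions should yield the same six alerts, because the scanner 172.25.50.30 lies outside HOME_NET and the target 172.25.50.10 inside it. The hypothetical `would_fire` helper also shows the one case where definitions (b) and (c) legitimately differ: a scan launched from a host that is itself in HOME_NET.

```python
import ipaddress
import re

# Constructed from the thread: the HOME_NET list the poster used (it holds
# five /32s, although the mail calls them "four hosts") and the three
# HOME_NET / EXTERNAL_NET combinations tried.  Syntax follows suricata.yaml:
# "any", a bracketed comma-separated list, "$VAR" references, "!" negation.
HOSTS = "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
TESTS = {
    "a": {"HOME_NET": "any", "EXTERNAL_NET": "any"},
    "b": {"HOME_NET": HOSTS, "EXTERNAL_NET": "!$HOME_NET"},
    "c": {"HOME_NET": HOSTS, "EXTERNAL_NET": "any"},
}

# The fast.log lines from test (a), unwrapped.  Direction is src -> dst.
FAST_LOG_LINES = [
    "04/12-11:13:43.568003 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:58028 -> 172.25.50.10:3306",
    "04/12-11:13:43.569729 [**] [1:2010936:2] ET POLICY Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:39087 -> 172.25.50.10:1521",
    "04/12-11:13:43.579746 [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:54960 -> 172.25.50.10:5902",
    "04/12-11:13:43.580973 [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:48312 -> 172.25.50.10:1433",
    "04/12-11:13:43.584373 [**] [1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:43791 -> 172.25.50.10:5432",
    "04/12-11:13:49.678140 [**] [1:257:9] GPL DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:59459 -> 172.25.50.10:53",
]

# Suricata fast.log format: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {proto} src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


class AddressGroup:
    """A resolved address group: networks to include (an empty list means
    "any") and networks to exclude.  An exclusion always wins."""

    def __init__(self, include, exclude):
        self.include = include
        self.exclude = exclude

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        if any(ip in net for net in self.exclude):
            return False
        return not self.include or any(ip in net for net in self.include)


def parse_group(expr, variables):
    """Resolve an address expression against the variable table.  Handles
    "any", "$VAR", "!expr", a flat "[a,b,!c]" list and plain IP/CIDR items
    (nested brackets are not modelled)."""
    expr = expr.strip()
    if expr == "any":
        return AddressGroup([], [])
    if expr.startswith("!"):
        inner = parse_group(expr[1:], variables)
        # Negation swaps the two lists: !X includes what X excluded and
        # excludes what X included.
        return AddressGroup(inner.exclude, inner.include)
    if expr.startswith("$"):
        return parse_group(variables[expr[1:]], variables)
    if expr.startswith("[") and expr.endswith("]"):
        include, exclude = [], []
        for item in expr[1:-1].split(","):
            group = parse_group(item, variables)
            include.extend(group.include)
            exclude.extend(group.exclude)
        return AddressGroup(include, exclude)
    return AddressGroup([ipaddress.ip_network(expr, strict=False)], [])


def would_fire(src, dst, variables):
    """Hypothetical helper: whether an assumed '$EXTERNAL_NET any ->
    $HOME_NET <port>' header matches a flow from src to dst under the
    given variable definitions."""
    external = parse_group(variables["EXTERNAL_NET"], variables)
    home = parse_group(variables["HOME_NET"], variables)
    return external.contains(src) and home.contains(dst)


def expected_alerts(lines, variables):
    """SIDs of the fast.log lines whose src/dst satisfy the inbound header
    under these variables, i.e. the alerts the configuration should produce."""
    sids = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable fast.log line: " + line)
        if would_fire(m["src"], m["dst"], variables):
            sids.append(int(m["sid"]))
    return sids


if __name__ == "__main__":
    for name, variables in TESTS.items():
        print(name, variables["EXTERNAL_NET"], expected_alerts(FAST_LOG_LINES, variables))
    # A scan from a HOME_NET member is dropped by (b) but still matched by (c).
    print("scan from 172.25.50.13 under (b):", would_fire("172.25.50.13", "172.25.50.10", TESTS["b"]))
    print("scan from 172.25.50.13 under (c):", would_fire("172.25.50.13", "172.25.50.10", TESTS["c"]))
```

Running the script prints the same six SIDs for (a), (b) and (c), which is what the 1.0.3 result in the thread shows; the only configuration-dependent difference the model produces is for a scanner that is itself inside HOME_NET, which `!$HOME_NET` excludes from EXTERNAL_NET in (b) but not in (c).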
