[Oisf-users] Strange results when standalone hosts are monitored

carlopmart carlopmart at gmail.com
Tue Apr 19 09:15:01 UTC 2011


On 04/19/2011 09:01 AM, Victor Julien wrote:
> On 04/13/2011 10:37 PM, carlopmart wrote:
>> On 04/12/2011 08:35 PM, carlopmart wrote:
>>> On 04/12/2011 06:28 PM, carlopmart wrote:
>>>> Hi all,
>>>>
>>>> I have a strange issue when I try to define HOME_NET variable to monitor
>>>> only four hosts with suricata.
>>>>
>>>> Suricata is configured to sniff on a bridge interface that intercepts
>>>> all traffic destined to these four hosts.
>>>>
>>>> My test consists of launching a scan with the nmap command (nmap -n -sV
>>>> 172.25.50.10).
>>>>
>>>> a) First test: $HOME_NET defined as "any" and EXTERNAL_NET defined as
>>>> "any". Result: several alerts are fired like these:
>>>>
>>>> 04/12-11:13:43.568003 [**] [1:2010937:2] ET POLICY Suspicious inbound to
>>>> mySQL port 3306 [**] [Classification: Potentially Bad Traffic]
>>>> [Priority: 2] {TCP} 172.25.50.30:58028 ->  172.25.50.10:3306
>>>> 04/12-11:13:43.569729 [**] [1:2010936:2] ET POLICY Suspicious inbound to
>>>> Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic]
>>>> [Priority: 2] {TCP} 172.25.50.30:39087 ->  172.25.50.10:1521
>>>> 04/12-11:13:43.579746 [**] [1:2002911:4] ET SCAN Potential VNC Scan
>>>> 5900-5920 [**] [Classification: Attempted Information Leak] [Priority:
>>>> 2] {TCP} 172.25.50.30:54960 ->  172.25.50.10:5902
>>>> 04/12-11:13:43.580973 [**] [1:2010935:2] ET POLICY Suspicious inbound to
>>>> MSSQL port 1433 [**] [Classification: Potentially Bad Traffic]
>>>> [Priority: 2] {TCP} 172.25.50.30:48312 ->  172.25.50.10:1433
>>>> 04/12-11:13:43.584373 [**] [1:2010939:2] ET POLICY Suspicious inbound to
>>>> PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic]
>>>> [Priority: 2] {TCP} 172.25.50.30:43791 ->  172.25.50.10:5432
>>>> 04/12-11:13:49.678140 [**] [1:257:9] GPL DNS named version attempt [**]
>>>> [Classification: Attempted Information Leak] [Priority: 2] {TCP}
>>>> 172.25.50.30:59459 ->  172.25.50.10:53
>>>>
>>>>
>>>> b) Second test: $HOME_NET defined with four IPs
>>>> "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
>>>>
>>>> and EXTERNAL_NET as "!$HOME_NET". Result: nothing.
>>>>
>>>> c) Third test: $HOME_NET defined as
>>>> "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
>>>>
>>>> and EXTERNAL_NET as "any". Result: nothing.
>>>>
>>>> Why?? Is this normal??
>>>>
>>>> Thanks.
>>>
>>> Nothing??
>>>
>>
>> Ok, more info. Using suricata 1.1beta2, the results are the same. But using
>> suricata 1.0.3, all three tests work.
>>
>> Any ideas??
>
> We've opened a ticket here:
> https://redmine.openinfosecfoundation.org/issues/284
>
> Cheers,
> Victor
>

Thanks Victor.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
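Added example, not code from the thread or from Suricata itself: a small Python model of Suricata's address-group variables (`any`, CIDR, `$VAR`, `!x`, `[x,y,!z]`) applied to the six fast.log alerts quoted above, to show which rule headers should still match under the three HOME_NET/EXTERNAL_NET configurations tested. The rule headers are assumed to have the usual inbound shape `$EXTERNAL_NET any -> $HOME_NET <port>`; the real rule text is not on the page. The scanner 172.25.50.30 is outside the listed hosts, so `!$HOME_NET` still contains it and every one of the quoted alerts should fire in tests b and c as well as a, which is why the "nothing" result was filed as a bug.

```python
import ipaddress

# Constructed sample input: the six fast.log alerts quoted in the thread,
# reduced to (proto, src_ip, src_port, dst_ip, dst_port).
SAMPLE_ALERTS = [
    ("TCP", "172.25.50.30", 58028, "172.25.50.10", 3306),
    ("TCP", "172.25.50.30", 39087, "172.25.50.10", 1521),
    ("TCP", "172.25.50.30", 54960, "172.25.50.10", 5902),
    ("TCP", "172.25.50.30", 48312, "172.25.50.10", 1433),
    ("TCP", "172.25.50.30", 43791, "172.25.50.10", 5432),
    ("TCP", "172.25.50.30", 59459, "172.25.50.10", 53),
]

# The three vars.address-groups settings from the thread.
HOSTS = "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
CONFIGS = {
    "a": {"HOME_NET": "any", "EXTERNAL_NET": "any"},
    "b": {"HOME_NET": HOSTS, "EXTERNAL_NET": "!$HOME_NET"},
    "c": {"HOME_NET": HOSTS, "EXTERNAL_NET": "any"},
}

# Assumed rule headers: sid, msg (from the alerts above) and destination port
# spec of an 'alert tcp $EXTERNAL_NET any -> $HOME_NET <port>' rule.
RULES = [
    (2010937, "ET POLICY Suspicious inbound to mySQL port 3306", "3306"),
    (2010936, "ET POLICY Suspicious inbound to Oracle SQL port 1521", "1521"),
    (2002911, "ET SCAN Potential VNC Scan 5900-5920", "5900:5920"),
    (2010935, "ET POLICY Suspicious inbound to MSSQL port 1433", "1433"),
    (2010939, "ET POLICY Suspicious inbound to PostgreSQL port 5432", "5432"),
    (257, "GPL DNS named version attempt", "53"),
]


def _split_top_level(body):
    """Split 'a,[b,c],d' at top-level commas only, keeping nested groups intact."""
    items, depth, cur = [], 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        items.append("".join(cur).strip())
    return [i for i in items if i]


def address_group_contains(spec, ip, variables, _depth=0):
    """Evaluate an address group against one IP. Inside a list, non-negated
    entries define the included set (no positive entry means 'any') and the
    negated entries are carved out of it."""
    if _depth > 16:
        raise ValueError("address group variable recursion too deep")
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("$"):
        return address_group_contains(variables[spec[1:]], ip, variables, _depth + 1)
    if spec.startswith("!"):
        return not address_group_contains(spec[1:], ip, variables, _depth + 1)
    if spec.startswith("[") and spec.endswith("]"):
        items = _split_top_level(spec[1:-1])
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        included = (not positives) or any(
            address_group_contains(p, ip, variables, _depth + 1) for p in positives)
        excluded = any(
            address_group_contains(n, ip, variables, _depth + 1) for n in negatives)
        return included and not excluded
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Match a single port or a 'lo:hi' range spec."""
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo) <= port <= int(hi)
    return port == int(spec)


def header_matches(rule, alert, variables):
    """Does the assumed '$EXTERNAL_NET any -> $HOME_NET <port>' header match?"""
    _sid, _msg, dst_port_spec = rule
    proto, src_ip, _src_port, dst_ip, dst_port = alert
    return (proto == "TCP"
            and port_matches(dst_port_spec, dst_port)
            and address_group_contains("$EXTERNAL_NET", src_ip, variables)
            and address_group_contains("$HOME_NET", dst_ip, variables))


def expected_sids(config_name):
    """Sorted sids whose headers match at least one sample alert under a config."""
    variables = CONFIGS[config_name]
    return sorted({rule[0] for rule in RULES for alert in SAMPLE_ALERTS
                   if header_matches(rule, alert, variables)})


if __name__ == "__main__":
    for name in CONFIGS:
        print(name, expected_sids(name))
```

The model also shows the one real difference between tests b and c: a scan launched from a host inside the list (say 172.25.50.13 towards 172.25.50.10) is excluded by `!$HOME_NET` in b but still matches `EXTERNAL_NET: any` in c. With the scanner at 172.25.50.30, outside the list, both configurations should produce the same alerts as test a.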


