[Oisf-users] nmap , alert stand alone hosts issue

Peter Manev petermanev at gmail.com
Tue Apr 19 20:20:44 UTC 2011


My results are the same as Carlo's - using his scenario.
If this is an issue it seems to be a separate one from the
https://redmine.openinfosecfoundation.org/issues/284
The rules that fire up are located in:
emerging-policy.rules
emerging-scan.rules

HOWEVER
@Carlo - what is the IP that you launch the nmap scan from (in the very same
scenario that you reported)?

thanks


On Tue, Apr 19, 2011 at 6:00 PM, <
oisf-users-request at openinfosecfoundation.org> wrote:

> Message: 1
> Date: Tue, 19 Apr 2011 09:01:38 +0200
> From: Victor Julien <victor at inliniac.net>
> Subject: Re: [Oisf-users] Strange results when standalone hosts are monitored
> To: oisf-users at openinfosecfoundation.org
> Message-ID: <4DAD3352.30205 at inliniac.net>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 04/13/2011 10:37 PM, carlopmart wrote:
> > On 04/12/2011 08:35 PM, carlopmart wrote:
> >> On 04/12/2011 06:28 PM, carlopmart wrote:
> >>> Hi all,
> >>>
> >>> I have a strange issue when I try to define the HOME_NET variable to
> >>> monitor only four hosts with suricata.
> >>>
> >>> Suricata is configured to sniff on a bridge interface that intercepts
> >>> all traffic destined to these four hosts.
> >>>
> >>> My test consists of launching a scan with the nmap command (nmap -n -sV
> >>> 172.25.50.10).
> >>>
> >>> a) First test: $HOME_NET defined as "any" and EXTERNAL_NET defined as
> >>> "any". Result: several alerts are fired like these:
> >>>
> >>> 04/12-11:13:43.568003 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:58028 -> 172.25.50.10:3306
> >>> 04/12-11:13:43.569729 [**] [1:2010936:2] ET POLICY Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:39087 -> 172.25.50.10:1521
> >>> 04/12-11:13:43.579746 [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:54960 -> 172.25.50.10:5902
> >>> 04/12-11:13:43.580973 [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:48312 -> 172.25.50.10:1433
> >>> 04/12-11:13:43.584373 [**] [1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:43791 -> 172.25.50.10:5432
> >>> 04/12-11:13:49.678140 [**] [1:257:9] GPL DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:59459 -> 172.25.50.10:53
> >>>
> >>>
> >>> b) Second test: $HOME_NET defined with four IPs
> >>> "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
> >>>
> >>> and EXTERNAL_NET as "!$HOME_NET". Result: nothing.
> >>>
> >>> c) Third test: $HOME_NET defined as
> >>> "[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,172.25.50.20/32,172.25.50.22/32]"
> >>>
> >>> and EXTERNAL_NET as "any". Result: nothing.
> >>>
> >>> Why?? Is this normal??
> >>>
> >>> Thanks.
> >>
> >> Nothing??
> >>
> >
> > Ok, more info. Using suricata 1.1beta2, results are the same. But using
> > suricata 1.0.3, all three tests work.
> >
> > Any ideas??
>
> We've opened a ticket here:
> https://redmine.openinfosecfoundation.org/issues/284
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 19 Apr 2011 11:15:01 +0200
> From: carlopmart <carlopmart at gmail.com>
> Subject: Re: [Oisf-users] Strange results when standalone hosts are
>        monitored
> To: oisf-users at openinfosecfoundation.org
> Message-ID: <4DAD5295.2030706 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Thanks Victor.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
>



-- 
Peter Manev
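Added example, not code from the thread or from Suricata itself: a small Python evaluator for the HOME_NET/EXTERNAL_NET address variables of the three tests, showing which configurations should alert for a scan from a given source address. It assumes the ET rules in question use a "$EXTERNAL_NET any -> $HOME_NET <port>" header and handles only the address syntax that appears in the thread (any, $VAR, leading "!", IP/CIDR, bracketed lists).

```python
import ipaddress

# Constructed variables mirroring the thread's three test configurations.
# The five /32 entries are copied as posted (the post says "four IPs").
HOME_NET_LIST = ("[172.25.50.10/32,172.25.50.13/32,172.25.50.14/32,"
                 "172.25.50.20/32,172.25.50.22/32]")
TEST_CONFIGS = {
    "a": {"HOME_NET": "any", "EXTERNAL_NET": "any"},
    "b": {"HOME_NET": HOME_NET_LIST, "EXTERNAL_NET": "!$HOME_NET"},
    "c": {"HOME_NET": HOME_NET_LIST, "EXTERNAL_NET": "any"},
}


def addr_matches(spec, ip, variables):
    """True if `ip` is covered by the Suricata-style address spec `spec`.

    Supported subset: 'any', a $VARIABLE reference (looked up in
    `variables`), a leading '!' for negation, a single IP or CIDR, and a
    bracketed comma-separated list of the above (any member matching).
    """
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(p, ip, variables) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_would_fire(variables, src_ip, dst_ip):
    """Would a '$EXTERNAL_NET any -> $HOME_NET <port>' rule (assumed header
    shape for the ET POLICY/SCAN rules) match a flow src_ip -> dst_ip?"""
    return (addr_matches("$EXTERNAL_NET", src_ip, variables)
            and addr_matches("$HOME_NET", dst_ip, variables))


def expected_results(scanner_ip, target_ip="172.25.50.10"):
    """Expected alert outcome of tests a, b and c for scanner_ip -> target_ip."""
    return {name: rule_would_fire(cfg, scanner_ip, target_ip)
            for name, cfg in TEST_CONFIGS.items()}


if __name__ == "__main__":
    # Scanner outside HOME_NET (the 172.25.50.30 seen in the posted alerts):
    # every test should fire, so silence in b and c is unexpected.
    print(expected_results("172.25.50.30"))
    # Scanner that is itself a monitored host: '!$HOME_NET' excludes it in b only.
    print(expected_results("172.25.50.13"))
```

For the 172.25.50.30 source shown in the alerts all three tests should fire, so silence in b and c is consistent with the bug in the ticket; a scanner that is itself one of the HOME_NET hosts would explain silence in b but not in c, which is what the question about the scanning IP distinguishes.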