[Oisf-users] suri logging all the packets for the session

Russell Fulton r.fulton at auckland.ac.nz
Fri Nov 7 23:59:53 UTC 2014


Hi

For some rules (e.g. ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename inside)  I get a large chunk of the incoming packets logged:

SID	CID		Timestamp		Signature								IP Src		IP Dst		Proto	Length
3	21738471	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	70	
3	21738472	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	86	
3	21738473	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	78	
3	21738474	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	76	
3	21738475	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	74	
3	21738476	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	74	
3	21738477	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	76	
3	21738478	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	79	
3	21738479	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	75	
3	21738480	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	46	
3	21738481	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	1488	
3	21738482	2014-11-07 13:13:55	ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in		195.154.140.201	130.216.125.245	6	1488	

The short packets at the start are the headers and the two large packets at the end are the start of the body of the message. How much of the body gets logged is random; in a few cases I am getting the whole lot, i.e. you get a short packet at the end with the MIME boundary at the end.  Mostly I get two or three packets.

I am curious to know what is going on.  I cannot see anything in the rule that would trigger this behaviour.

Just found another example:

SID	CID		Timestamp		Signature				IP Src		IP Dst		Proto	Length
2	17853581	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	56	
2	17853582	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	51	
2	17853583	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	46	
2	17853584	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	153	
2	17853585	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	48	
2	17853586	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	48	
2	17853587	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	70	
2	17853588	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	66	
2	17853589	2014-11-07 13:05:08	GPL FTP SITE overflow attempt		128.39.65.26	130.216.31.100	6	56	

It is the fourth packet that triggered the alert.  ( I thought I had disabled all the GPL FTP Overflow rules!)

Running 2.0.3

Russell
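
As an added example (not from the post above and not Suricata's own code), here is a short Python script that parses a listing like the two shown in the post and reports, per alert, how many packet records were written and how many bytes they add up to, so the sessions where most or all of a message body was logged can be picked out quickly. It assumes the column order of the header rows in the post (SID, CID, Timestamp, Signature, IP Src, IP Dst, Proto, Length) and, because the listing carries no flow identifier, groups rows by SID, timestamp, signature and endpoints; that grouping key is an assumption of this example, not something the post states. The sample rows are reconstructed from the two listings above.

```python
"""Summarise per-alert packet logging from a tab-separated alert listing.

Added example, not part of the original post. Column layout is assumed from
the post's header line; the grouping key (SID, timestamp, signature, src,
dst, proto) is an assumption because the listing has no flow ID.
"""
from collections import defaultdict

COLUMNS = ("sid", "cid", "timestamp", "signature", "src", "dst", "proto", "length")

# Constructed sample: the two listings from the post, tabs as in the post
# (the doubled tab after the signature and trailing tab are handled below).
SAMPLE_EVENTS = """\
SID\tCID\t\tTimestamp\t\tSignature\t\t\t\t\t\t\t\tIP Src\t\tIP Dst\t\tProto\tLength
3\t21738471\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t70\t
3\t21738472\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t86\t
3\t21738473\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t78\t
3\t21738474\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t76\t
3\t21738475\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t74\t
3\t21738476\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t74\t
3\t21738477\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t76\t
3\t21738478\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t79\t
3\t21738479\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t75\t
3\t21738480\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t46\t
3\t21738481\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t1488\t
3\t21738482\t2014-11-07 13:13:55\tET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename in\t\t195.154.140.201\t130.216.125.245\t6\t1488\t
SID\tCID\t\tTimestamp\t\tSignature\t\t\t\tIP Src\t\tIP Dst\t\tProto\tLength
2\t17853581\t2014-11-07 13:05:08\tGPL FTP SITE overflow attempt\t\t128.39.65.26\t130.216.31.100\t6\t56\t
2\t17853582\t2014-11-07 13:05:08\tGPL FTP SITE overflow attempt\t\t128.39.65.26\t130.216.31.100\t6\t51\t
2\t17853583\t2014-11-07 13:05:08\tGPL FTP SITE overflow attempt\t\t128.39.65.26\t130.216.31.100\t6\t46\t
2\t17853584\t2014-11-07 13:05:08\tGPL FTP SITE overflow attempt\t\t128.39.65.26\t130.216.31.100\t6\t153\t
2\t17853585\t2014-11-07 13:05:08\tGPL FTP SITE overflow attempt\t\t128.39.65.26\t130.216.31.100\t6\t48\t
2\t17853586\t2014-11-07 13:05:08\tGPL FTP SITE overflow attempt\t\t128.39.65.26\t130.216.31.100\t6\t48\t
2\t17853587\t2014-11-07 13:05:08\tGPL FTP SITE overflow attempt\t\t128.39.65.26\t130.216.31.100\t6\t70\t
2\t17853588\t2014-11-07 13:05:08\tGPL FTP SITE overflow attempt\t\t128.39.65.26\t130.216.31.100\t6\t66\t
2\t17853589\t2014-11-07 13:05:08\tGPL FTP SITE overflow attempt\t\t128.39.65.26\t130.216.31.100\t6\t56\t
"""


def parse_events(text):
    """Return one dict per data row; header lines and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        # Drop empty cells so runs of tabs (and the trailing tab) do not matter.
        fields = [f.strip() for f in line.split("\t") if f.strip()]
        if len(fields) != len(COLUMNS) or not fields[1].isdigit():
            continue  # header row ("CID" is not numeric) or malformed line
        row = dict(zip(COLUMNS, fields))
        row["cid"] = int(row["cid"])
        row["length"] = int(row["length"])
        rows.append(row)
    return rows


def summarize(rows):
    """Group packet records into alerts and count packets and bytes per alert."""
    groups = defaultdict(list)
    for r in rows:
        key = (r["sid"], r["timestamp"], r["signature"], r["src"], r["dst"], r["proto"])
        groups[key].append(r)
    summary = {}
    for key, pkts in groups.items():
        pkts.sort(key=lambda r: r["cid"])
        lengths = [p["length"] for p in pkts]
        summary[key] = {
            "packets": len(pkts),
            "bytes": sum(lengths),
            "largest": max(lengths),
            "cid_range": (pkts[0]["cid"], pkts[-1]["cid"]),
            # True when no other event's CID was interleaved in this burst.
            "contiguous_cids": pkts[-1]["cid"] - pkts[0]["cid"] + 1 == len(pkts),
        }
    return summary


def bulk_logged(summary, min_packets=2):
    """Alerts that wrote at least min_packets packet records."""
    return {k: v for k, v in summary.items() if v["packets"] >= min_packets}


if __name__ == "__main__":
    for key, stats in bulk_logged(summarize(parse_events(SAMPLE_EVENTS))).items():
        sid, ts, sig, src, dst, _ = key
        print(f"{ts} sid={sid} {src}->{dst} {stats['packets']} pkts "
              f"{stats['bytes']} bytes (largest {stats['largest']}) {sig}")
```

Run over a real export, the "bytes" and "largest" columns separate alerts that logged only the SMTP headers from those that pulled in the message body, which is the distinction the post is asking about. Grouping on a one-second timestamp will merge two genuinely separate alerts for the same signature and endpoints that fire within the same second; when the export includes a flow or session identifier, use that as the key instead.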