
Re: [firestorm053] pb with rules: BAD TRAFFIC syn to multicastaddress...



variable HOME_NET = EXTERNAL_NET = any ...

I will look into why later...

Sorry for the other false pb.

Regards.



Gianni Tedesco wrote:

> On Sat, 2003-06-21 at 20:45, rmkml wrote:
> > Hi,
> >
> > look event :
> > Jun 21 18:12:01 xxx 11 firestorm-nids053: 1056211921.440716
> > alert=sig.tcp sig=1431.4 priority=2 src=217.128.40.199 dst=24.78.142.0
> > proto=6 spt=4662 dpt=3889 flags=*S**A*** from=server server=SYN_SENT
> > client=SYN_RECV : BAD TRAFFIC syn to multicast address
> >
> > look this rules : (include in firestorm053)
> >
> > /xxx/snort-rules/bad-traffic.rules:alert tcp any any ->
> > [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD TRAFFIC syn to
> > multicast address"; flags:S+; classtype:bad-unknown; sid:1431; rev:4;)
> >
> > and read tcpdump file (join):
> > 18:12:01.440705 24.78.142.0.3889 > 217.128.40.199.4662: S [tcp sum ok]
> > 311693554:311693554(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl
> > 113, id 53684, len 48)
> > ...
>
> can't seem to reproduce this either.
>
> What happens if you use the default ruleset and config but with
> HOME_NET and EXTERNAL_NET set to any ?
>
> --
> // Gianni Tedesco (gianni at scaramanga dot co dot uk)
> lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
> 8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
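Added example, not part of the original thread or of firestorm: a small triage check that compares the quoted alert line against the quoted rule (sid 1431) to confirm the mismatch being reported. It assumes the `sig=` field is `sid.rev`, that letters in `flags=` mark set TCP flags, and it handles only the `+` flag modifier; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed from the alert and rule quoted in the thread (line wraps joined).
ALERT = ("alert=sig.tcp sig=1431.4 priority=2 src=217.128.40.199 "
         "dst=24.78.142.0 proto=6 spt=4662 dpt=3889 flags=*S**A*** "
         "from=server server=SYN_SENT client=SYN_RECV")
RULE = ('alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any '
        '(msg:"BAD TRAFFIC syn to multicast address"; flags:S+; '
        'classtype:bad-unknown; sid:1431; rev:4;)')

def parse_alert(line):
    """Split the key=value fields of an alert line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def rule_dst_nets(rule):
    """Destination networks from the rule header ('any' becomes 0.0.0.0/0)."""
    header = rule.split("(", 1)[0]
    dst = header.split("->", 1)[1].split()[0]
    items = dst.strip("[]").split(",")
    return [ipaddress.ip_network("0.0.0.0/0" if i == "any" else i)
            for i in items]

def flags_match(spec, seen):
    """'S+' means S set plus any others; without '+' the set must be exact."""
    want = set(spec.rstrip("+"))
    have = set(seen.replace("*", ""))  # assumption: '*' marks an unset flag
    return want <= have if spec.endswith("+") else want == have

def triage(alert_line, rule):
    """Report which parts of the rule the logged packet actually satisfies."""
    a = parse_alert(alert_line)
    dst = ipaddress.ip_address(a["dst"])
    sid = re.search(r"sid:\s*(\d+);", rule).group(1)
    spec = re.search(r"flags:\s*([^;]+);", rule).group(1)
    return {
        "sid_matches": a["sig"].split(".")[0] == sid,  # assumption: sid.rev
        "dst_in_rule": any(dst in net for net in rule_dst_nets(rule)),
        "flags_match": flags_match(spec, a["flags"]),
    }

if __name__ == "__main__":
    for check, ok in triage(ALERT, RULE).items():
        print(f"{check:12} {'ok' if ok else 'MISMATCH'}")
```

For the quoted event the sid and flags checks pass, but the destination 24.78.142.0 is outside all three multicast ranges, so the alert does not agree with the rule as written.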