kfox
Resolved
0 votes
Hola

For the last couple of months one of my clear VMs has been blocking Gmail webmail servers and reporting what it thinks are a number of port scans (actually what seems to be broken SSL packets) against it originating from the local subnet. This is the only one out of several similar VMs that seems to be picking up on it. The rule that finally blocked the server in this log dump is SID 2000540:

scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (2)"; fragbits: !D; dsize: 0; flags: A,12; window: 3072; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2000540; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid: 2000540; rev:7; fwsam: src, 1 day;)
sid-msg.map:2000540 || ET SCAN NMAP -sA (2) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP || url,doc.emergingthreats.net/2000540

Considering the nature of the rule I have a hard time understanding why Gmail webmail would trip it and an even harder time understanding the SSL-related false positives. Any insight would be appreciated.

Oct 24 08:59:52 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:1064 -> 173.194.35.83:80
Oct 24 09:00:16 router snort[19544]: [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:1064 -> 173.194.35.83:80
Oct 24 09:02:15 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:1069 -> 173.194.35.83:80
Oct 24 09:02:30 router snort[19544]: [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:1069 -> 173.194.35.83:80
Oct 24 10:56:46 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.59 -> 173.194.35.83
Oct 24 22:33:30 router snort[19544]: [1:2000540:7] ET SCAN NMAP -sA (2) [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 173.194.35.83:443 -> xxx.xxx.xxx.44:54248
Oct 24 22:33:30 router snort[19544]: [1:2000540:7] ET SCAN NMAP -sA (2) [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 173.194.35.83:443 -> xxx.xxx.xxx.44:54248
Oct 25 03:19:54 router snort[19544]: [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5![Priority: 3]: {TCP} xxx.xxx.xxx.198:0 -> 173.194.35.83:0
Oct 25 03:47:03 router snort[19544]: [116:55:1] (snort_decoder): Truncated Tcp Options[Priority: 3]: {TCP} xxx.xxx.xxx.198:50635 -> 173.194.35.83:80
Oct 23 10:28:10 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.27 -> 173.194.35.83
Oct 23 11:06:23 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.27 -> 173.194.35.83
Oct 23 11:18:11 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.27 -> 173.194.35.83
Oct 23 11:28:11 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.27 -> 173.194.35.83
Oct 23 11:54:06 router snort[19544]: [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5![Priority: 3]: {TCP} xxx.xxx.xxx.59:0 -> 173.194.35.83:0
Oct 23 12:04:48 router snort[19544]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY[Priority: 3]: {TCP} xxx.xxx.xxx.27:49838 -> 173.194.35.83:80
Oct 23 12:18:56 router snort[19544]: [116:55:1] (snort_decoder): Truncated Tcp Options[Priority: 3]: {TCP} xxx.xxx.xxx.198:55424 -> 173.194.35.83:80
Oct 23 14:34:06 router snort[19544]: [116:55:1] (snort_decoder): Truncated Tcp Options[Priority: 3]: {TCP} xxx.xxx.xxx.198:3724 -> 173.194.35.83:443
Oct 23 19:01:46 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:2180 -> 173.194.35.83:80
Oct 23 19:01:57 router snort[19544]: [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:2180 -> 173.194.35.83:80
Oct 22 09:26:55 router snort[19544]: [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:1222 -> 173.194.35.83:80
Oct 22 09:47:38 router snort[19544]: [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:1246 -> 173.194.35.83:80
Oct 22 12:28:11 router snort[19544]: [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:1753 -> 173.194.35.83:80
Oct 22 12:43:14 router snort[19544]: [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:1863 -> 173.194.35.83:80
Oct 22 13:04:41 router snort[19544]: [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.59:2213 -> 173.194.35.83:80
Oct 22 15:37:26 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.198 -> 173.194.35.83
Oct 22 18:59:30 router snort[19544]: [116:54:1] (snort_decoder): Tcp Options found with bad lengths[Priority: 3]: {TCP} xxx.xxx.xxx.65:64950 -> 173.194.35.83:443
Oct 21 07:21:31 router snort[19544]: [122:1:0] (portscan) TCP Portscan[Priority: 3]: {PROTO:255} 173.194.35.83 -> xxx.xxx.xxx.44
Oct 21 12:27:11 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.175 -> 173.194.35.83
Oct 21 13:04:42 router snort[19544]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY[Priority: 3]: {TCP} xxx.xxx.xxx.59:1031 -> 173.194.35.83:80
Oct 21 14:19:09 router snort[19544]: [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5![Priority: 3]: {TCP} xxx.xxx.xxx.59:0 -> 173.194.35.83:0
Oct 21 14:38:19 router snort[19544]: [116:54:1] (snort_decoder): Tcp Options found with bad lengths[Priority: 3]: {TCP} xxx.xxx.xxx.175:4680 -> 173.194.35.83:443
Oct 21 15:35:59 router snort[19544]: [122:1:0] (portscan) TCP Portscan[Priority: 3]: {PROTO:255} 173.194.35.83 -> xxx.xxx.xxx.44
Oct 21 18:16:38 router snort[19544]: [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5![Priority: 3]: {TCP} xxx.xxx.xxx.175:0 -> 173.194.35.83:0
Oct 21 20:27:03 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.44:52012 -> 173.194.35.83:80
Oct 21 23:14:41 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.44:51013 -> 173.194.35.83:80
Oct 21 23:14:41 router snort[19544]: [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.44:51013 -> 173.194.35.83:80
Oct 20 14:24:01 router snort[19544]: [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5![Priority: 3]: {TCP} xxx.xxx.xxx.198:0 -> 173.194.35.83:0
Oct 20 21:58:34 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.44:57950 -> 173.194.35.83:80
Oct 20 21:58:45 router snort[19544]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY[Priority: 3]: {TCP} xxx.xxx.xxx.44:57950 -> 173.194.35.83:80
Oct 19 08:00:17 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.23 -> 173.194.35.83
Oct 19 10:33:03 router snort[19544]: [122:1:0] (portscan) TCP Portscan[Priority: 3]: {PROTO:255} 173.194.35.83 -> xxx.xxx.xxx.59
Oct 18 13:40:21 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.198 -> 173.194.35.83
Oct 18 14:09:38 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.198:1113 -> 173.194.35.83:80
Oct 18 14:10:17 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.198:1113 -> 173.194.35.83:80
Oct 18 14:10:23 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.198:1125 -> 173.194.35.83:80
Oct 18 14:10:24 router snort[19544]: [116:55:1] (snort_decoder): Truncated Tcp Options[Priority: 3]: {TCP} xxx.xxx.xxx.198:1125 -> 173.194.35.83:80
Oct 18 14:10:25 router snort[19544]: [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.198:1125 -> 173.194.35.83:80
Oct 18 14:11:59 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.198:1139 -> 173.194.35.83:80
Oct 18 14:12:46 router snort[19544]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} xxx.xxx.xxx.198:1139 -> 173.194.35.83:80
Oct 18 14:46:47 router snort[19544]: [116:54:1] (snort_decoder): Tcp Options found with bad lengths[Priority: 3]: {TCP} xxx.xxx.xxx.144:50264 -> 173.194.35.83:443
Oct 18 16:24:11 router snort[19544]: [116:55:1] (snort_decoder): Truncated Tcp Options[Priority: 3]: {TCP} xxx.xxx.xxx.142:33074 -> 173.194.35.83:443
Oct 18 18:13:32 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.101 -> 173.194.35.83
2010/10/24, 22:33:30, 127.0.0.1, 2, snortsam, Blocking host 173.194.35.83 completely for 86400 seconds (Sig_ID: 2000540).
Monday, October 25 2010, 08:36 PM
Responses (3)
  • Accepted Answer

    Monday, October 25 2010, 09:32 PM - #Permalink
    Resolved
    0 votes
    That's an Emerging Threats rule - not one that usually comes with ClearOS. It appears to be generating false positives for fragmented packets intended to match a form of Nmap scan... but the -sA flag isn't a recognised form of scan, so no idea what it's trying to do.

    Either comment it out and restart Snort, or remove "fwsam: src, 1 day;" from the end so that it doesn't autoblock.
    http://nmap.org/book/man.html
  • Accepted Answer

    kfox
    Monday, October 25 2010, 09:41 PM - #Permalink
    Resolved
    0 votes
  • Accepted Answer

    Monday, October 25 2010, 09:50 PM - #Permalink
    Resolved
    0 votes
    I take my last comment back, -sA is a scan using ACK packets :) I obviously didn't look hard enough.
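A triage helper for the syslog alert format posted in the question, added here as an example (it is not code from the thread, ClearOS or SnortSam): it parses each Snort alert line, counts events per generator/SID, and records which were inbound to the local subnet, so the one text rule that carried the fwsam autoblock (gid 1, SID 2000540) stands out from the preprocessor events around it. The sample lines are a constructed subset of the question's log dump, and the local prefix is assumed to be the masked "xxx.xxx.xxx." addresses.

```python
import re
from collections import Counter

# Constructed subset of the alert lines from the question (addresses as posted there).
SAMPLE_ALERTS = """\
Oct 24 10:56:46 router snort[19544]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} xxx.xxx.xxx.59 -> 173.194.35.83
Oct 24 22:33:30 router snort[19544]: [1:2000540:7] ET SCAN NMAP -sA (2) [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 173.194.35.83:443 -> xxx.xxx.xxx.44:54248
Oct 24 22:33:30 router snort[19544]: [1:2000540:7] ET SCAN NMAP -sA (2) [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 173.194.35.83:443 -> xxx.xxx.xxx.44:54248
Oct 25 03:19:54 router snort[19544]: [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5![Priority: 3]: {TCP} xxx.xxx.xxx.198:0 -> 173.194.35.83:0
Oct 22 18:59:30 router snort[19544]: [116:54:1] (snort_decoder): Tcp Options found with bad lengths[Priority: 3]: {TCP} xxx.xxx.xxx.65:64950 -> 173.194.35.83:443
"""

# Snort syslog alert: "[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src[:port] -> dst[:port]"
# Preprocessor events (gid 116/119/122) have no Classification and no space before "[Priority".
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?\s*\[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        rec[k] = int(rec[k])
    return rec


def summarise(text, home_prefix="xxx.xxx.xxx."):
    """Count alerts per (gid, sid, msg); also count those whose destination is in HOME_NET."""
    counts, inbound = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        key = (rec["gid"], rec["sid"], rec["msg"])
        counts[key] += 1
        if rec["dst"].startswith(home_prefix):
            inbound[key] += 1
    return counts, inbound


def rule_alerts(counts):
    """SIDs from text rules (gid 1): only these carry rule options such as fwsam."""
    return sorted(sid for (gid, sid, _msg) in counts if gid == 1)
```

Running summarise(SAMPLE_ALERTS) on the full log shows that every gid-1 event is the inbound 2000540 alert from 173.194.35.83:443, while the rest are decoder, http_inspect and portscan preprocessor events that cannot trigger an fwsam block.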