Package: snort-common
Version: 2.7.0-20.4
Severity: important
File: /usr/sbin/snort-stat


When parsing /var/log/snort/alert, alerts with only a priority and no
classification in the second line are ignored. Most preprocessor
alerts seem to have the classification missing, so very many
alerts are not counted in the statistics. Attached is a log for
input to snort-stat (snort-stat -a < file). It contains
7 alerts, of which one has no IP addresses; the other 6 should be
counted, but only 4 are counted. In real life, the vast majority
of alerts may be ignored for this reason.
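The parsing behaviour the report asks for, as an added Python example (not the snort-stat script itself, which is a Perl program): each Snort 2.x full-format alert block is split into a record in which the classification, priority and address lines are all optional, so a preprocessor alert whose second line is only "[Priority: N]" is still counted. The sample log is a constructed subset of the attached one; the field names in the record are this example's own.

```python
import re

# Constructed subset of the attached log (Snort 2.x "full" format): one classified
# alert, one with no addresses, two preprocessor alerts with only a priority line.
SAMPLE_LOG = """\
[**] [1:1321:8] BAD-TRAFFIC 0 ttl [**]
[Classification: Misc activity] [Priority: 3]
07/23-07:30:20.704726 0.0.0.0 -> 255.255.255.255

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
07/23-07:31:17.759889

[**] [122:19:0] (portscan) UDP Portsweep [**]
[Priority: 3]
07/23-08:22:31.477811 172.16.1.197 -> 195.194.121.66

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[Priority: 3]
07/23-08:53:14.531800 172.16.1.149:2198 -> 148.79.163.146:80
"""
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: ([^\]]*)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
# timestamp, then "src[:port] -> dst[:port]"; this line is absent on address-less alerts
PACKET_RE = re.compile(r"^\S+ (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$")

def parse_alerts(text):
    """Split a log into per-alert records. Everything after the header line
    is optional, so a '[Priority: N]'-only second line is not dropped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue
        rec = {"gid": int(head.group(1)), "sid": int(head.group(2)), "msg": head.group(4),
               "classification": None, "priority": None, "src": None, "dst": None}
        for line in lines[1:]:
            if (c := CLASS_RE.search(line)):
                rec["classification"] = c.group(1)
            if (p := PRIO_RE.search(line)):
                rec["priority"] = int(p.group(1))
            if (pk := PACKET_RE.match(line)):
                rec["src"], rec["dst"] = pk.group(1), pk.group(2)
        alerts.append(rec)
    return alerts

def count_with_addresses(alerts):
    """Alerts with both endpoints, whether or not a classification was present."""
    return sum(1 for a in alerts if a["src"] and a["dst"])
```

On the constructed sample this counts 3 of 4 alerts, skipping only the decoder alert that has no addresses; run over the full attached log the same logic yields the 6 the report expects.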

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages snort-common depends on:
ii  adduser                  3.110           add and remove users and groups
ii  debconf [debconf-2.0]    1.5.24          Debian configuration management sy
ii  lsb-base                 3.2-20          Linux Standard Base 3.2 init scrip
ii  perl-modules             5.10.0-19lenny2 Core Perl modules
ii  rsyslog [system-log-daem 3.18.6-4        enhanced multi-threaded syslogd

snort-common recommends no packages.

Versions of packages snort-common suggests:
pn  snort-doc                     <none>     (no description available)

-- debconf information:
  snort/deprecated_config:
[**] [1:1321:8] BAD-TRAFFIC 0 ttl [**]
[Classification: Misc activity] [Priority: 3] 
07/23-07:30:20.704726 0.0.0.0 -> 255.255.255.255
PROTO:099 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:68
[Xref => http://www.isi.edu/in-notes/rfc1122.txt][Xref => http://support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268]

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
07/23-07:31:17.759889 

[**] [122:19:0] (portscan) UDP Portsweep [**]
[Priority: 3] 
07/23-08:22:31.477811 172.16.1.197 -> 195.194.121.66
PROTO:255 TTL:0 TOS:0x0 ID:6400 IpLen:20 DgmLen:163

[**] [1:1419:9] SNMP trap udp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
07/23-08:32:13.675697 172.16.0.48:162 -> 195.194.122.46:162
UDP TTL:255 TOS:0x0 ID:653 IpLen:20 DgmLen:119
Len: 91
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:466:4] ICMP L3retriever Ping [**]
[Classification: Attempted Information Leak] [Priority: 2] 
07/23-08:52:40.397719 172.16.1.149 -> 148.79.164.13
ICMP TTL:32 TOS:0x0 ID:1865 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:256  ECHO
[Xref => http://www.whitehats.com/info/IDS311]

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[Priority: 3] 
07/23-08:53:14.531800 172.16.1.149:2198 -> 148.79.163.146:80
TCP TTL:128 TOS:0x0 ID:7114 IpLen:20 DgmLen:334 DF
***AP*** Seq: 0xF70F5266  Ack: 0xCDA63215  Win: 0x4470  TcpLen: 20

[**] [1:1042:9] WEB-IIS view source via translate header [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
07/23-08:53:21.473129 172.16.1.149:2277 -> 148.79.164.13:80
TCP TTL:128 TOS:0x0 ID:7519 IpLen:20 DgmLen:184 DF
***AP*** Seq: 0x649778CD  Ack: 0xD5063470  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0778][Xref => http://www.securityfocus.com/bid/1578][Xref => http://www.whitehats.com/info/IDS305]
