
Resolved
I went live yesterday replacing our COS 5.2 firewall/mail server with COS 6.3/Zarafa. We have three remote locations connected to our main location using Dynamic VPN. Our primary accounting application is a legacy product using terminal emulation over telnet. In /var/log/secure I am getting the following:

Jan 31 11:31:57 jbefw snort[18249]: [1:3100001:1] Telnet attempted [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.2.103:800 -> 192.168.0.9:23

This is new with 6.3. It appears to be a (for us) normal connection from one of our remote locations through the VPN. I'm not sure why it is on port 800 (ipsec is 500) but it is a valid connection to our AIX application server.

How do I get snort to ignore this, as it makes finding anything useful in /var/log/secure difficult? Is 18249 a rule in snort that can be disabled or modified to ignore telnet over our VPN?

Thanks,

John
Thursday, January 31 2013, 08:10 PM
Responses (6)
  • Accepted Answer

    Friday, February 01 2013, 05:28 PM
    Hi John,

    Yup, that rule is in the telnet ruleset and it's there to trip up port scanners looking for telnet. You can go to Network - Intrusion Protection - Intrusion Protection Updates and disable the ruleset. That's not an ideal solution since you are disabling the other 5 telnet rules in that ruleset. Ideally, you would be able to specify the ID in an exception list in the web-based interface and then every time the new rulesets roll out (weekly), the exemption would be re-applied. That's an open feature request.

    @Nick - /etc/snort.d/rules contains two subdirectories:

    - gpl: the last Snort GPL rule set from many years ago. We're not allowed to redistribute anything else for free (even the free 30-days-later VRT rules).

    - clearcenter: that's the Intrusion Protection Updates Paid App, which is mostly Emerging Threats lists, but massaged to 1) add fwsam/IPS tags, 2) remove noisy and problematic rules, 3) integrate changes based on live nodes out there in the wild, 4) remove broken rules due to version mismatches. We have mixed in other rulesets in the past and will likely do so again in the future.

    Other subdirectories for other sources can be added too.
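Since the per-SID exception list is left above as an open feature request, here is an added example written for this page (a POSIX shell snippet, not code from the thread, ClearOS or ClearCenter) showing the three pieces a practitioner would script: counting alerts per gid:sid from /var/log/secure lines so the right identifier gets suppressed (SID 3100001, not PID 18249), a Snort 2.x `suppress` directive scoped to the VPN subnet so that one rule is silenced for that source while the other telnet rules keep firing and the rule file stays untouched, and, for comparison, commenting the rule out of the rules file, which the weekly update will undo. The threshold-file path, the 192.168.2.0/24 and 192.168.3.0/24 subnets and the log lines are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS/ClearCenter.
# Assumes Snort 2.x threshold/suppress syntax. Paths are placeholders: the real
# suppress file is whatever /etc/snort.conf includes
# (grep -n 'threshold' /etc/snort.conf), conventionally threshold.conf.

# Count alerts per gid:sid in snort syslog lines of the form pasted in the
# question ("snort[pid]: [gid:sid:rev] msg ..."). Reads stdin and prints
# "<count> <gid:sid>", noisiest first, so you key on the SID, not the PID.
sid_counts() {
    sed -n 's/.*snort\[[0-9]*\]: \[\([0-9]*:[0-9]*\):[0-9]*\].*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Emit a suppress directive that silences one SID only when the source is in
# the given CIDR (the VPN subnet). gen_id 1 is the text-rule generator.
suppress_line() {
    # $1 = sid, $2 = source CIDR
    printf 'suppress gen_id 1, sig_id %s, track by_src, ip %s\n' "$1" "$2"
}

# Append the suppress line to the threshold file only if it is not already
# there. Idempotent, so it is safe to re-run from cron after each weekly
# ruleset update; the threshold file is not part of the ruleset.
add_suppress() {
    # $1 = sid, $2 = CIDR, $3 = threshold file (placeholder path, see above)
    line=$(suppress_line "$1" "$2")
    grep -qxF -- "$line" "$3" 2>/dev/null || printf '%s\n' "$line" >> "$3"
}

# Comment out a single rule by SID in a rules file (the "disable one rule"
# approach). Caveat: the rules file is rewritten by the weekly update, so this
# has to be re-applied every time, unlike the suppress entry above.
disable_sid() {
    # $1 = sid, $2 = rules file
    sed "s/^\\(alert .*sid:$1;.*\\)\$/# \\1/" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Constructed sample log lines (not real logs), modelled on the line in the
# question; 1:1000002 is a made-up local-range SID standing in for any other rule.
SAMPLE_LOG='Jan 31 11:31:57 jbefw snort[18249]: [1:3100001:1] Telnet attempted [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.2.103:800 -> 192.168.0.9:23
Jan 31 11:32:10 jbefw snort[18249]: [1:3100001:1] Telnet attempted [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.3.20:1034 -> 192.168.0.9:23
Jan 31 11:33:02 jbefw snort[18249]: [1:1000002:1] Sample local alert [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:51234 -> 192.168.0.9:3306'

# Demo on the constructed lines: which SIDs are noisy, and the suppress line
# for one VPN subnet. On the box itself you would run
#   grep 'snort\[' /var/log/secure | sid_counts
#   add_suppress 3100001 192.168.2.0/24 /etc/snort.d/threshold.conf   # placeholder path
# and then restart snort.
printf '%s\n' "$SAMPLE_LOG" | sid_counts
suppress_line 3100001 192.168.2.0/24
```

One `add_suppress` call per remote site subnet (or a single comma-separated `ip` list such as `192.168.2.0/24,192.168.3.0/24`) keeps the scan-detection rule live for every other source, which is the behaviour the ruleset is there for; the threshold file only takes effect if /etc/snort.conf includes it and snort is restarted afterwards.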
  • Friday, February 01 2013, 12:07 PM
    There must be a different directory structure between 6.3 Pro and 6.3 Community. Interesting to know.
  • Thursday, January 31 2013, 11:33 PM
    I am running the 6.3 Pro that has all of the various rules and have subscribed to updates. The particular rule I found is apparently one added by ClearCenter. It is in telnet.rules in the above specified directory.
  • Thursday, January 31 2013, 10:14 PM
    How odd. That location does not exist for me. You can have a look in /etc/snort.conf. It points to all the rule sets.

    BTW, the string to grep would have been 3100001 or sid:3100001.
  • Thursday, January 31 2013, 09:11 PM
    Thanks Nick. I found that. I can't find a rule for Telnet in any of the rules.

    grep Telnet *.rules

    It appears that this message in /var/log/secure comes from snort. Are there any other rule sets other than those in /etc/snort.d/rules/gpl?

    Edit:

    I found the rule in /etc/snort.d/rules/clearcenter/telnet.rules
  • Thursday, January 31 2013, 08:50 PM
    To disable a rule, have a look at this post.