I went live yesterday replacing our COS 5.2 firewall/mail server with COS 6.3/Zarafa. We have three remote locations connected to our main location using Dynamic VPN. Our primary accounting application is a legacy product using terminal emulation over telnet. In /var/log/secure I am getting the following:
Jan 31 11:31:57 jbefw snort[18249]: [1:3100001:1] Telnet attempted [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.2.103:800 -> 192.168.0.9:23
This is new with 6.3. It appears to be a (for us) normal connection from one of our remote locations through the VPN. I'm not sure why it is on port 800 (ipsec is 500) but it is a valid connection to our AIX application server.
How do I get snort to ignore this, as it makes finding anything useful in /var/log/secure difficult. Is 18249 a rule in snort that can be disabled or modified to ignore telnet over our VPN?
Thanks,
John
Responses (6)
Accepted Answer
Hi John,
Yup, that rule is in the telnet ruleset and it's there to trip up port scanners looking for telnet. You can go to Network - Intrusion Protection - Intrusion Protection Updates and disable the ruleset. That's not an ideal solution since you are disabling the other 5 telnet rules in that ruleset. Ideally, you would be able to specify the ID in an exception list in the web-based interface and then every time the new rulesets roll out (weekly), the exemption would be re-applied. That's an open feature request.
@ Nick - the /etc/snort.d/rules contains two subdirectories:
- gpl: the last Snort GPL rule set from many years ago. We're not allowed to redistribute anything else for free (even the free 30-days later VRT rules).
- clearcenter: that's the Intrusion Protection Updates Paid App which is mostly Emerging Threats lists, but massaged to 1) add fwsam/IPS tags 2) remove noisy and problematic rules 3) integrate changes based on live nodes out there in the wild 4) remove broken rules due to version mismatches. We have mixed in other rulesets in the past and will likely do so again in the future.
Other subdirectories for other sources can be added too.
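As an added illustration (not code from the thread or from ClearOS), the following script parses a snort syslog line of the kind quoted in the question, pulls out the rule identifier (the gid:sid:rev triple in square brackets; the number in snort[...] is only the syslog process id) and, when the source address falls inside a trusted VPN subnet, emits a Snort 2.x `suppress` directive for that one signature instead of disabling the whole telnet ruleset. The sample line and the 192.168.2.0/24 subnet are constructed assumptions based on the addresses in the question; where ClearOS expects such a directive to live (snort.conf or an included threshold.conf) is not stated on this page.

```python
import ipaddress
import re

# Constructed sample in the format quoted in the question (not a real log excerpt).
SAMPLE = ("Jan 31 11:31:57 jbefw snort[18249]: [1:3100001:1] Telnet attempted "
          "[Classification: Detection of a Network Scan] [Priority: 3] {TCP} "
          "192.168.2.103:800 -> 192.168.0.9:23")

# Assumed: remote sites reach the main office from this VPN subnet.
TRUSTED_VPN_NETS = [ipaddress.ip_network("192.168.2.0/24")]

# Fields of a snort alert as written to syslog: process id, gid:sid:rev,
# message, classification, priority, protocol, source and destination sockets.
ALERT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("pid", "gid", "sid", "rev", "pri", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def suppress_directive(alert, trusted_nets):
    """Build a Snort 'suppress' line for this signature, limited to sources inside a
    trusted subnet; return None so the alert keeps firing for any other source."""
    src = ipaddress.ip_address(alert["src"])
    for net in trusted_nets:
        if src in net:
            return (f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}, "
                    f"track by_src, ip {net}")
    return None


if __name__ == "__main__":
    alert = parse_alert(SAMPLE)
    print(f"rule {alert['gid']}:{alert['sid']}:{alert['rev']} from {alert['src']} "
          f"to {alert['dst']}:{alert['dport']}")
    print(suppress_directive(alert, TRUSTED_VPN_NETS))
```

Scoping the suppression to `track by_src` with the VPN subnet keeps the same rule active for telnet probes arriving from anywhere else.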
Thanks Nick. I found that. I can't find a rule for Telnet in any of the rules.
grep Telnet *.rules
It appears that this message in /var/log/secure comes from snort. Are there any other rule sets other than in /etc/snort.d/rules/gpl?
Edit:
I found the rule in /etc/snort.d/rules/clearcenter/telnet.rules