[Snort-devel] rule port problem

Hammerle, Tye F. Tye.F.Hammerle at ...161...
Tue Dec 12 13:34:41 EST 2000


I'm seeing a lot of false hits on the latest Napster rules. Snort is hitting
on the content only and disregarding the ports in the rule. The first rule
hits on the content and none of the others do. I've commented out the first
rule, and then the second rule in order hits. Note that the hit is on content
only; the port doesn't appear to make any difference.

Tye


alert TCP any any <> any 6699 (msg:"Napster Client Data"; flags: PA; content: ".mp3"; nocase; )
alert TCP any any <> any 8888 (msg:"Napster 8888 Data"; flags: PA; content: ".mp3"; nocase; )
alert TCP any any <> any 7777 (msg:"Napster 7777 Data"; flags: PA; content: ".mp3"; nocase; )
alert TCP any any <> any 6666 (msg:"Napster 6666 Data"; flags: PA; content: ".mp3"; nocase; )
alert TCP any any <> any 5555 (msg:"Napster 5555 Data"; flags: PA; content: ".mp3"; nocase; )
alert TCP any any <> any 4444 (msg:"Napster 4444 Data"; flags: PA; content: ".mp3"; nocase; )


[**] Napster Client Data [**]
12/11-12:33:24.653496 0:90:27:A7:32:ED -> 0:10:7B:CF:55:1 type:0x800 len:0x141
12.20.116.26:64166 -> 208.48.67.34:80 TCP TTL:255 TOS:0x0 ID:57085 IpLen:20 DgmLen:307 DF
***AP*** Seq: 0x10B43862  Ack: 0x9DCA81F9  Win: 0x25BC  TcpLen: 20

[**] Napster Client Data [**]
12/11-12:33:24.779666 0:10:7B:CF:55:1 -> 0:90:27:A7:32:ED type:0x800 len:0x59A
208.48.67.34:80 -> 12.20.116.26:64166 TCP TTL:51 TOS:0x0 ID:2521 IpLen:20 DgmLen:1420 DF
***AP*** Seq: 0x9DCA81F9  Ack: 0x10B4396D  Win: 0x7BFC  TcpLen: 20

[**] Napster 8888 Data [**]
12/12-11:04:33.579610 0:10:7B:CF:55:1 -> 0:90:27:A7:32:ED type:0x800 len:0x59A
63.241.16.50:80 -> 12.20.116.26:63585 TCP TTL:52 TOS:0x0 ID:64464 IpLen:20 DgmLen:1420 DF
***AP*** Seq: 0x8C9286FB  Ack: 0x2D94655  Win: 0x7BFC  TcpLen: 20

[**] Napster 8888 Data [**]
12/12-11:04:33.580783 0:10:7B:CF:55:1 -> 0:90:27:A7:32:ED type:0x800 len:0x59A
63.241.16.50:80 -> 12.20.116.26:63585 TCP TTL:52 TOS:0x0 ID:64463 IpLen:20 DgmLen:1420 DF
***AP*** Seq: 0x8C928197  Ack: 0x2D94655  Win: 0x7BFC  TcpLen: 20

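The behaviour the post expects from the rule headers, written out as a small reference evaluator (an added example, not code from the post or from Snort): a bidirectional `<>` header is satisfied if the packet's 5-tuple matches the rule either forwards or reversed, so a port-80 to port-64166 exchange should match none of the rules above no matter what the payload contains. The parser, the `Packet` class and the sample packets are hypothetical and constructed here; the payloads are made up (the post does not show them) and only need to contain ".mp3" so that the content option would have matched. `flags: PA` is treated as requiring exactly PSH and ACK, which is how Snort documents a flags list without a `+` or `*` modifier.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """The fields a rule header and the options used in the post inspect."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters, e.g. "PA" (the alert's ***AP***)
    payload: bytes


# Hypothetical parser for the subset of Snort rule syntax used in the post:
# "action proto src sport (->|<>) dst dport (options)".  Not Snort's parser.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop('opts').split(';'):
        opt = opt.strip()
        if not opt:
            continue
        if ':' in opt:                      # keyword:value, e.g. content: ".mp3"
            k, v = opt.split(':', 1)
            opts[k.strip()] = v.strip().strip('"')
        else:                               # bare modifier, e.g. nocase
            opts[opt] = True
    rule['opts'] = opts
    return rule


def _port_ok(spec, port):
    return spec == 'any' or int(spec) == port


def _addr_ok(spec, addr):
    return spec == 'any' or spec == addr    # CIDR not needed for these rules


def header_matches(rule, pkt):
    """Apply the header: proto, addresses and ports, honouring <> as either direction."""
    if rule['proto'].lower() != pkt.proto.lower():
        return False
    forward = (_addr_ok(rule['src'], pkt.src) and _port_ok(rule['sport'], pkt.sport)
               and _addr_ok(rule['dst'], pkt.dst) and _port_ok(rule['dport'], pkt.dport))
    if rule['dir'] == '->':
        return forward
    reverse = (_addr_ok(rule['src'], pkt.dst) and _port_ok(rule['sport'], pkt.dport)
               and _addr_ok(rule['dst'], pkt.src) and _port_ok(rule['dport'], pkt.sport))
    return forward or reverse


def options_match(rule, pkt):
    """Apply flags (exact set) and content (with optional nocase)."""
    opts = rule['opts']
    if 'flags' in opts and set(opts['flags']) != set(pkt.flags):
        return False
    if 'content' in opts:
        needle, hay = opts['content'].encode(), pkt.payload
        if opts.get('nocase'):
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def evaluate(rules, pkt):
    """Return the msg of every rule that should fire on pkt (header AND options)."""
    return [r['opts']['msg'] for r in rules if header_matches(r, pkt) and options_match(r, pkt)]


# The six rules from the post, one per line.
RULES = [parse_rule(line) for line in """
alert TCP any any <> any 6699 (msg:"Napster Client Data"; flags: PA; content: ".mp3"; nocase; )
alert TCP any any <> any 8888 (msg:"Napster 8888 Data"; flags: PA; content: ".mp3"; nocase; )
alert TCP any any <> any 7777 (msg:"Napster 7777 Data"; flags: PA; content: ".mp3"; nocase; )
alert TCP any any <> any 6666 (msg:"Napster 6666 Data"; flags: PA; content: ".mp3"; nocase; )
alert TCP any any <> any 5555 (msg:"Napster 5555 Data"; flags: PA; content: ".mp3"; nocase; )
alert TCP any any <> any 4444 (msg:"Napster 4444 Data"; flags: PA; content: ".mp3"; nocase; )
""".strip().splitlines()]

# Constructed packets.  WEB_PKT mirrors the first alert's 5-tuple and flags;
# its payload is invented and contains ".MP3" so only the ports can reject it.
WEB_PKT = Packet("TCP", "12.20.116.26", 64166, "208.48.67.34", 80, "AP",
                 b"GET /music/track.MP3 HTTP/1.0\r\n\r\n")
NAPSTER_PKT = Packet("TCP", "12.20.116.26", 64166, "10.0.0.7", 6699, "PA",
                     b"some-song.mp3")

if __name__ == "__main__":
    print("web traffic fires:", evaluate(RULES, WEB_PKT))          # []
    print("port 6699 fires:", evaluate(RULES, NAPSTER_PKT))        # ['Napster Client Data']
```

Running it shows the expected split: the port-80 exchange from the post fires nothing, a PSH/ACK segment to port 6699 carrying ".mp3" fires only the first rule, and a reversed exchange (source port 7777) still fires the 7777 rule because `<>` is honoured in both directions.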