[Snort-devel] Getting lots of hits on sid:1841

Chris Green cmg at ...402...
Wed Sep 4 12:13:08 EDT 2002


Steve Halligan <giermo at ...269...> writes:

> Exact same problem here.
> Lots of falses (I presume) on this rule, no payload logged.



Hrm, seems to work at least on a simplistic test case.

09/04-15:06:59.615105 0:3:93:82:C9:B2 -> 0:6:5B:DA:D5:74 type:0x800 len:0x148
10.1.1.52:80 -> 10.1.1.72:34939 TCP TTL:64 TOS:0x0 ID:20002 IpLen:20 DgmLen:314 DF
***AP*** Seq: 0x8D3E03B4  Ack: 0xC875C8B3  Win: 0x8218  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5192 75300387 
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 57 65 64 2C 20 30 34 20 53  .Date: Wed, 04 S
65 70 20 32 30 30 32 20 31 39 3A 30 37 3A 31 39  ep 2002 19:07:19
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 2F 31 2E 33 2E 32 36 20 28 44 61 72  ache/1.3.26 (Dar
77 69 6E 29 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66  win)..Last-Modif
69 65 64 3A 20 57 65 64 2C 20 30 34 20 53 65 70  ied: Wed, 04 Sep
20 32 30 30 32 20 31 39 3A 30 34 3A 33 32 20 47   2002 19:04:32 G
4D 54 0D 0A 45 54 61 67 3A 20 22 33 35 31 35 30  MT..ETag: "35150
66 2D 65 2D 33 64 37 36 35 39 34 30 22 0D 0A 41  f-e-3d765940"..A
63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20 62 79  ccept-Ranges: by
74 65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  tes..Content-Len
67 74 68 3A 20 31 34 0D 0A 43 6F 6E 6E 65 63 74  gth: 14..Connect
69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74  ion: close..Cont
65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 70  ent-Type: text/p
6C 61 69 6E 0D 0A 0D 0A 6A 61 76 61 73 63 72 69  lain....javascri
70 74 3A 2F 2F 0A                                pt://.

Can you try using -A fast -b and see if the problem persists?  It's
highly possible that the SQL output has a problem with the name being
javascript:...


>
> Snort 1.9b6 (actually post b6 from cvs)
> Barnyard (latest from www.snort.org/dl)
> mysql
> obsd
> etc
> etc
>
> snort -de -c/etc/snort/snort.conf
> to
> unified log
> to
> barnyard
> to
> mysql
>
> -steve
>
>>
>>Russell Fulton <r.fulton at ...1343...> writes:
>>
>>> Hi,
>>> 	I am running 1.9beta6 with current rule sets and I am seeing lots
>>> (up to dozens per hour from several different servers) of hits on this
>>> rule:
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPERIMENTAL
>>> WEB-CLIENT javascript URL host spoofing attempt";
>>> flow:to_client,established; content:"javascript\://"; nocase;
>>> classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)
>>>
>>> I strongly suspect that these are false +ves but I can not verify this
>>> since snort never logs the packet. I have had this problem with other
>>> versions of snort where some rules never log packets but I never got an
>>> explanation.
>>
>>What's your command line / log output system?
>>
>>[ follow up to snort-devel ]
>>-- 
>>Chris Green <cmg at ...402...>
>>Warning: time of day goes back, taking countermeasures.
>>
>>
>>

-- 
Chris Green <cmg at ...402...>
Let not the sands of time get in your lunch.
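As an added example (not code from the thread or from the Snort project), the following Python script rebuilds the payload bytes from the `snort -d` hex dump shown above and applies sid:1841's content check to it, so the "no payload logged" question can be separated from "did the rule actually match". The dump excerpt is a constructed subset of the lines quoted in the message (status line plus the tail of the body that carries the match); the function names are my own.

```python
# Constructed excerpt of the `snort -d` dump from the thread: the HTTP status
# line and the last two lines of the response body where the string lands.
DUMP_EXCERPT = """\
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
6C 61 69 6E 0D 0A 0D 0A 6A 61 76 61 73 63 72 69  lain....javascri
70 74 3A 2F 2F 0A                                pt://.
"""

# snort prints 16 bytes per line as "XX " columns; the ASCII gloss starts after them.
HEX_FIELD_WIDTH = 16 * 3

# The literal that sid:1841 searches for (content:"javascript\://"; nocase;).
SID_1841_CONTENT = b"javascript://"


def parse_snort_dump(dump: str) -> bytes:
    """Rebuild raw payload bytes from snort's hex/ASCII packet dump."""
    payload = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        hex_part = line[:HEX_FIELD_WIDTH]  # drop the ASCII column on the right
        payload.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(payload)


def sid_1841_matches(payload: bytes) -> bool:
    """Apply the rule's nocase content check to a to_client payload."""
    return SID_1841_CONTENT in payload.lower()


def match_offset(payload: bytes) -> int:
    """Byte offset of the first match, or -1 if none. Handy for telling a hit
    in the HTTP headers apart from one in the response body."""
    return payload.lower().find(SID_1841_CONTENT)


def ascii_gloss(payload: bytes) -> str:
    """Render bytes the way snort's right-hand column does: printable ASCII
    as-is, everything else (CR, LF, ...) as '.', to eyeball a logged match."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in payload)


if __name__ == "__main__":
    data = parse_snort_dump(DUMP_EXCERPT)
    print(len(data), "bytes;", "match at", match_offset(data))
    print(ascii_gloss(data))
```

Because the check is `nocase`, any capitalisation of the string in a server response (a plain-text file containing it, as in the test case above) will fire the rule, which is consistent with the benign hits the thread describes.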
