[Snort-devel] Signature error?

Ron Shuck rshuck at ...1949...
Mon Dec 29 07:45:15 EST 2003


Hi,
 
I am getting some really weird alerts since upgrading to 2.0.6. I get
alerts for MS-SQL Worm on packets that are ICMP destination unreachable
packets. I double checked the event, iphdr and signature tables in the
database. It is definitely an ICMP packet and the signature was the
MS-SQL Worm signature.

Any ideas?


TCPDUMP------- 
23:21:36.474892 172.29.0.14 > 68.98.203.7: icmp: host 149.174.130.216 unreachable - admin prohibited filter [tos 0x80]  (ttl 242, id 0, len 56)
0x0000   4580 0038 0000 0000 f201 0cb0 ac1d 000e        E..8............
0x0010   4462 cb07 030d 2091 0000 0000 4500 0030        Db..........E..0
0x0020   142d 4000 6d06 d1aa 4462 cb07 95ae 82d8        .-@.m...Db......
0x0030   f5a8 0019 3a16 ac89                            ....:...

ACID---------
Meta  ID #   Time                 Triggered Signature
30 -  57516  2003-12-28 23:21:36  [url][bugtraq][bugtraq][snort] MS-SQL Worm propagation attempt
 
Sensor name     interface filter 
gro-cox at ...2300... eth1      none  
 
Alert
Group   none  
 
IP  source addr   dest addr    Ver  Hdr Len  TOS  length  ID  flags  offset  TTL  chksum
    172.29.0.14   68.98.203.7  4    5        128  56      0   0      0       242  3248
 
FQDN Source Name            Dest. Name 
 Unable to resolve address  gro-astrocom-cox 
 
Options     none  
 
ICMP  type                         code                  checksum  id  seq #
      (3) Destination Unreachable  (13) Packet Filtered  8337
 
Payload   length = 32

000 : 00 00 00 00 45 00 00 30 14 2D 40 00 6D 06 D1 AA   ....E..0.-@.m...
010 : 44 62 CB 07 95 AE 82 D8 F5 A8 00 19 3A 16 AC 89   Db..........:...

Protocol  Org.Source IP  Org.Source Name   Org.Source Port  Org.Destination IP  Org.Destination Name    Org.Destination Port
TCP       68.98.203.7    gro-astrocom-cox  62888            149.174.130.216     aolr-v5.websys.aol.com  25
 

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
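As an added example (not part of Ron's message, and not Snort's own code), the following decoder reads the tcpdump hex above back into its fields, so the alerted packet can be checked from the raw bytes rather than from the database: the outer packet is ICMP type 3 code 13, and the original datagram it quotes is TCP from port 62888 to port 25. PKT_HEX and embedded_is_mssql_worm_traffic are this example's own names; the last check assumes the Snort "MS-SQL Worm propagation attempt" rule's context of UDP traffic to port 1434.

```python
import socket
import struct

# Constructed from the tcpdump hex in the post above (56 bytes, kept in the
# grouping tcpdump printed); this is the only input the decoder needs.
PKT_HEX = (
    "4580 0038 0000 0000 f201 0cb0 ac1d 000e "
    "4462 cb07 030d 2091 0000 0000 4500 0030 "
    "142d 4000 6d06 d1aa 4462 cb07 95ae 82d8 "
    "f5a8 0019 3a16 ac89"
)

def ip_header(buf, off=0):
    """Parse an IPv4 header at buf[off]; return (fields, header length in bytes)."""
    ver_ihl, tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    ihl = (ver_ihl & 0x0F) * 4
    fields = {"version": ver_ihl >> 4, "tos": tos, "len": total_len, "id": ident,
              "ttl": ttl, "proto": proto,
              "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    return fields, ihl

def decode_icmp_unreachable(hexdump):
    """Decode an IPv4/ICMP type-3 packet and the original datagram it quotes."""
    pkt = bytes.fromhex(hexdump.replace(" ", ""))
    outer, ihl = ip_header(pkt)
    if outer["proto"] != 1:
        raise ValueError("outer packet is not ICMP (proto %d)" % outer["proto"])
    icmp_type, icmp_code, icmp_csum = struct.unpack_from("!BBH", pkt, ihl)
    if icmp_type != 3:
        raise ValueError("not an ICMP destination unreachable (type %d)" % icmp_type)
    # RFC 792: 4 unused bytes, then the original IP header plus the first 8 bytes
    # of its payload, which for TCP/UDP starts with source and destination port.
    inner_off = ihl + 8
    inner, inner_ihl = ip_header(pkt, inner_off)
    sport, dport = struct.unpack_from("!HH", pkt, inner_off + inner_ihl)
    return {"outer": outer, "icmp_type": icmp_type, "icmp_code": icmp_code,
            "icmp_csum": icmp_csum, "inner": inner,
            "inner_sport": sport, "inner_dport": dport}

def embedded_is_mssql_worm_traffic(decoded):
    """True only if the quoted original datagram is UDP to port 1434, the
    traffic the 'MS-SQL Worm propagation attempt' rule is written for."""
    return decoded["inner"]["proto"] == 17 and decoded["inner_dport"] == 1434

if __name__ == "__main__":
    d = decode_icmp_unreachable(PKT_HEX)
    print(d["icmp_type"], d["icmp_code"], d["inner"], d["inner_sport"], d["inner_dport"])
    print("embedded packet is UDP/1434:", embedded_is_mssql_worm_traffic(d))
```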



