[Snort-sigs] Re: [Snort-devel] Signature error?

Jon Hart warchild at ...1775...
Mon Dec 29 10:07:05 EST 2003


On Mon, Dec 29, 2003 at 09:44:45AM -0600, Ron Shuck wrote:
> Hi,
>  
> I am getting some really weird alerts since upgrading to 2.0.6. I get
> alerts for MS-SQL Worm on packets that are ICMP destination unreachable
> packets. I double checked the event, iphdr and signature tables in the
> database. It is definitely an ICMP packet and the signature was the
> MS-SQL Worm signature.
> 
> Any ideas?

I'm getting similar odd alerts, but only since I upgraded my sensor to
2.1.0.

Although this signature is still capturing legitimate MS-SQL worm
attempts, it is also capturing lots of other packets that are clearly
not MS-SQL worm related:

[**] MS-SQL Worm propagation attempt [**]
12/29/03-08:22:34.020878 199.203.54.32:58976 -> 4.64.202.3:8080
TCP TTL:47 TOS:0x0 ID:62235 IpLen:20 DgmLen:60 DF
******S* Seq: 0xDDE6A93F  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1452 SackOK TS: 997155419 0 NOP WS: 0
0x0000: 00 00 00 02 45 00 00 3C F3 1B 40 00 2F 06 8C 71 ....E..<..@./..q
0x0010: C7 CB 36 20 04 40 CA 03 E6 60 1F 90 DD E6 A9 3F ..6 .@...`.....?
0x0020: 00 00 00 00 A0 02 16 D0 3A 2E 00 00 02 04 05 AC ........:.......
0x0030: 04 02 08 0A 3B 6F 62 5B 00 00 00 00 01 03 03 00 ....;ob[........

[**] MS-SQL Worm propagation attempt [**]
12/28/03-07:35:47.946358 64.231.248.92 -> 4.64.201.44
ICMP TTL:112 TOS:0x0 ID:33747 IpLen:20 DgmLen:28
Type:8  Code:0  ID:768   Seq:6889  ECHO
0x0000: 00 00 00 02 45 00 00 1C 83 D3 00 00 70 01 C0 5D ....E.......p..]
0x0010: 40 E7 F8 5C 04 40 C9 2C 08 00 DA 16 03 00 1A E9 @..\.@.,........

And here are two odd alerts.  The first claims to be a MS-SQL worm
packet and clearly is not.  The second is very similar to the first, but
gets properly detected as a Squid proxy scan:

[**] MS-SQL Worm propagation attempt [**]
12/26/03-05:48:54.831914 80.71.71.24:0 -> 4.64.201.44:3128
TCP TTL:117 TOS:0x0 ID:3472 IpLen:20 DgmLen:40 DF
******S* Seq: 0x45A3C  Ack: 0x0  Win: 0x200  TcpLen: 20
0x0000: 00 00 00 02 45 00 00 28 0D 90 40 00 75 06 93 74 ....E..(..@.u..t
0x0010: 50 47 47 18 04 40 C9 2C 00 00 0C 38 00 04 5A 3C PGG..@.,...8..Z<
0x0020: 00 00 00 00 50 02 02 00 E2 9E 00 00             ....P.......

[**] SCAN Squid Proxy attempt [**]
12/26/03-17:05:01.040418 80.71.71.24:0 -> 4.64.201.44:3128
TCP TTL:117 TOS:0x0 ID:2704 IpLen:20 DgmLen:40 DF
******S* Seq: 0x289E5  Ack: 0x0  Win: 0x200  TcpLen: 20
0x0000: 00 00 00 02 45 00 00 28 0A 90 40 00 75 06 96 74 ....E..(..@.u..t
0x0010: 50 47 47 18 04 40 C9 2C 00 00 0C 38 00 02 89 E5 PGG..@.,...8....
0x0020: 00 00 00 00 50 02 02 00 B2 F7 00 00             ....P.......


This is on an OpenBSD -current box running snort 2.1.0.  This version
also claims to be seeing lots of odd IP protocols that I don't use, as
well as non-IPv4 packets.  I say this is odd because I don't see these
in any of my pf logs, but that's another email.

-jon
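A quick way to sanity-check alerts like the ones above is to decode the packet snort printed and compare it against the rule header that is supposed to have fired. The following is an added example, not code from the post or from the snort project. It takes the hex columns of the three mis-attributed dumps above as its input, treats the leading 00 00 00 02 as a 4-byte address-family link header (AF_INET = 2; an assumption, but the IP header visibly starts at the 0x45 that follows), verifies the IP header checksum, and tests the Slammer precondition I take from the worm's known behaviour rather than from the page: UDP to port 1434 with a payload starting 0x04. A constructed UDP/1434 datagram is built alongside to show the positive case. All three alerted packets are well-formed IPv4 and none of them is UDP at all, which is the point: whatever the rule matched on, it was not the decoded headers in the dump.

```python
import socket
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Hex columns copied from the three mis-attributed alerts in the post above.
ALERTED_PACKETS = {
    "tcp_syn_8080": (
        "00 00 00 02 45 00 00 3C F3 1B 40 00 2F 06 8C 71 "
        "C7 CB 36 20 04 40 CA 03 E6 60 1F 90 DD E6 A9 3F "
        "00 00 00 00 A0 02 16 D0 3A 2E 00 00 02 04 05 AC "
        "04 02 08 0A 3B 6F 62 5B 00 00 00 00 01 03 03 00"
    ),
    "icmp_echo": (
        "00 00 00 02 45 00 00 1C 83 D3 00 00 70 01 C0 5D "
        "40 E7 F8 5C 04 40 C9 2C 08 00 DA 16 03 00 1A E9"
    ),
    "tcp_syn_3128": (
        "00 00 00 02 45 00 00 28 0D 90 40 00 75 06 93 74 "
        "50 47 47 18 04 40 C9 2C 00 00 0C 38 00 04 5A 3C "
        "00 00 00 00 50 02 02 00 E2 9E 00 00"
    ),
}

# Assumption: the dump starts with a 4-byte address-family header
# (00 00 00 02 = AF_INET); the IPv4 header begins right after it.
LINK_HDR_LEN = 4


def ip_checksum(header):
    """RFC 791 one's-complement sum over the IP header.
    Over a header that already carries its checksum this returns 0 when intact;
    over a header with a zeroed checksum field it returns the value to insert."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def could_match_mssql_worm(info):
    """Slammer precondition (assumed from the worm's behaviour, not from the
    page): UDP to 1434 whose payload begins with 0x04."""
    return (info["proto"] == "UDP" and info["dport"] == 1434
            and info["payload"][:1] == b"\x04")


def parse_packet(raw):
    """Decode link header + IPv4 + (TCP | UDP | ICMP) from the raw bytes."""
    ip = raw[LINK_HDR_LEN:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4,
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "sport": None, "dport": None, "tcp_flags": None,
        "icmp_type": None, "icmp_code": None, "payload": b"",
    }
    l4 = ip[ihl:total_len]
    if proto in (6, 17):
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        if proto == 6:
            data_off = (l4[12] >> 4) * 4      # TCP data offset, in 32-bit words
            info["tcp_flags"] = l4[13]        # 0x02 = SYN only
            info["payload"] = l4[data_off:]
        else:
            info["payload"] = l4[8:]          # UDP header is fixed 8 bytes
    elif proto == 1:
        info["icmp_type"], info["icmp_code"] = l4[0], l4[1]
    info["could_match_mssql_worm"] = could_match_mssql_worm(info)
    return info


def build_udp_probe(src, dst, dport, payload):
    """Constructed sample (not from the page): minimal IPv4/UDP datagram with a
    valid IP checksum, prefixed with the same 4-byte AF_INET link header."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, dport, udp_len, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return b"\x00\x00\x00\x02" + hdr + udp


def triage(packets=None):
    """Decode every dump and report whether it could even reach the rule."""
    packets = ALERTED_PACKETS if packets is None else packets
    return {name: parse_packet(bytes.fromhex(hx.replace(" ", "")))
            for name, hx in packets.items()}


if __name__ == "__main__":
    for name, info in triage().items():
        print("%-13s %s %s -> %s dport=%s ip_csum_ok=%s mssql_worm_possible=%s" % (
            name, info["proto"], info["src"], info["dst"], info["dport"],
            info["ip_checksum_ok"], info["could_match_mssql_worm"]))
```

The same decoder can be pointed at any other alert that looks wrong: if the rule header (protocol, ports) does not agree with what the dump decodes to, the problem is in how the packet reached the detection engine, not in the rule's content matches.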




_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
