[Snort-sigs] Re: [Snort-devel] Signature error?

Ron Shuck rshuck at ...1949...
Mon Dec 29 11:55:03 EST 2003


Yes. I am seeing the same thing. The MS-SQL Worm signature is catching
valid attempts. I had two other signatures that did the same thing, but
I considered it a fluke and deleted the packets. I don't recall which
ones. I do know that the number of bogus alerts is very small.


Ron Shuck, CISSP, GCIA, CCSE 

-----Original Message-----
From: Jon Hart [mailto:warchild at ...1775...] 
Sent: Monday, December 29, 2003 12:05 PM
To: Ron Shuck
Cc: snort-devel at lists.sourceforge.net; snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Re: [Snort-devel] Signature error?

On Mon, Dec 29, 2003 at 09:44:45AM -0600, Ron Shuck wrote:
> Hi,
>  
> I am getting some really weird alerts since upgrading to 2.0.6. I get 
> alerts for MS-SQL Worm on packets that are ICMP destination 
> unreachable packets. I double checked the event, iphdr and signature 
> tables in the database. It is definitely an ICMP packet and the 
> signature was the MS-SQL Worm signature.
> 
> Any ideas?

I'm getting similar odd alerts, but only since I upgraded my sensor to
2.1.0.

Although this signature is still capturing legitimate MS-SQL worm
attempts, it is also capturing lots of other packets that are clearly
not MS-SQL worm related:

[**] MS-SQL Worm propagation attempt [**]
12/29/03-08:22:34.020878 199.203.54.32:58976 -> 4.64.202.3:8080
TCP TTL:47 TOS:0x0 ID:62235 IpLen:20 DgmLen:60 DF
******S* Seq: 0xDDE6A93F  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1452 SackOK TS: 997155419 0 NOP WS: 0
0x0000: 00 00 00 02 45 00 00 3C F3 1B 40 00 2F 06 8C 71 ....E..<..@./..q
0x0010: C7 CB 36 20 04 40 CA 03 E6 60 1F 90 DD E6 A9 3F ..6 .@...`.....?
0x0020: 00 00 00 00 A0 02 16 D0 3A 2E 00 00 02 04 05 AC ........:.......
0x0030: 04 02 08 0A 3B 6F 62 5B 00 00 00 00 01 03 03 00 ....;ob[........

[**] MS-SQL Worm propagation attempt [**]
12/28/03-07:35:47.946358 64.231.248.92 -> 4.64.201.44
ICMP TTL:112 TOS:0x0 ID:33747 IpLen:20 DgmLen:28
Type:8  Code:0  ID:768   Seq:6889  ECHO
0x0000: 00 00 00 02 45 00 00 1C 83 D3 00 00 70 01 C0 5D ....E.......p..]
0x0010: 40 E7 F8 5C 04 40 C9 2C 08 00 DA 16 03 00 1A E9 @..\.@.,........

And here are two odd alerts.  The first claims to be a MS-SQL worm
packet and clearly is not.  The second is very similar to the first, but
gets properly detected as a Squid proxy scan:

[**] MS-SQL Worm propagation attempt [**]
12/26/03-05:48:54.831914 80.71.71.24:0 -> 4.64.201.44:3128
TCP TTL:117 TOS:0x0 ID:3472 IpLen:20 DgmLen:40 DF
******S* Seq: 0x45A3C  Ack: 0x0  Win: 0x200  TcpLen: 20
0x0000: 00 00 00 02 45 00 00 28 0D 90 40 00 75 06 93 74 ....E..(..@.u..t
0x0010: 50 47 47 18 04 40 C9 2C 00 00 0C 38 00 04 5A 3C PGG..@.,...8..Z<
0x0020: 00 00 00 00 50 02 02 00 E2 9E 00 00             ....P.......

[**] SCAN Squid Proxy attempt [**]
12/26/03-17:05:01.040418 80.71.71.24:0 -> 4.64.201.44:3128
TCP TTL:117 TOS:0x0 ID:2704 IpLen:20 DgmLen:40 DF
******S* Seq: 0x289E5  Ack: 0x0  Win: 0x200  TcpLen: 20
0x0000: 00 00 00 02 45 00 00 28 0A 90 40 00 75 06 96 74 ....E..(..@.u..t
0x0010: 50 47 47 18 04 40 C9 2C 00 00 0C 38 00 02 89 E5 PGG..@.,...8....
0x0020: 00 00 00 00 50 02 02 00 B2 F7 00 00             ....P.......


This is on an OpenBSD -current box running snort 2.1.0.  This version
also claims to be seeing lots of odd IP protocols that I don't use, as
well as non-IPv4 packets.  I say this is odd because I don't see these
in any of my pf logs, but that's another email.

-jon
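The alerts quoted above all carry the "MS-SQL Worm propagation attempt" name on packets that cannot be the worm: the Slammer worm is a single UDP datagram to port 1434, yet the hits are TCP SYNs to 8080/3128 and an ICMP echo. A quick triage check for this class of false positive is to parse the Snort full-alert output and flag every alert whose transport protocol or destination port does not match what the signature is supposed to fire on. The script below is an added example written for this thread, not code from the posters or from the Snort project. It assumes the Snort 2.x full-alert layout shown in the messages (header line, then the flow line, then the protocol line, with the two possibly run together by a mail client as above); the expected-profile table, the alert names, and the UDP/1434 sample alert are constructed for illustration, while the other sample alerts reuse the addresses quoted in the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the Snort 2.x "full" alert format. The first,
# second and fourth alerts reuse the flows quoted in the thread (hex dumps
# omitted); the third is a constructed true positive: a UDP datagram to 1434.
SAMPLE_ALERTS = """\
[**] MS-SQL Worm propagation attempt [**]
12/29/03-08:22:34.020878 199.203.54.32:58976 -> 4.64.202.3:8080 TCP
TTL:47 TOS:0x0 ID:62235 IpLen:20 DgmLen:60 DF
******S* Seq: 0xDDE6A93F  Ack: 0x0  Win: 0x16D0  TcpLen: 40

[**] MS-SQL Worm propagation attempt [**]
12/28/03-07:35:47.946358 64.231.248.92 -> 4.64.201.44 ICMP TTL:112
TOS:0x0 ID:33747 IpLen:20 DgmLen:28
Type:8  Code:0  ID:768   Seq:6889  ECHO

[**] MS-SQL Worm propagation attempt [**]
12/27/03-01:02:03.000000 192.0.2.77:1089 -> 192.0.2.10:1434
UDP TTL:110 TOS:0x0 ID:4242 IpLen:20 DgmLen:404

[**] SCAN Squid Proxy attempt [**]
12/26/03-17:05:01.040418 80.71.71.24:0 -> 4.64.201.44:3128 TCP TTL:117
TOS:0x0 ID:2704 IpLen:20 DgmLen:40 DF
******S* Seq: 0x289E5  Ack: 0x0  Win: 0x200  TcpLen: 20
"""

# What each signature is supposed to fire on: (transport protocol, dst port).
# Hypothetical table for this example; extend it from your own rule set.
EXPECTED_PROFILE: Dict[str, Tuple[str, Optional[int]]] = {
    "MS-SQL Worm propagation attempt": ("UDP", 1434),
}

HEADER_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
# Flow line and protocol line are matched after being joined with a space, so
# the same regex handles Snort's own two-line layout and the mail-wrapped one.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? (?P<proto>[A-Z]+) TTL:"
)

# (timestamp, signature, protocol, destination port or None for ICMP)
Alert = Tuple[str, str, str, Optional[int]]


def parse_alerts(text: str) -> List[Alert]:
    """Parse blank-line-separated Snort full alerts into tuples."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        header = HEADER_RE.match(lines[0])
        flow = FLOW_RE.match(" ".join(lines[1:3]))
        if not header or not flow:
            continue  # not an alert block we understand; skip it
        dport = int(flow["dport"]) if flow["dport"] else None
        alerts.append((flow["ts"], header["sig"], flow["proto"], dport))
    return alerts


def find_protocol_mismatches(text: str, expected=EXPECTED_PROFILE) -> List[Alert]:
    """Return alerts whose protocol/port contradicts the signature's profile."""
    mismatches: List[Alert] = []
    for ts, sig, proto, dport in parse_alerts(text):
        if sig not in expected:
            continue  # no profile for this signature; nothing to check
        want_proto, want_port = expected[sig]
        if proto != want_proto or dport != want_port:
            mismatches.append((ts, sig, proto, dport))
    return mismatches


if __name__ == "__main__":
    for ts, sig, proto, dport in find_protocol_mismatches(SAMPLE_ALERTS):
        print(f"{ts} suspicious: '{sig}' fired on {proto} dport={dport}")
```

Run against the sample input this reports the TCP/8080 and ICMP hits and stays quiet on the UDP/1434 alert and on the Squid scan (which has no profile entry). A burst of such mismatches right after a sensor upgrade, as in this thread, points at the detection engine or rule parsing rather than at real worm traffic, which is the distinction the triage is meant to make.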

