[Snort-devel] Oddities in capturing rules

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue Jan 7 08:22:04 EST 2003


When trying to test a rule with snort 2 on one of our development
sensors... This happened.

alert tcp any any -> any 445 (msg:"Test 1"; flow:established; content:"bob1234";)

204.124.x.x:443 -> 192.168.x.x:49995 
Content of data returned:

bob1234
es/homebar.gif HTTP/1.1
Accept: */*
Referer: http://some.site/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Fri, 23 Aug 2002 19:39:17 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)
Hos

This rule hit at exactly the moment we were telnetting to port 445 on a
172.16.0.0/12 host from a 10.0.0.0/8 host.  You'll notice that neither the source
nor the dest IPs or ports are right.  On top of that, we also appear to
have had our data jumbled with some other data (a request to our
intranet), jumbled with more data (a request to an external https
site).

All of the tcp info and ip info appear to come from the 204.124.x.x ->
192.168.x.x connection, and the data appears to come from two different,
completely unrelated connections.

So far this is not repeatable...
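A sanity check for alerts like the one above, added here as an example (it is not Snort's code and not from the original post): it parses a Snort 2 rule header and its content: options and reports which fields of the alerted packet fail to satisfy the rule, so a mismatch such as an "any 445" rule firing on a 443 -> 49995 connection is flagged. The masked addresses from the report are replaced with constructed placeholder IPs, and only the `->` direction is handled.

```python
import re
import ipaddress
from dataclasses import dataclass

# Hypothetical minimal model of a Snort 2 rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def _port_matches(spec: str, port: int) -> bool:
    # Supports 'any', a single port, and a 'lo:hi' range (open ends allowed).
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def _ip_matches(spec: str, ip: str) -> bool:
    # 'any' matches everything; otherwise treat the spec as an address or CIDR block.
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_checks(rule: str, pkt: Packet) -> dict:
    """Evaluate each header field and every content: option against the packet."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("cannot parse rule header")
    contents = re.findall(r'content:\s*"([^"]*)"', m["opts"])
    return {
        "proto": m["proto"].lower() == pkt.proto.lower(),
        "src": _ip_matches(m["src"], pkt.src),
        "sport": _port_matches(m["sport"], pkt.sport),
        "dst": _ip_matches(m["dst"], pkt.dst),
        "dport": _port_matches(m["dport"], pkt.dport),
        "content": all(c.encode() in pkt.payload for c in contents),
    }

def mismatched_fields(rule: str, pkt: Packet) -> list:
    """Names of the checks the alerted packet does NOT satisfy (empty = alert is consistent)."""
    return sorted(k for k, ok in rule_checks(rule, pkt).items() if not ok)

# Constructed reproduction of the reported alert: placeholder IPs stand in for the masked ones.
TEST_RULE = 'alert tcp any any -> any 445 (msg:"Test 1"; flow:established; content:"bob1234";)'
REPORTED_PKT = Packet("tcp", "204.124.0.1", 443, "192.168.0.1", 49995,
                      b"bob1234\r\nes/homebar.gif HTTP/1.1\r\nAccept: */*\r\n")
```

Running `mismatched_fields(TEST_RULE, REPORTED_PKT)` on the reproduction yields `['dport']`: the content matched, but the packet Snort attached to the alert could not have satisfied the rule's port 445 header.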
