[Snort-devel] odd problems with 2.3rc2

Russell Fulton r.fulton at ...1343...
Sun Jan 9 16:23:06 EST 2005


HI Folks,
	I originally sent this to the snort-users list and then posted a
followup asking people to ignore it since I thought that the problem was
caused by corruption in the database.  I have now eliminated that and
have verified that snort really is generating these alerts.

[russell at ...1358... snort]$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.0RC2 (Build 9)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc, et al.

Gotta luv that pig!!  :)

I've just installed RC2 and I have observed a couple of problems:
     1. a few rules are triggering when there does not appear to be any
        reason.  One rule is triggering often, for no apparent reason:

META
--------
SID     CID     TimeStamp               Signature
9       8206    2005-01-05 14:08:18     BLEEDING-EDGE Malware Fun Web
Products Agent Traffic
Sig ID
2001034

Sensor Hostname                         Sensor Interface
hihi.itss       eth1

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.112.4   210.55.168.70   4       5
TOS     length  ID      flags   offset  TTL     chksum
0       448     37539   2       0       126     64313

Resolved Source
ngarino.ellis.arth.auckland.ac.nz

Resolved Dest
www.nbnzi.com 

TCP
--------
Source Port     Dest Port       Seq             Ack             
2034            80              1389116551      3695382261
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      63496   55014           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
474554202F696D616765    GET /image
732F686F6D652F6C6F67    s/home/log
6F2E6769662048545450    o.gif HTTP
2F312E310D0A41636365    /1.1..Acce
70743A202A2F2A0D0A52    pt: */*..R
6566657265723A206874    eferer: ht
74703A2F2F7777772E6E    tp://www.n
6174696F6E616C62616E    ationalban
6B2E636F2E6E7A0D0A41    k.co.nz..A
63636570742D4C616E67    ccept-Lang
756167653A20656E2D6E    uage: en-n
7A0D0A4163636570742D    z..Accept-
456E636F64696E673A20    Encoding: 
677A69702C206465666C    gzip, defl
6174650D0A49662D4D6F    ate..If-Mo
6469666965642D53696E    dified-Sin
63653A205361742C2030    ce: Sat, 0
35204F63742032303032    5 Oct 2002
2030353A33313A323220     05:31:22 
474D540D0A49662D4E6F    GMT..If-No
6E652D4D617463683A20    ne-Match: 
22306231363937303330    "0b1697030
36636332313A34663566    6cc21:4f5f
220D0A557365722D4167    "..User-Ag
656E743A204D6F7A696C    ent: Mozil
6C612F342E302028636F    la/4.0 (co
6D70617469626C653B20    mpatible; 
4D53494520362E303B20    MSIE 6.0; 
57696E646F7773204E54    Windows NT
20352E31290D0A486F73     5.1)..Hos
743A207777772E6E6174    t: www.nat
696F6E616C62616E6B2E    ionalbank.
636F2E6E7A0D0A436F6E    co.nz..Con
6E656374696F6E3A204B    nection: K
6565702D416C6976650D    eep-Alive.
0A436F6F6B69653A2041    .Cookie: A
535053455353494F4E49    SPSESSIONI
4443514154444443533D    DCQATDDCS=
4E4C4D484D4642424349    NLMHMFBBCI
43444C435049494E484A    CDLCPIINHJ
44414E470D0A0D0A        DANG....

DATA
--------
GET /images/home/logo.gif HTTP/1.1..Accept: */*..Referer: ht
tp://www.nationalbank.co.nz..Accept-Language: en-nz..Accept-
Encoding: gzip, deflate..If-Modified-Since: Sat, 05 Oct 2002
 05:31:22 GMT..If-None-Match: "0b16970306cc21:4f5f"..User-Ag
ent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..Hos
t: www.nationalbank.co.nz..Connection: Keep-Alive..Cookie: A
SPSESSIONIDCQATDDCS=NLMHMFBBCICDLCPIINHJDANG....

[russell at ...1358... snort]$ grep 2001034 Rules/rules/*
Rules/rules/bleeding-malware.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; classtype:policy-violation; reference:url,www.funwebproducts.com; content:"FunWebProducts\;"; nocase; flow:to_server,established; threshold:type limit, track by_src, count 2, seconds 360; sid:2001034; rev:10;)
Rules/rules/sid-msg.map:2001034 || BLEEDING-EDGE Malware Fun Web Products Agent Traffic || url,www.funwebproducts.com

and secondly, many of these false alerts also generate tagged packets.
I am also seeing tagged packets for other rules which don't have the tag
option.







More information about the Snort-devel mailing list