[Snort-devel] odd problems with 2.3rc2
Matthew Watchinski
mwatchinski at ...402...
Mon Jan 10 07:12:10 EST 2005
Is this occurring with rules in the official Snort set or only with
Bleeding Snort rules? If so, what are the SIDs?
Thanks
-matt
Russell Fulton wrote:
>Hi Folks,
> I originally sent this to the snort-users list and then posted a
>followup asking people to ignore it since I thought that the problem was
>caused by corruption in the database. I have now eliminated that and
>have verified that snort really is generating these alerts.
>
>[russell at ...1358... snort]$ snort -V
>
> ,,_ -*> Snort! <*-
> o" )~ Version 2.3.0RC2 (Build 9)
> '''' By Martin Roesch & The Snort Team:
>http://www.snort.org/team.html
> (C) Copyright 1998-2004 Sourcefire Inc, et al.
>
>Gotta luv that pig!! :)
>
>I've just installed RC2 and I have observed a couple of problems:
> 1. a few rules are triggering when there does not appear to be any
> reason. One rule is triggering often, for no apparent reason:
>
>META
>--------
>SID CID TimeStamp Signature
>9 8206 2005-01-05 14:08:18 BLEEDING-EDGE Malware Fun Web
>Products Agent Traffic
>Sig ID
>2001034
>
>Sensor Hostname Sensor Interface
>hihi.itss eth1
>
>IP
>--------
>Source Address Dest Address Ver Hdr Len
>130.216.112.4 210.55.168.70 4 5
>TOS length ID flags offset TTL chksum
>0 448 37539 2 0 126 64313
>
>Resolved Source
>ngarino.ellis.arth.auckland.ac.nz
>
>Resolved Dest
>www.nbnzi.com
>
>TCP
>--------
>Source Port Dest Port Seq Ack
>2034 80 1389116551 3695382261
>Offset Reserved Flags Window Checksum Urgent Ptr
>5 0 24 63496 55014 0
>
>Options
>--------
>None
>
>
>Flags
>--------
>RB 1 RB 0 URG ACK PSH RST SYN FIN
> X X
>
>DATA
>--------
>GET /images/home/logo.gif HTTP/1.1..Accept: */*..Referer: ht
>tp://www.nationalbank.co.nz..Accept-Language: en-nz..Accept-
>Encoding: gzip, deflate..If-Modified-Since: Sat, 05 Oct 2002
> 05:31:22 GMT..If-None-Match: "0b16970306cc21:4f5f"..User-Ag
>ent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..Hos
>t: www.nationalbank.co.nz..Connection: Keep-Alive..Cookie: A
>SPSESSIONIDCQATDDCS=NLMHMFBBCICDLCPIINHJDANG....
>
>[russell at ...1358... snort]$ grep 2001034 Rules/rules/*
>Rules/rules/bleeding-malware.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; classtype:policy-violation; reference:url,www.funwebproducts.com; content:"FunWebProducts\;"; nocase; flow:to_server,established; threshold:type limit, track by_src, count 2, seconds 360; sid:2001034; rev:10;)
>Rules/rules/sid-msg.map:2001034 || BLEEDING-EDGE Malware Fun Web Products Agent Traffic || url,www.funwebproducts.com
>
>and secondly, many of these false alerts also generate tagged packets.
>I am also seeing tagged packets for other rules which don't have the tag
>option.
>
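A quick way to check the quoted sid:2001034 rule against the quoted packet, as an added example that is not code from this thread or from Snort itself: it splits the rule's option block while honouring the `\;` escape inside the content string, then tests whether the content bytes occur in the payload with `nocase` applied. The rule text and the HTTP request are copied from Russell's post (the request is trimmed to the headers shown there); `flow`, `threshold` and Snort's `|..|` hex content syntax are deliberately not handled.

```python
import re  # noqa: F401  (kept for readers extending the parser)

# Rule and payload as quoted in the post (payload reconstructed from the
# ASCII DATA dump, with CRLF line endings restored).
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; '
    'classtype:policy-violation; reference:url,www.funwebproducts.com; '
    'content:"FunWebProducts\\;"; nocase; flow:to_server,established; '
    'threshold:type limit, track by_src, count 2, seconds 360; '
    'sid:2001034; rev:10;)'
)
PAYLOAD = (b"GET /images/home/logo.gif HTTP/1.1\r\n"
           b"Accept: */*\r\n"
           b"Referer: http://www.nationalbank.co.nz\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
           b"Host: www.nationalbank.co.nz\r\n\r\n")

def split_options(rule):
    """Split the (...) option body on ';', treating '\\;' as a literal
    semicolon (Snort's escape inside content:). Returns (key, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, i = [], "", 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # keep the escaped char as-is
            cur += body[i + 1]
            i += 2
            continue
        if c == ";":
            key, _, val = cur.strip().partition(":")
            opts.append((key, val.strip().strip('"')))
            cur = ""
        else:
            cur += c
        i += 1
    return opts

def content_matches(rule, payload):
    """True if every content: option occurs in payload. Simplification:
    a single nocase anywhere in the rule applies to all content options."""
    opts = split_options(rule)
    nocase = any(k == "nocase" for k, _ in opts)
    for key, val in opts:
        if key != "content":
            continue
        needle, hay = val.encode(), payload
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True
```

Running `content_matches(RULE, PAYLOAD)` returns False, which is what a plain content match says about the quoted packet.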