[Snort-devel] odd problems with 2.3rc2

Matthew Watchinski mwatchinski at ...402...
Mon Jan 10 07:12:10 EST 2005 

Is this occurring with rules in the official snort set or only with 
bleeding snort rules?  If so what are the sids

Thanks
-matt

Russell Fulton wrote:

>HI Folks,
>	I originally sent this to the snort-users list and then posted a
>followup asking people to ignore it since I thought that the problem was
>caused by corruption in the database.  I have now eliminated that and
>have verified that snort really is generating these alerts.
>
>[russell at ...1358... snort]$ snort -V
>
>   ,,_     -*> Snort! <*-
>  o"  )~   Version 2.3.0RC2 (Build 9)
>   ''''    By Martin Roesch & The Snort Team:
>http://www.snort.org/team.html
>           (C) Copyright 1998-2004 Sourcefire Inc, et al.
>
>Gotta luv that pig!!  :)
>
>I've just installed RC2 and I have observed a couple of problems:
>     1. a few rules are triggering when there does not appear to be any
>        reason.  One rule is triggering often, for no apparent reason:
>
>META
>--------
>SID     CID     TimeStamp               Signature
>9       8206    2005-01-05 14:08:18     BLEEDING-EDGE Malware Fun Web
>Products Agent Traffic
>Sig ID
>2001034
>
>Sensor Hostname                         Sensor Interface
>hihi.itss       eth1
>
>IP
>--------
>Source Address  Dest Address    Ver     Hdr Len
>130.216.112.4   210.55.168.70   4       5
>TOS     length  ID      flags   offset  TTL     chksum
>0       448     37539   2       0       126     64313
>
>Resolved Source
>ngarino.ellis.arth.auckland.ac.nz
>
>Resolved Dest
>www.nbnzi.com 
>
>TCP
>--------
>Source Port     Dest Port       Seq             Ack             
>2034            80              1389116551      3695382261
>Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
>5       0               24      63496   55014           0
>
>Options
>--------
>None
>
>
>Flags
>--------
>RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
>                        X       X                               
>
>DATA
>--------
>474554202F696D616765    GET /image
>732F686F6D652F6C6F67    s/home/log
>6F2E6769662048545450    o.gif HTTP
>2F312E310D0A41636365    /1.1..Acce
>70743A202A2F2A0D0A52    pt: */*..R
>6566657265723A206874    eferer: ht
>74703A2F2F7777772E6E    tp://www.n
>6174696F6E616C62616E    ationalban
>6B2E636F2E6E7A0D0A41    k.co.nz..A
>63636570742D4C616E67    ccept-Lang
>756167653A20656E2D6E    uage: en-n
>7A0D0A4163636570742D    z..Accept-
>456E636F64696E673A20    Encoding: 
>677A69702C206465666C    gzip, defl
>6174650D0A49662D4D6F    ate..If-Mo
>6469666965642D53696E    dified-Sin
>63653A205361742C2030    ce: Sat, 0
>35204F63742032303032    5 Oct 2002
>2030353A33313A323220     05:31:22 
>474D540D0A49662D4E6F    GMT..If-No
>6E652D4D617463683A20    ne-Match: 
>22306231363937303330    "0b1697030
>36636332313A34663566    6cc21:4f5f
>220D0A557365722D4167    "..User-Ag
>656E743A204D6F7A696C    ent: Mozil
>6C612F342E302028636F    la/4.0 (co
>6D70617469626C653B20    mpatible; 
>4D53494520362E303B20    MSIE 6.0; 
>57696E646F7773204E54    Windows NT
>20352E31290D0A486F73     5.1)..Hos
>743A207777772E6E6174    t: www.nat
>696F6E616C62616E6B2E    ionalbank.
>636F2E6E7A0D0A436F6E    co.nz..Con
>6E656374696F6E3A204B    nection: K
>6565702D416C6976650D    eep-Alive.
>0A436F6F6B69653A2041    .Cookie: A
>535053455353494F4E49    SPSESSIONI
>4443514154444443533D    DCQATDDCS=
>4E4C4D484D4642424349    NLMHMFBBCI
>43444C435049494E484A    CDLCPIINHJ
>44414E470D0A0D0A        DANG....
>
>DATA
>--------
>GET /images/home/logo.gif HTTP/1.1..Accept: */*..Referer: ht
>tp://www.nationalbank.co.nz..Accept-Language: en-nz..Accept-
>Encoding: gzip, deflate..If-Modified-Since: Sat, 05 Oct 2002
> 05:31:22 GMT..If-None-Match: "0b16970306cc21:4f5f"..User-Ag
>ent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..Hos
>t: www.nationalbank.co.nz..Connection: Keep-Alive..Cookie: A
>SPSESSIONIDCQATDDCS=NLMHMFBBCICDLCPIINHJDANG....
>
>[russell at ...1358... snort]$ grep 2001034 Rules/rules/*
>Rules/rules/bleeding-malware.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; classtype:policy-violation; reference:url,www.funwebproducts.com; content:"FunWebProducts\;"; nocase; flow:to_server,established; threshold:type limit, track by_src, count 2, seconds 360; sid:2001034; rev:10;)
>Rules/rules/sid-msg.map:2001034 || BLEEDING-EDGE Malware Fun Web Products Agent Traffic || url,www.funwebproducts.com
>
>and secondly, many of these false alerts also generate tagged packets.
>I am also seeing tagged packets for other rules which don't have the tag
>option.
>
>
>
>
>
>-------------------------------------------------------
>The SF.Net email is sponsored by: Beat the post-holiday blues
>Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
>It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
>_______________________________________________
>Snort-devel mailing list
>Snort-devel at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>  
>

More information about the Snort-devel mailing list