[Snort-sigs] Re: [Snort-devel] Signature error?

Jon Hart warchild at ...288...
Mon Dec 29 10:06:04 EST 2003


On Mon, Dec 29, 2003 at 09:44:45AM -0600, Ron Shuck wrote:
> Hi,
>  
> I am getting some really weird alerts since upgrading to 2.0.6. I get
> alerts for MS-SQL Worm on packets that are ICMP destination unreachable
> packets. I double checked the event, iphdr and signature tables in the
> database. It is definitely an ICMP packet and the signature was the
> MS-SQL Worm signature.
> 
> Any ideas?

I'm getting similar odd alerts, but only since I upgraded my sensor to
2.1.0.

Although this signature is still capturing legitimate MS-SQL worm
attempts, it is also capturing lots of other packets that are clearly
not MS-SQL worm related:

[**] MS-SQL Worm propagation attempt [**]
12/29/03-08:22:34.020878 199.203.54.32:58976 -> 4.64.202.3:8080
TCP TTL:47 TOS:0x0 ID:62235 IpLen:20 DgmLen:60 DF
******S* Seq: 0xDDE6A93F  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1452 SackOK TS: 997155419 0 NOP WS: 0
0x0000: 00 00 00 02 45 00 00 3C F3 1B 40 00 2F 06 8C 71 ....E..<..@./..q
0x0010: C7 CB 36 20 04 40 CA 03 E6 60 1F 90 DD E6 A9 3F ..6 .@...`.....?
0x0020: 00 00 00 00 A0 02 16 D0 3A 2E 00 00 02 04 05 AC ........:.......
0x0030: 04 02 08 0A 3B 6F 62 5B 00 00 00 00 01 03 03 00 ....;ob[........

[**] MS-SQL Worm propagation attempt [**]
12/28/03-07:35:47.946358 64.231.248.92 -> 4.64.201.44
ICMP TTL:112 TOS:0x0 ID:33747 IpLen:20 DgmLen:28
Type:8  Code:0  ID:768   Seq:6889  ECHO
0x0000: 00 00 00 02 45 00 00 1C 83 D3 00 00 70 01 C0 5D ....E.......p..]
0x0010: 40 E7 F8 5C 04 40 C9 2C 08 00 DA 16 03 00 1A E9 @..\.@.,........

And here are two odd alerts.  The first claims to be a MS-SQL worm
packet and clearly is not.  The second is very similar to the first, but
gets properly detected as a Squid proxy scan:

[**] MS-SQL Worm propagation attempt [**]
12/26/03-05:48:54.831914 80.71.71.24:0 -> 4.64.201.44:3128
TCP TTL:117 TOS:0x0 ID:3472 IpLen:20 DgmLen:40 DF
******S* Seq: 0x45A3C  Ack: 0x0  Win: 0x200  TcpLen: 20
0x0000: 00 00 00 02 45 00 00 28 0D 90 40 00 75 06 93 74 ....E..(..@.u..t
0x0010: 50 47 47 18 04 40 C9 2C 00 00 0C 38 00 04 5A 3C PGG..@.,...8..Z<
0x0020: 00 00 00 00 50 02 02 00 E2 9E 00 00             ....P.......

[**] SCAN Squid Proxy attempt [**]
12/26/03-17:05:01.040418 80.71.71.24:0 -> 4.64.201.44:3128
TCP TTL:117 TOS:0x0 ID:2704 IpLen:20 DgmLen:40 DF
******S* Seq: 0x289E5  Ack: 0x0  Win: 0x200  TcpLen: 20
0x0000: 00 00 00 02 45 00 00 28 0A 90 40 00 75 06 96 74 ....E..(..@.u..t
0x0010: 50 47 47 18 04 40 C9 2C 00 00 0C 38 00 02 89 E5 PGG..@.,...8....
0x0020: 00 00 00 00 50 02 02 00 B2 F7 00 00             ....P.......


This is on an OpenBSD -current box running snort 2.1.0.  This version
also claims to be seeing lots of odd IP protocols that I don't use, as
well as non-IPv4 packets.  I say this is odd because I don't see these
in any of my pf logs, but that's another email.

-jon
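The hex dumps above are enough to check, independently of Snort, what each alerted packet actually is. The following script is an added example and not part of the post or of Snort; it re-parses the three dumps quoted above. It assumes that the leading `00 00 00 02` on every dump is the 4-byte loopback/DLT_NULL address-family word (AF_INET == 2) that an OpenBSD capture prepends, so the IPv4 header starts at offset 4, and it assumes the header part of the "MS-SQL Worm propagation attempt" rule is `udp`, destination port 1434, first payload byte `|04|` (the rule is not quoted on the page). The `SYNTHETIC_UDP_1434` packet is constructed here as a positive control. The page does not establish why the rule fired, so the script only shows that none of the dumped packets satisfy that header, and that the link-layer offset must be right before any of the IP fields mean anything.

```python
import struct

# Hex dumps copied from the three alerts quoted above (ASCII column dropped).
# ASSUMPTION: the first four bytes are the DLT_NULL/loopback AF word
# (AF_INET == 2 in host order) that OpenBSD prepends; IPv4 starts after it.
LL_HEADER_LEN = 4

DUMPS = {
    "tcp_8080": "00 00 00 02 45 00 00 3C F3 1B 40 00 2F 06 8C 71 "
                "C7 CB 36 20 04 40 CA 03 E6 60 1F 90 DD E6 A9 3F "
                "00 00 00 00 A0 02 16 D0 3A 2E 00 00 02 04 05 AC "
                "04 02 08 0A 3B 6F 62 5B 00 00 00 00 01 03 03 00",
    "icmp_echo": "00 00 00 02 45 00 00 1C 83 D3 00 00 70 01 C0 5D "
                 "40 E7 F8 5C 04 40 C9 2C 08 00 DA 16 03 00 1A E9",
    "tcp_3128": "00 00 00 02 45 00 00 28 0D 90 40 00 75 06 93 74 "
                "50 47 47 18 04 40 C9 2C 00 00 0C 38 00 04 5A 3C "
                "00 00 00 00 50 02 02 00 E2 9E 00 00",
}

# Constructed positive control (not from the post): UDP 10.0.0.1:1234 ->
# 10.0.0.2:1434 carrying a single 0x04 payload byte, checksums left zero.
SYNTHETIC_UDP_1434 = (
    "00 00 00 02 45 00 00 1D 00 00 00 00 40 11 00 00 0A 00 00 01 0A 00 00 02 "
    "04 D2 05 9A 00 09 00 00 04"
)


def decode(hexdump, ll_header_len=LL_HEADER_LEN):
    """Skip the link-layer word and pull out the IPv4 / L4 fields of interest."""
    data = bytes.fromhex(hexdump)
    ip = data[ll_header_len:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("no IPv4 header at offset %d" % ll_header_len)
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    info = {
        "proto": ip[9],
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": None, "dport": None, "payload": b"",
    }
    l4 = ip[ihl:total_len]
    if info["proto"] in (6, 17):            # TCP / UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4 if info["proto"] == 6 else 8
        info["payload"] = l4[hdr_len:]
    elif info["proto"] == 1:                # ICMP: type and code
        info["icmp_type"], info["icmp_code"] = l4[0], l4[1]
    return info


def worm_rule_header_match(info):
    """ASSUMED header of the worm rule: udp, dst port 1434, payload starts 0x04."""
    return (info["proto"] == 17 and info["dport"] == 1434
            and info["payload"][:1] == b"\x04")


def looks_like_ipv4_at(hexdump, offset):
    """True if a valid IPv4 version nibble sits at `offset`.  At offset 0 these
    dumps begin with 0x00, so a decoder that ignores the AF word reads garbage."""
    try:
        decode(hexdump, offset)
        return True
    except ValueError:
        return False


def classify_all():
    """name -> (ip proto, dst port or None, does the worm rule header match)."""
    out = {}
    for name, dump in DUMPS.items():
        info = decode(dump)
        out[name] = (info["proto"], info["dport"], worm_rule_header_match(info))
    return out


if __name__ == "__main__":
    for name, dump in DUMPS.items():
        i = decode(dump)
        print(name, i["src"], "->", i["dst"], "proto", i["proto"],
              "dport", i["dport"], "worm header match:", worm_rule_header_match(i))
    print("synthetic udp/1434 match:",
          worm_rule_header_match(decode(SYNTHETIC_UDP_1434)))
```

Running it reproduces the protocol, address and port fields printed in the alert headers (including the source port of 0 on the two 80.71.71.24 packets) and reports no worm-rule header match for any of the three, while the constructed UDP/1434 probe does match; `looks_like_ipv4_at(dump, 0)` is false for every dump, which is the offset check worth running first on any sensor whose capture interface adds a link-layer word.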
