[Snort-sigs] rule possibly misfiring

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Tue Jan 28 08:01:08 EST 2003


Yeah, same here.... could spo_database have injected the wrong data
stream?

-----Original Message-----
From: Chris Green [mailto:cmg at ...435...] 
Sent: Tuesday, January 28, 2003 9:02 AM
To: Kreimendahl, Chad J
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] rule possibly misfiring


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...361...> writes:

> snort2 both of builds 28 and 49
>
I just tried with build 2.0 B49 and can't reproduce:

alert tcp any any -> any any \
(msg:"POLICY FTP 'STOR 1MB' possible warez site";\
flow:to_server,established; content:"STOR"; nocase; \
content:"1MB"; nocase; distance:1;)

01/28-09:55:50.427925 0:6:5B:DA:D5:74 -> 0:3:93:82:C9:B2 type:0x800
len:0x5D
10.1.1.72:33077 -> 10.1.1.52:80 TCP TTL:64 TOS:0x0 ID:54504 IpLen:20
DgmLen:79 DF
***AP*** Seq: 0x569A34F7  Ack: 0xF0D1C4A7  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 38204614 1525692256 
53 54 4F 52 20 50 54 53 2E 55 53 45 52 2E 45 42  STOR PTS.USER.EB
31 32 35 2E 43 48 4B 5F 2B 31 0A                 125.CHK_+1.

What does the packet alert off on really look like? 

I know this was to port 80 but I did adjust the rule accordingly.
-- 
Chris Green <cmg at ...435...>
Don't use a big word where a diminutive one will suffice.
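To check the question the thread is circling (does the quoted payload actually satisfy the quoted rule?), here is an added Python model of Snort's content/nocase/distance matching run over the payload decoded from the quoted hex dump. It is example code written for this page, not Snort's matcher or anything from the posters; the dump parser assumes the hex column is separated from the ASCII column by at least two spaces, as in the dump above.

```python
"""Constructed model of Snort's content/nocase/distance matching (added example,
not Snort's code nor the posters').  Decodes the quoted packet dump's payload
and walks the quoted rule's two content options over it."""
import re

# Payload lines of the packet dump quoted in the mail (hex column, ASCII column).
PACKET_DUMP = """\
53 54 4F 52 20 50 54 53 2E 55 53 45 52 2E 45 42  STOR PTS.USER.EB
31 32 35 2E 43 48 4B 5F 2B 31 0A                 125.CHK_+1.
"""

# The rule's content chain as (pattern, nocase, distance); distance=None means
# the content is not relative and is searched from the start of the payload.
RULE_CONTENTS = [(b"STOR", True, None), (b"1MB", True, 1)]


def payload_from_dump(dump: str) -> bytes:
    """Rebuild payload bytes from a Snort-style hex dump.  Assumes at least two
    spaces between the hex column and the ASCII column (true of the dump above)."""
    out = bytearray()
    for line in dump.splitlines():
        if line.strip():
            hex_column = re.split(r"\s{2,}", line.strip())[0]
            out += bytes(int(tok, 16) for tok in hex_column.split())
    return bytes(out)


def chain_matches(payload: bytes, contents, idx: int = 0, cursor: int = 0) -> bool:
    """True if every content matches in order.  'cursor' is the byte just past the
    previous match; a relative content starts searching at cursor + distance.  If a
    later content fails, the earlier one is retried at its next occurrence."""
    if idx == len(contents):
        return True
    pattern, nocase, distance = contents[idx]
    hay = payload.lower() if nocase else payload
    needle = pattern.lower() if nocase else pattern
    pos = hay.find(needle, 0 if distance is None else cursor + distance)
    while pos >= 0:
        if chain_matches(payload, contents, idx + 1, pos + len(needle)):
            return True
        pos = hay.find(needle, pos + 1)
    return False


if __name__ == "__main__":
    payload = payload_from_dump(PACKET_DUMP)
    print(payload, chain_matches(payload, RULE_CONTENTS))    # no "1MB" in payload
    print(chain_matches(b"STOR1MB\r\n", RULE_CONTENTS))      # distance:1 skips byte 4
    print(chain_matches(b"STOR 1MB\r\n", RULE_CONTENTS))     # matches
```

The quoted payload contains no "1MB" at all, so under these semantics the rule as written cannot be what fired on it; note also that distance:1 deliberately skips the byte right after "STOR", so "STOR1MB" would not match while "STOR 1MB" would.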