[Snort-sigs] RE: Snort-sigs digest, Vol 1 #747 - 9 msgs

John Impallomeni John.Impallomeni at ...1877...
Wed Oct 29 06:26:05 EST 2003


I was wondering if anyone else had seen a large number of alerts from
the "BAD-TRAFFIC loopback traffic" rule. We had over 12,000 yesterday
when we usually see none. When I try to ping the source addresses (total
of 8108), I keep getting a loopback IP (127.0.0.1). There are only 2
outside internet addresses for the destination address. Also, the
destination port is varying, but they are typical attack ports (21, 22,
23, 80, etc.). Any ideas? Thanks.

John Impallomeni
Systems Administrator
Sun Healthcare Group
john.impallomeni at ...1877...



-----Original Message-----
From: snort-sigs-request at lists.sourceforge.net
[mailto:snort-sigs-request at lists.sourceforge.net] 
Sent: Tuesday, October 28, 2003 9:34 PM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #747 - 9 msgs



Today's Topics:

   1. 2251 and 2252 in netbios.rules (Gregory S Thomas)
   2. Re: MS Messenger Overflow (MS03-043) POC sig (Michael J. Pomraning)
   3. Inverted list of IPs (Martin Olsson)
   4. Re: Active Response in what version? (Dan Monjar)
   5. RE: Inverted list of IPs (Nick Duda)
   6. Re: Active Response in what version? (Matt Kettler)
   7. Re: Active Response in what version? (Jeff Nathan)
   8. TCPDUMP.LOG (al00884047 at ...1985...)
   9. Re: TCPDUMP.LOG (Matt Kettler)

--__--__--

Message: 1
Date: Fri, 24 Oct 2003 13:46:59 -0700
From: Gregory S Thomas <greg.thomas at ...1984...>
To: snort-sigs at lists.sourceforge.net
Organization: Pacific Northwest National Laboratory
Subject: [Snort-sigs] 2251 and 2252 in netbios.rules

The latest version (1.29) of netbios.rules in CVS reverts 2 rules
to earlier versions: sid:2251 from rev:3 to rev:1 and sid:2252
from rev:3 to rev:2.  These are the only backwards revisions
I found in the latest rule files.  Is this intentional or is it
a mistake?

Thanks,

-- greg



--__--__--

Message: 2
Date: Sat, 25 Oct 2003 18:22:22 -0500 (CDT)
From: "Michael J. Pomraning" <mjp at ...1399...>
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Re: MS Messenger Overflow (MS03-043) POC sig

On Mon, 20 Oct 2003, Mike Pomraning wrote:

> I believe this will match Hanabishi Recca's BugTraq POC code for MS03-043

Various improvements, with an eye toward actually matching something (hex
quoting fixed, offset v. depth, etc.):

   alert udp any any -> any 135 (
     msg:"EXPLOIT MS Messenger Buffer Overflow";
     dsize:>100;
     content:"|04 00 28 00|"; offset: 0;
     content:"|14 14 14 14 14 14 14 14 14 14 14 14 14|"; offset: 4;
     classtype:attempted-admin;
     reference:url,www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp;
     reference:url,www.cert.org/advisories/CA-2003-27.html;
     sid:??;
     rev:1;)

Thanks to everyone who responded on and off list, esp. Samuel Adams.

Regards,
Mike
-- 
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
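Added example, not part of Mike's post or of Snort itself: a small Python model of how Snort 2 evaluates content/offset/depth, to show why the "offset v. depth" distinction he mentions matters for this rule. The matcher is an independent re-implementation (not Snort's engine), and the payloads are constructed filler, not real Messenger datagrams.

```python
# Independent model of Snort 2 "content" evaluation with "offset" and
# "depth" (not Snort's engine): offset = where the search starts,
# depth = how many bytes from there to search (None = to payload end).
def content_matches(payload, pattern, offset=0, depth=None):
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end) != -1

# The two byte patterns from the posted rule.
MSGR_HDR = bytes.fromhex("04002800")        # |04 00 28 00|
MSGR_PAD = bytes.fromhex("14" * 13)         # thirteen 0x14 bytes

def rule_as_posted(payload):
    """dsize:>100 plus offset-only contents: each pattern may sit
    anywhere at or after its offset (the search runs to payload end)."""
    return (len(payload) > 100
            and content_matches(payload, MSGR_HDR, offset=0)
            and content_matches(payload, MSGR_PAD, offset=4))

def rule_anchored(payload):
    """Same rule with depth added (depth equal to pattern length), so
    each pattern must sit exactly at its offset."""
    return (len(payload) > 100
            and content_matches(payload, MSGR_HDR, offset=0, depth=4)
            and content_matches(payload, MSGR_PAD, offset=4, depth=13))

# Constructed test payloads for the detector (filler bytes only, not
# real Messenger datagrams).
HIT = MSGR_HDR + MSGR_PAD + b"A" * 120                     # patterns at 0 and 4
SHORT = MSGR_HDR + MSGR_PAD + b"A" * 10                    # fails dsize:>100
SHIFTED = b"\x00" * 8 + MSGR_HDR + MSGR_PAD + b"A" * 120   # patterns at 8 and 12

if __name__ == "__main__":
    for name, p in [("HIT", HIT), ("SHORT", SHORT), ("SHIFTED", SHIFTED)]:
        print(name, rule_as_posted(p), rule_anchored(p))
```

The SHIFTED payload fires the rule as posted but not the anchored variant: offset alone sets where the search begins, and only depth bounds it.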


--__--__--

Message: 3
Date: Tue, 28 Oct 2003 17:21:24 +0100 (CET)
From: Martin Olsson <elof at ...1288...>
Reply-To: Martin Olsson <martin.olsson at ...1288...>
To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] Inverted list of IPs


I have this rule:
alert tcp any any -> any 80 (foo bar...)

Now I want to exclude two source addresses from it. Can I simply do it
like this?

alert tcp ![1.1.1.1/32,2.2.2.2/32] any -> any 80 (foo bar...)


...or will a packet from 2.2.2.2 match the rule anyhow since 2.2.2.2 !=
1.1.1.1?

/Martin



--__--__--

Message: 4
Date: Tue, 28 Oct 2003 11:27:47 -0500
From: Dan Monjar <daniel.monjar at ...1816...>
Subject: Re: [Snort-sigs] Active Response in what version?
To: Matt Kettler <mkettler at ...189...>, Shane Smith
<shane at ...1839...>,
 snort-sigs at lists.sourceforge.net
Reply-to: Dan <daniel.monjar at ...1816...>


--On Monday, October 27, 2003 07:27:52 PM -0500 Matt Kettler
<mkettler at ...189...> wrote:

> When you built snort did you ./configure with --enable-flexresp ?
>
> It's a bit unclear to me right now if you need flexresp v2 for this
> functionality or not.. if you do, flexresp2 is downloadable at:
> http://cerberus.sourcefire.com/~jeff/archives/snort/sp_respond2/
> (linked from www.snort.org main page)

Will that one use libnet 1.1 instead of 1.02a?

--
Daniel Monjar
IS Manager, Technical Services
bioMérieux, Inc.
Durham, NC US



--__--__--

Message: 5
Subject: RE: [Snort-sigs] Inverted list of IPs
Date: Tue, 28 Oct 2003 11:29:27 -0500
From: "Nick Duda" <nduda at ...1896...>
To: "Martin Olsson" <martin.olsson at ...1288...>,
	"snort-sigs mailinglist" <snort-sigs at lists.sourceforge.net>

I use that method and it works for me.

-----Original Message-----
From: Martin Olsson [mailto:elof at ...1288...]
Sent: Tuesday, October 28, 2003 11:21 AM
To: snort-sigs mailinglist
Subject: [Snort-sigs] Inverted list of IPs


I have this rule:
alert tcp any any -> any 80 (foo bar...)

Now I want to exclude two source addresses from it. Can I simply do it
like this?

alert tcp ![1.1.1.1/32,2.2.2.2/32] any -> any 80 (foo bar...)


...or will a packet from 2.2.2.2 match the rule anyhow since 2.2.2.2 !=
1.1.1.1?

/Martin



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
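Added example, not from Martin's or Nick's messages and not Snort's own parser: a Python model of how Snort 2 reads a negated address list like the one in Martin's rule. In Snort the leading "!" applies to the whole bracketed list, so the source field matches only addresses in none of the listed networks; the parser below is an independent re-implementation of that semantics and also accepts "any" and unbracketed CIDRs.

```python
import ipaddress

# Independent model (not Snort's parser) of a Snort 2 IP address field:
# "any", a single CIDR, or a bracketed comma list, optionally negated with
# a leading "!". The "!" applies to the whole list: the field matches only
# addresses that are in NONE of the listed networks.
def parse_ip_spec(spec):
    """Return (negated, networks); networks is None for 'any'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    nets = [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]
    return negated, nets

def ip_spec_matches(spec, addr):
    """True if addr satisfies the address field spec."""
    negated, nets = parse_ip_spec(spec)
    ip = ipaddress.ip_address(addr)
    in_list = True if nets is None else any(ip in net for net in nets)
    return not in_list if negated else in_list

# The source field from Martin's rule: both addresses are excluded.
SRC_SPEC = "![1.1.1.1/32,2.2.2.2/32]"

if __name__ == "__main__":
    for src in ("1.1.1.1", "2.2.2.2", "3.3.3.3"):
        print(src, "matches" if ip_spec_matches(SRC_SPEC, src) else "excluded")
```

A packet from 2.2.2.2 is excluded just like one from 1.1.1.1; negation is evaluated against the list as a whole, not entry by entry.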


--__--__--

Message: 6
Date: Tue, 28 Oct 2003 11:54:24 -0500
To: Dan <daniel.monjar at ...1816...>,
snort-sigs at lists.sourceforge.net
From: Matt Kettler <mkettler at ...189...>
Subject: Re: [Snort-sigs] Active Response in what version?

At 11:27 AM 10/28/2003, Dan Monjar wrote:
>Will that one use libnet 1.1 instead of 1.02a?

Nope..

To quote the webpage:


To compile and use flexresp2 on Unix-like systems you must compile and
install version 1.0.2a of the libnet packet injection library written by
Mike Shiffman.



--__--__--

Message: 7
Date: Tue, 28 Oct 2003 12:10:04 -0500
Subject: Re: [Snort-sigs] Active Response in what version?
Cc: snort-sigs at lists.sourceforge.net
To: Dan <daniel.monjar at ...1816...>
From: Jeff Nathan <jeff at ...95...>

On Tuesday, October 28, 2003, at 11:27 AM, Dan Monjar wrote:

> Will that one use libnet 1.1 instead of 1.02a?

Why not read the README file and see? :)

But to save you the trouble, and to ensure you realize I was only
making a joke, the answer is no.

It does not use libnet 1.1 (flexresp2, now with proper verb tense
agreement: your kids will love it).

-Jeff

> --
> Daniel Monjar
> IS Manager, Technical Services
> bioMérieux, Inc.
> Durham, NC US

--
Top security experts.  Cutting edge tools, techniques and information.
Tokyo, Japan   November, 2003   http://www.pacsec.jp



--__--__--

Message: 8
Date: Tue, 28 Oct 2003 12:57:33 -0600
From: al00884047 at ...1985...
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] TCPDUMP.LOG

Hi. My name is Manuel and excuse me for my English because it isn't very
good. My question is about this:
I want to create a log file with this instruction:

output log_tcpdump: /var/log/tcpdump.log

but it doesn't create anything. I have permissions and there is enough
space for the archive. Do you know why it doesn't work? What do I have to
do to create this archive? Because I need it to analyze the content and
identify certain patterns.

Thank you for the help.


Manuel Guillén



--__--__--

Message: 9
Date: Tue, 28 Oct 2003 14:51:40 -0500
To: al00884047 at ...1985..., snort-sigs at lists.sourceforge.net
From: Matt Kettler <mkettler at ...189...>
Subject: Re: [Snort-sigs] TCPDUMP.LOG

At 01:57 PM 10/28/2003, you wrote:
>I want to create a log file with this instruction:
>
>output log_tcpdump: /var/log/tcpdump.log

Please redirect this question to the snort-users mailing list.
Snort-users is the proper "general purpose" list for configuration and
usage questions, along with general discussion about snort.

The snort-sigs mailing list is for signature design and development.

Also, snort-users has by far more subscribers, so it is more likely
someone will know the answer to your question.





--__--__--



End of Snort-sigs Digest



