[Snort-sigs] signature doesn't match

Alexandru Balan jay at ...1722...
Fri Jun 18 04:43:01 EDT 2004


	Hello,
	My problem follows.
	I run snort on a machine bridged between a server pool and their
gateway. I've been sniffing packets using snort in order to catch worms,
botnets, scans, etc.
	Well... let's say I catch this on port 445...

[root at ...2558... root]# snort -v -d -e -I -X -i br0 dst net y.y.y.0/19 and dst
port 445
[snip]
Version 2.1.3 (Build 27)
By Martin Roesch (roesch at ...435..., www.snort.org)
06/18-14:36:19.492129 0:E:83:63:FD:80 -> 0:4:76:95:18:D9 type:0x800 len:0x3E
x.x.x.x:1805 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:31183 IpLen:20 DgmLen:48 DF
******S* Seq: 0xFB469360  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1420 NOP NOP SackOK
0x0000: 00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E  ..v......c....E.
0x0010: 00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56  .0y.@.v..xPvnHPV
0x0020: 60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02  `N.....F.`....p.
0x0030: FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02        ..|s..........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/18-14:36:19.987047 0:E:83:63:FD:80 -> 0:D:60:19:D6:C8 type:0x800 len:0x3E
x.x.x.x:3710 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:7853 IpLen:20 DgmLen:48 DF
******S* Seq: 0x61612509  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: 00 0D 60 19 D6 C8 00 0E 83 63 FD 80 08 00 45 1E  ..`......c....E.
0x0010: 00 30 1E AD 40 00 76 06 50 C0 D9 2B 01 96 50 56  .0..@.v.P..+..PV
0x0020: 6A 25 0E 7E 01 BD 61 61 25 09 00 00 00 00 70 02  j%.~..aa%.....p.
0x0030: 40 00 17 3D 00 00 02 04 05 B4 01 01 04 02        @..=..........

	And I write the following rule...
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"445 worm";
flow:to_server,established; content:"|00 0E 83 63 FD 80 08 00 45 1E|";
depth:20;  classtype:attempted-recon; priority:2; sid:2000001;)


	At this point, I should have a few hundred (at least) false positives,
but for a reason that eludes me the rule doesn't match anything, although
if I sniff grepping for "00 0E 83 63 FD 80 08 00 45 1E" my console gets
flooded with matches.

	What is wrong with my rule? 

--
Jay
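As an added, educational illustration (not part of the original message and not Snort's own code), the script below parses the first hex dump quoted above and reports where the ten bytes named in the rule's content option actually sit in the frame. It assumes two well-known facts about Snort 2.x rule matching: the content option searches the packet's TCP payload, not the link-layer or IP headers, and flow:established only applies to packets inside a completed TCP handshake. The frame is constructed from the dump on the page; the function names are the example's own.

```python
import struct

# Constructed input: the 62-byte frame from the first hex dump quoted above
# (Ethernet + IPv4 + TCP SYN, no application payload).
FRAME_HEX = (
    "00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E "
    "00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56 "
    "60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02 "
    "FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02"
)
FRAME = bytes.fromhex(FRAME_HEX)

# The byte sequence from the rule's content:"|00 0E 83 63 FD 80 08 00 45 1E|"
PATTERN = bytes.fromhex("00 0E 83 63 FD 80 08 00 45 1E")

ETH_HDR_LEN = 14
TCP_SYN, TCP_ACK = 0x02, 0x10


def dissect(frame):
    """Split an Ethernet/IPv4/TCP frame into header lengths, TCP flags and payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length (IpLen)
    total_len = struct.unpack("!H", ip[2:4])[0]   # IP total length (DgmLen)
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    tcp_hdr_len = (tcp[12] >> 4) * 4              # TCP data offset (TcpLen)
    return {
        "ihl": ihl,
        "total_len": total_len,
        "tcp_hdr_len": tcp_hdr_len,
        "flags": tcp[13],
        "payload": tcp[tcp_hdr_len:],             # empty for this SYN
    }


def locate_pattern(frame, pattern):
    """Name the protocol region where `pattern` first occurs in the raw frame."""
    off = frame.find(pattern)
    if off < 0:
        return None, off
    info = dissect(frame)
    tcp_start = ETH_HDR_LEN + info["ihl"]
    data_start = tcp_start + info["tcp_hdr_len"]
    if off < ETH_HDR_LEN:
        return "ethernet header", off
    if off < tcp_start:
        return "ip header", off
    if off < data_start:
        return "tcp header", off
    return "payload", off


def content_match(frame, pattern, depth=None):
    """Emulate a Snort content/depth check: the search space is the TCP payload only."""
    payload = dissect(frame)["payload"]
    haystack = payload if depth is None else payload[:depth]
    return pattern in haystack


def raw_grep_match(frame, pattern):
    """What grepping the whole hex dump does: search every byte, headers included."""
    return pattern in frame


def is_bare_syn(frame):
    """True for the first packet of a handshake, which no established stream contains."""
    flags = dissect(frame)["flags"]
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


if __name__ == "__main__":
    region, off = locate_pattern(FRAME, PATTERN)
    print(f"pattern found at frame offset {off} ({region})")
    print(f"payload length: {len(dissect(FRAME)['payload'])} bytes")
    print(f"raw grep match: {raw_grep_match(FRAME, PATTERN)}")
    print(f"content/depth:20 match: {content_match(FRAME, PATTERN, depth=20)}")
    print(f"bare SYN: {is_bare_syn(FRAME)}")
```

Run against the quoted frame, the pattern turns up at offset 6, inside the Ethernet header (source MAC, EtherType and the IP version/TOS bytes), while the TCP payload is zero bytes long (DgmLen 48 minus IpLen 20 minus TcpLen 28), so a payload-scoped content search has nothing to match; a grep over the raw dump sees the same bytes because it searches headers too. The packet is also a bare SYN, so a flow:established condition excludes it regardless of the content check.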