[Snort-sigs] signature doesn't match

Alexandru Balan jay at ...1722...
Fri Jun 18 06:48:03 EDT 2004


Thanks, but it still doesn't work.
I even tried leaving the rule like this:
alert tcp any any -> any 445 (msg:"445 worm"; content:"|00 0E 83 63 FD 80 08 00 45 1E|"; classtype:attempted-recon; sid:2000001;)

and it still doesn't match. Curiously enough, when I try content with only
"|00 0E|" or "|83 63|" or other such groups, it matches.
Don't shoot. I'm a newbie at writing rules.

--
Jay


On Fri, 2004-06-18 at 08:26 -0500, Joshua Berry wrote:
> Your rule looks for established connections and these alerts are session
> initiation attempts (SYN only).  Instead of using
> flow:to_server,established, try using flags:S
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Alexandru
> Balan
> Sent: Friday, June 18, 2004 6:43 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] signature doesn't match
> 
> 
> 	Hello,
> 	My problem follows,
> 	I run snort on a machine bridged between a server pool and their
> gateway. I've been sniffing packets using snort in order to catch worms,
> botnets, scans, etc.
> 	Well, let's say I catch this on port 445...
> 
> [root at ...2558... root]# snort -v -d -e -I -X -i br0 dst net y.y.y.0/19 and dst port 445
> [snip]
> Version 2.1.3 (Build 27)
> By Martin Roesch (roesch at ...435..., www.snort.org)
> 06/18-14:36:19.492129 0:E:83:63:FD:80 -> 0:4:76:95:18:D9 type:0x800 len:0x3E
> x.x.x.x:1805 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:31183 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xFB469360  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
> TCP Options (4) => MSS: 1420 NOP NOP SackOK
> 0x0000: 00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E  ..v......c....E.
> 0x0010: 00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56  .0y. at ...2559...
> 0x0020: 60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02  `N.....F.`....p.
> 0x0030: FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02        ..|s..........
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/18-14:36:19.987047 0:E:83:63:FD:80 -> 0:D:60:19:D6:C8 type:0x800 len:0x3E
> x.x.x.x:3710 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:7853 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x61612509  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> 0x0000: 00 0D 60 19 D6 C8 00 0E 83 63 FD 80 08 00 45 1E  ..`......c....E.
> 0x0010: 00 30 1E AD 40 00 76 06 50 C0 D9 2B 01 96 50 56  .0.. at ...2560...+..PV
> 0x0020: 6A 25 0E 7E 01 BD 61 61 25 09 00 00 00 00 70 02  j%.~..aa%.....p.
> 0x0030: 40 00 17 3D 00 00 02 04 05 B4 01 01 04 02        @..=..........
> 
> 	And write the following rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"445 worm"; flow:to_server,established; content:"|00 0E 83 63 FD 80 08 00 45 1E|"; depth:20; classtype:attempted-recon; priority:2; sid:2000001;)
> 
> 
> 	At this point, I should have a few hundred (at least) false positives,
> but for a reason that eludes me the rule doesn't match anything, although
> if I sniff grepping for "00 0E 83 63 FD 80 08 00 45 1E" my console gets
> flooded with matches.
> 
> 	What is wrong with my rule? 
> 
> --
> Jay
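The following is an added example, not code from the thread or from the Snort project. It dissects the first frame printed by `snort -X` above (the hex dump copied here is the sample input, ASCII column dropped) and reports where the bytes named in the rule's `content:` actually sit. Two facts drive the result: `-X` dumps the raw frame starting at the link layer, whereas Snort's `content:` option searches only the TCP/UDP payload; and a bare SYN carries no payload at all. The `analyse` helper and its field names are this example's own.

```python
"""
Locate a Snort-style hex content pattern inside a captured frame and report
which protocol layer it occupies, plus whether the TCP payload (the only region
a Snort content: match inspects) could ever match it.
"""
import struct

# Constructed input: the first packet from the snort -X dump in the thread.
FRAME_HEX = """
00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E
00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56
60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02
FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02
"""

# The content: string from the rule, with Snort's |..| hex delimiters removed.
RULE_CONTENT_HEX = "00 0E 83 63 FD 80 08 00 45 1E"


def hex_to_bytes(text):
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))


def dissect(frame):
    """Return [start, end) byte ranges for each layer of an Ethernet/IPv4/TCP frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 Ethernet frame")
    ip_start = 14
    ihl = (frame[ip_start] & 0x0F) * 4              # IP header length in bytes
    total_len = struct.unpack("!H", frame[ip_start + 2:ip_start + 4])[0]
    if frame[ip_start + 9] != 6:
        raise ValueError("not TCP")
    tcp_start = ip_start + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4     # TCP header length incl. options
    flags = frame[tcp_start + 13]
    payload_start = tcp_start + data_off
    payload_end = ip_start + total_len              # IP total length bounds the payload
    return {
        "ethernet": (0, ip_start),
        "ip": (ip_start, tcp_start),
        "tcp": (tcp_start, payload_start),
        "payload": (payload_start, payload_end),
        "flags": flags,
    }


def layers_covering(layers, start, end):
    """Names of the layers that the byte range [start, end) overlaps."""
    names = []
    for name in ("ethernet", "ip", "tcp", "payload"):
        lo, hi = layers[name]
        if start < hi and end > lo:
            names.append(name)
    return names


def analyse(frame_hex, content_hex):
    """Where does the pattern sit in the raw frame, and is it in the payload?"""
    frame = hex_to_bytes(frame_hex)
    pattern = hex_to_bytes(content_hex)
    layers = dissect(frame)
    payload = frame[layers["payload"][0]:layers["payload"][1]]
    offset = frame.find(pattern)
    return {
        "frame_offset": offset,
        "layers": layers_covering(layers, offset, offset + len(pattern)) if offset >= 0 else [],
        "syn_only": layers["flags"] == 0x02,        # SYN set, nothing else
        "payload_len": len(payload),
        "payload_match": payload.find(pattern) >= 0,
    }


if __name__ == "__main__":
    for key, value in analyse(FRAME_HEX, RULE_CONTENT_HEX).items():
        print(f"{key}: {value}")
```

Run as-is, it reports the pattern at frame offset 6, spanning the Ethernet header (source MAC and EtherType) into the first two bytes of the IP header (version/IHL and TOS), a SYN-only flag byte, and a payload length of zero, so no `content:` match is possible regardless of the `flow:` or `flags:` keyword chosen. The two-byte fragments that did fire for the author are plausibly matching real SMB payloads on other port-445 packets rather than this frame.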