[Snort-sigs] signature doesn't match

Joshua Berry jberry at ...2562...
Mon Jun 21 06:23:04 EDT 2004


Sorry, I wasn't paying enough attention.  I believe that the content
keyword only looks at the data portion of the packet, therefore this
signature will not work because it is looking for a MAC address (which
won't be in the payload portion of the packet).

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Joshua
Berry
Sent: Friday, June 18, 2004 8:27 AM
To: Alexandru Balan; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] signature doesn't match

Your rule looks for established connections and these alerts are session
initiation attempts (SYN only).  Instead of using
flow:to_server,established, try using flags:S

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Alexandru
Balan
Sent: Friday, June 18, 2004 6:43 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] signature doesn't match


	Hello,
	My problem follows,
	I run snort on a machine bridged between a server pool and their
gateway. I've been sniffing packets using snort in order to catch worms,
botnets, scans, etc.. 
	Well.. let's say i catch this on port 445...

[root at ...2558... root]# snort -v -d -e -I -X -i br0 dst net y.y.y.0/19 and dst port 445
[snip]
Version 2.1.3 (Build 27)
By Martin Roesch (roesch at ...435..., www.snort.org)
06/18-14:36:19.492129 0:E:83:63:FD:80 -> 0:4:76:95:18:D9 type:0x800 len:0x3E
x.x.x.x:1805 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:31183 IpLen:20 DgmLen:48 DF
******S* Seq: 0xFB469360  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1420 NOP NOP SackOK
0x0000: 00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E  ..v......c....E.
0x0010: 00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56  .0y. at ...2559...
0x0020: 60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02  `N.....F.`....p.
0x0030: FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02        ..|s..........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/18-14:36:19.987047 0:E:83:63:FD:80 -> 0:D:60:19:D6:C8 type:0x800 len:0x3E
x.x.x.x:3710 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:7853 IpLen:20 DgmLen:48 DF
******S* Seq: 0x61612509  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: 00 0D 60 19 D6 C8 00 0E 83 63 FD 80 08 00 45 1E  ..`......c....E.
0x0010: 00 30 1E AD 40 00 76 06 50 C0 D9 2B 01 96 50 56  .0.. at ...2560...+..PV
0x0020: 6A 25 0E 7E 01 BD 61 61 25 09 00 00 00 00 70 02  j%.~..aa%.....p.
0x0030: 40 00 17 3D 00 00 02 04 05 B4 01 01 04 02        @..=..........

	And I wrote the following rule..

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"445 worm"; flow:to_server,established; content:"|00 0E 83 63 FD 80 08 00 45 1E|"; depth:20; classtype:attempted-recon; priority:2; sid:2000001;)


	At this point, I should have a few hundred (at least) false positives,
but for a reason that eludes me the rule doesn't match anything, although
if I sniff grepping for "00 0E 83 63 FD 80 08 00 45 1E" my console gets
flooded with matches.

	What is wrong with my rule?

--
Jay
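To make both replies concrete, here is an added Python example (not from the thread) that parses the first frame from the dump above, reports which layer a raw search, like the grep on the sniffer output, finds the content bytes in, and models Snort's payload-only content/depth match. The layer names and the per-packet flag checks are my own simplification (Snort's flow:established is tracked per stream, not per packet).

```python
import struct

# Frame transcribed from the first packet dump in the thread (62 bytes:
# 14 Ethernet + 20 IP + 28 TCP header, no payload at all).
FRAME = bytes.fromhex(
    "00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E"
    "00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56"
    "60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02"
    "FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02"
)
# The bytes the rule's content: option looks for (source MAC, ethertype, 2 IP bytes).
PATTERN = bytes.fromhex("00 0E 83 63 FD 80 08 00 45 1E")
TCP_SYN = 0x02

def dissect(frame):
    """Return layer offsets and TCP flags; assumes Ethernet II / IPv4 / TCP as in the dump."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    ip_len = struct.unpack("!H", frame[ip_off + 2:ip_off + 4])[0]
    if frame[ip_off + 9] != 6:
        raise ValueError("not TCP")
    tcp_off = ip_off + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {"ip_off": ip_off, "tcp_off": tcp_off, "payload_off": tcp_off + data_off,
            "end": ip_off + ip_len, "flags": frame[tcp_off + 13]}

def layer_of(frame, pattern):
    """Name the layer where a raw search over the whole frame first hits the pattern."""
    d = dissect(frame)
    i = frame.find(pattern)
    if i < 0:
        return None
    for name, limit in (("ethernet", d["ip_off"]), ("ip", d["tcp_off"]),
                        ("tcp", d["payload_off"])):
        if i < limit:
            return name
    return "payload"

def content_matches(frame, pattern, depth=None):
    """Model Snort's content:/depth: semantics: only the TCP payload is searched."""
    d = dissect(frame)
    payload = frame[d["payload_off"]:d["end"]]
    return pattern in (payload if depth is None else payload[:depth])

def is_bare_syn(frame):
    """What flags:S selects; a bare SYN can never be part of an established flow."""
    return dissect(frame)["flags"] == TCP_SYN
```

Running `layer_of(FRAME, PATTERN)` gives "ethernet" while `content_matches(FRAME, PATTERN, depth=20)` is False: the payload slice is empty, so no content: option can ever see a MAC address.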

