Re: [Snort-sigs] signature doesn't match

Lutz Schildt ls at ...2172...
Tue Jun 22 01:43:02 EDT 2004


I think content is a payload option and doesn't look for the pattern in the
header portion of a packet, so looking for a specific MAC address using content won't work.

Best regards,

Lutz Schildt

---
mcb multimedia-centrum bremerhaven GmbH
Schifferstraße 10 - 14
D-27568 Bremerhaven

www http://www.mcb-bremerhaven.de
mail ls at ...2172... 
tel 0471 92626 12
fax 0471 92626 17


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net [mailto:snort-sigs-admin at ...2570...sourceforge.net] On Behalf Of Alexandru Balan
Sent: Friday, June 18, 2004 15:43
To: snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] signature doesn't match


	You have a very good point. Still though, I have no matches :(
	I tried modifying the rule to
alert tcp any any -> any 445 (msg:"445 worm"; content:"|00 0E 83 63 FD 80 08 00 45 1E|"; classtype:attempted-recon; sid:2000001;)
... and it still doesn't match :(

On Fri, 2004-06-18 at 08:26 -0500, Joshua Berry wrote:
> Your rule looks for established connections and these alerts are session
> initiation attempts (SYN only).  Instead of using
> flow:to_server,established, try using flags:S
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Alexandru
> Balan
> Sent: Friday, June 18, 2004 6:43 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] signature doesn't match
> 
> 
> 	Hello,
> 	My problem follows,
> 	I run snort on a machine bridged between a server pool and their
> gateway. I've been sniffing packets using snort in order to catch worms,
> botnets, scans, etc.. 
> 	Well.. let's say i catch this on port 445...
> 
> [root at ...2558... root]# snort -v -d -e -I -X -i br0 dst net y.y.y.0/19 and dst port 445
> [snip]
> Version 2.1.3 (Build 27)
> By Martin Roesch (roesch at ...435..., www.snort.org)
> 06/18-14:36:19.492129 0:E:83:63:FD:80 -> 0:4:76:95:18:D9 type:0x800 len:0x3E
> x.x.x.x:1805 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:31183 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xFB469360  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
> TCP Options (4) => MSS: 1420 NOP NOP SackOK
> 0x0000: 00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E  ..v......c....E.
> 0x0010: 00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56  .0y. at ...2559...
> 0x0020: 60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02  `N.....F.`....p.
> 0x0030: FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02        ..|s..........
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/18-14:36:19.987047 0:E:83:63:FD:80 -> 0:D:60:19:D6:C8 type:0x800 len:0x3E
> x.x.x.x:3710 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:7853 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x61612509  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> 0x0000: 00 0D 60 19 D6 C8 00 0E 83 63 FD 80 08 00 45 1E  ..`......c....E.
> 0x0010: 00 30 1E AD 40 00 76 06 50 C0 D9 2B 01 96 50 56  .0.. at ...2560...+..PV
> 0x0020: 6A 25 0E 7E 01 BD 61 61 25 09 00 00 00 00 70 02  j%.~..aa%.....p.
> 0x0030: 40 00 17 3D 00 00 02 04 05 B4 01 01 04 02        @..=..........
> 
> 	And write the following rule.. 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"445 worm"; flow:to_server,established; content:"|00 0E 83 63 FD 80 08 00 45 1E|"; depth:20; classtype:attempted-recon; priority:2; sid:2000001;)
> 
> 
> 	At this point, I should have a few hundred (at least) false positives,
> but for a reason that eludes me the rule doesn't match anything, although
> if I sniff grepping for "00 0E 83 63 FD 80 08 00 45 1E" my console gets
> flooded with matches.
> 
> 	What is wrong with my rule? 
> 
> --
> Jay
-- 
Alexandru Balan
Network Administrator - iNES Group
url : http://www.ines.ro
tel : +40-21-2322112
fax: +40-21-2323461
Public GnuPG key 8A5BF5F8 available at
http://www.ines.ro/public_keys/alexb.gpg
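The two SYN frames in the dump make Lutz's point concrete. The Python below is an added example (not code from this thread and not part of Snort) that decodes the first frame byte for byte and then runs the rule's ten-byte pattern through two searches: the payload-only search that Snort's `content` option performs, and the whole-frame search that `grep` over `snort -X` output amounts to, since `-X` dumps the packet from the link layer onward. It also evaluates the SYN-only test that `flags:S` performs, which is what Joshua suggested in place of `flow:to_server,established`. The frame bytes are copied from the first `0x0000`..`0x0030` dump in the post; the function names and the rest of the code are my own.

```python
"""
Why the posted rule never fires: the ten-byte pattern sits in the Ethernet
and IP headers, and a bare TCP SYN carries no payload for `content` to scan.

Added example, not code from the thread or from Snort. Function names are mine.
"""
import struct
from typing import Optional

# Bytes copied from the first hex dump in the post (62 bytes, matching
# len:0x3E): Ethernet header, IPv4 header, TCP SYN with options, no payload.
FRAME_HEX = (
    "00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E "
    "00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56 "
    "60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02 "
    "FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02"
)

# The |..| byte string from the posted rule: source MAC (6), EtherType (2),
# IP version/IHL (1) and TOS (1). Every one of these bytes is header, not payload.
RULE_PATTERN = bytes.fromhex("00 0E 83 63 FD 80 08 00 45 1E")

ETH_HLEN = 14
TCP_SYN = 0x02


def parse_frame(hex_dump: str) -> dict:
    """Decode Ethernet/IPv4/TCP headers and return the fields plus the TCP payload."""
    raw = bytes.fromhex(hex_dump)
    eth_dst, eth_src = raw[0:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("example handles IPv4 only")
    ip = raw[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # DgmLen in Snort's output
    if ip[9] != 6:
        raise ValueError("example handles TCP only")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4                 # TcpLen in Snort's output
    return {
        "raw": raw,
        "eth_src": eth_src,
        "eth_dst": eth_dst,
        "src_port": src_port,
        "dst_port": dst_port,
        "tcp_flags": tcp[13],
        # Frame offset of the first payload byte; everything before it is header.
        "payload_offset": ETH_HLEN + ihl + data_off,
        "payload": tcp[data_off:],
    }


def content_match(frame: dict, pattern: bytes, depth: Optional[int] = None) -> bool:
    """Snort `content` semantics: search the payload only, limited to `depth` bytes if given."""
    haystack = frame["payload"] if depth is None else frame["payload"][:depth]
    return pattern in haystack


def frame_match(frame: dict, pattern: bytes) -> int:
    """What grep over `snort -X` output sees: pattern offset in the whole frame, or -1."""
    return frame["raw"].find(pattern)


def flags_syn_only(frame: dict) -> bool:
    """Snort `flags:S` without modifiers: SYN set and no other flag bit set."""
    return frame["tcp_flags"] == TCP_SYN


if __name__ == "__main__":
    f = parse_frame(FRAME_HEX)
    print("src MAC                :", f["eth_src"].hex(":"))
    print("dst port / SYN-only    :", f["dst_port"], flags_syn_only(f))
    print("payload bytes          :", len(f["payload"]), "(payload would start at offset",
          f["payload_offset"], "of a", len(f["raw"]), "byte frame)")
    print("pattern in whole frame :", "offset", frame_match(f, RULE_PATTERN))
    print("Snort content, depth 20:", content_match(f, RULE_PATTERN, depth=20))
```

Run stand-alone, the script reports the pattern at frame offset 6, inside the Ethernet header, while the payload is zero bytes long; `content` with or without `depth:20` therefore has nothing to search and returns no match, exactly as observed, while the SYN-only check that `flags:S` performs is true for this frame.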



