[Snort-sigs] Some interesting stats on base components of rules

Sean Wheeler s.wheeler at ...944...
Wed Mar 31 11:18:10 EST 2004


Hi,

I am presently building a component which will dynamically assign rules
based on passively OS-fingerprinted hosts.
Part of this process involves building a couple of arrays and statistics. Having
a look below you will notice some interesting/strange things in the rules
(Snort 2.1.1 rules, latest snapshot; 3 rules omitted).

I am sending this in the hope that it will aid our signature maintainers. If there are
any other stats you would like to see, please send me a mail, as I am presently
doing plenty of this kind of thing.

regards

Sean

The details are below:

What I have spotted so far:

The variable $SHELLCODE_PORTS is used as src_port, BUT there are also occurrences
where port !80 is hard-coded instead. A rule that hard-codes the port only agrees
with the variable when the variable still has its default value; any site that
sets $SHELLCODE_PORTS differently will have these rules match on a different
port set than the rest of the ruleset. These are the SIDs:

+------+
| sid  |
+------+
| 145  |
+------+

The variable $HTTP_PORTS is used as src_port, BUT there are also occurrences where port
80 is hard-coded instead (so these rules do not follow a site-specific $HTTP_PORTS). These are the SIDs:
+------+
| sid  |
+------+
|  106 |
| 1832 |
|  112 |
|  283 |
|  488 |
| 1437 |
| 1438 |
| 1439 |
| 1440 |
+------+

The variable $SHELLCODE_PORTS is used as dst_port, BUT there are also occurrences
where port !80 is hard-coded instead (so these rules do not follow a site-specific $SHELLCODE_PORTS). These are the SIDs:

+------+
| sid  |
+------+
| 1432 |
+------+

The variable $HTTP_PORTS is used as dst_port, BUT there are also occurrences where port
80 is hard-coded instead (so these rules do not follow a site-specific $HTTP_PORTS). These are the SIDs:
+------+
| sid  |
+------+
| 1121 |
|  855 |
| 1619 |
| 1114 |
| 1749 |
| 1545 |
|  311 |
| 1436 |
|  619 |
+------+

PROTOCOL COUNT :2276
Array
(
    [tcp] => 1862
    [ip] => 44
    [udp] => 237
    [icmp] => 133
)
SRC IP COUNT :2276
Array
(
    [home_net] => 113
    [http_servers] => 13
    [any] => 106
    [external_net] => 2010
    [255.255.255.0/24] => 2
    [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] => 3
    [3.3.3.3/32] => 1
    [smtp_servers] => 19
    [63.251.224.177] => 1
    [sql_servers] => 2
    [telnet_servers] => 6
)
SRC PORT COUNT :2276
Array
(
    [any] => 1975
    [http_ports] => 44
    [8002] => 1
    [749] => 1
    [751] => 1
    [22] => 3
    [512] => 1
    [!21:23] => 1
    [27374] => 1
    [16959] => 1
    [12345:12346] => 1
    [20034] => 1
    [2140] => 8
    [3150] => 3
    [4120] => 2
    [6789] => 1
    [1024:] => 1
    [2589] => 1
    [80] => 9
    [146] => 2
    [666] => 2
    [1000:1300] => 1
    [31785] => 1
    [!80] => 1
    [30100] => 1
    [6969] => 1
    [5401:5402] => 1
    [23476] => 1
    [30100:30102] => 1
    [5031] => 1
    [3344] => 1
    [3345] => 1
    [5714] => 1
    [555] => 1
    [31790] => 1
    [6666:7000] => 1
    [12754] => 1
    [15104] => 1
    [5631] => 1
    [6000:6005] => 1
    [12346] => 1
    [60000] => 55
    [110] => 74
    [53] => 3
    [19] => 1
    [21] => 2
    [4000] => 4
    [23] => 9
    [20] => 1
    [5631:5632] => 1
    [7161] => 1
    [2002] => 1
    [49] => 2
    [500] => 1
    [2401] => 7
    [119] => 1
    [902] => 1
    [2998] => 1
    [8888] => 1
    [25] => 2
    [513] => 2
    [10101] => 1
    [shellcode_ports] => 22
    [113] => 1
    [1433] => 1
    [139] => 1
)
DST IP COUNT :2276
Array
(
    [external_net] => 151
    [any] => 101
    [home_net] => 876
    [telnet_servers] => 21
    [216.80.99.202] => 1
    [212.146.0.34] => 1
    [127.0.0.0/8] => 1
    [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] => 1
    [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] => 2
    [http_servers] => 1007
    [sql_servers] => 66
    [smtp_servers] => 45
    [64.245.58.0/23] => 1
    [255.255.255.255] => 2
)
DST PORT COUNT :2276
Array
(
    [any] => 471
    [12345:12346] => 1
    [2140] => 54
    [3150] => 3
    [4120] => 1
    [1094] => 1
    [2589] => 1
    [1024:] => 7
    [1054] => 1
    [7597] => 1
    [1000:1300] => 1
    [146] => 1
    [21554] => 1
    [666] => 1
    [5032] => 1
    [!53:80] => 1
    [3345] => 1
    [3344] => 1
    [79] => 16
    [23] => 21
    [31789] => 1
    [35555] => 1
    [33270] => 1
    [1963] => 1
    [34012] => 1
    [3127:3199] => 1
    [0] => 2
    [1863] => 6
    [6666:7000] => 8
    [31335] => 3
    [20432] => 1
    [27665] => 3
    [27444] => 1
    [18753] => 1
    [20433] => 1
    [6838] => 1
    [10498] => 3
    [12754] => 1
    [15104] => 1
    [27374] => 2
    [80] => 9
    [http_ports] => 1025
    [oracle_ports] => 26
    [143] => 25
    [119] => 11
    [67] => 5
    [12346] => 1
    [31337] => 1
    [60000] => 9
    [53] => 18
    [21] => 90
    [32771:34000] => 4
    [111] => 69
    [32771] => 3
    [634:1400] => 1
    [22] => 7
    [32770:] => 2
    [139] => 47
    [25] => 65
    [110] => 22
    [7] => 2
    [7070] => 2
    [8080] => 8
    [161] => 12
    [9] => 1
    [617] => 1
    [135:139] => 1
    [3372] => 1
    [6004] => 1
    [6789:6790] => 1
    [2766] => 1
    [515] => 3
    [6373] => 1
    [9090] => 2
    [123] => 1
    [518] => 1
    [635] => 3
    [2224] => 1
    [4242] => 1
    [4321] => 1
    [6112] => 1
    [32772:34000] => 1
    [749] => 3
    [751] => 3
    [1655] => 2
    [500] => 10
    [3535] => 2
    [:1023] => 2
    [1417] => 1
    [5631] => 1
    [70] => 1
    [177] => 2
    [1900] => 3
    [7001] => 1
    [32000] => 1
    [443] => 1
    [2002] => 1
    [3389] => 3
    [2533] => 1
    [27155] => 1
    [7100] => 1
    [873] => 2
    [2401] => 1
    [1723] => 2
    [179] => 2
    [3306] => 2
    [135] => 4
    [445] => 11
    [8888] => 6
    [!80] => 1
    [6699] => 1
    [7777] => 1
    [6666] => 1
    [5555] => 1
    [8875] => 1
    [1214] => 1
    [6881:6889] => 1
    [5632] => 1
    [9100] => 1
    [9000:9002] => 1
    [5800:5802] => 1
    [49] => 2
    [109] => 4
    [500:] => 6
    [513] => 5
    [514] => 4
    [512] => 1
    [113] => 1
    [3128] => 1
    [1080] => 1
    [10080:10081] => 1
    [161:162] => 2
    [162] => 4
    [705] => 1
    [1433] => 18
    [1434] => 4
    [69] => 11
    [1220] => 2
    [3000] => 1
    [8181] => 2
    [4080] => 1
    [8000] => 1
    [457] => 1
    [2301] => 2
    [1812] => 1
    [8000:8001] => 1
    [554] => 1
    [6000] => 2
)




