[Snort-sigs] Sig Not Firing

Bill Scherr IV bschnzl at ...3374...
Tue Jul 7 17:13:57 EDT 2009


Matt (et al)

Jun 28 22:21:33 gw snort[5194]: Daemon initialized, signaled parent pid: 5193
Jul  7 16:30:22 gw snort[5194]: *** Caught Term-Signal

Jul  7 16:43:10 gw snort[5194]: ===============================================================================
Jul  7 16:43:15 gw snort[5194]: Snort ran for 8 Days 18 Hours 19 Minutes 43 Seconds
Jul  7 16:43:17 gw snort[5194]: Snort Analyzed 928776 Packets Per Day
Jul  7 16:43:17 gw snort[5194]: Snort Analyzed 35381 Packets Per Hour
Jul  7 16:43:17 gw snort[5194]: Snort Analyzed 588 Packets Per Minute
Jul  7 16:43:17 gw snort[5194]: Snort Analyzed 9 Packets Per Second
[...]
Jul  7 16:43:17 gw snort[5194]: ===============================================================================
Jul  7 16:43:17 gw snort[5194]: dcerpc2 Preprocessor Statistics
Jul  7 16:43:18 gw snort[5194]:   Total sessions: 799
Jul  7 16:43:18 gw snort[5194]:   Missed bytes: 27793761
Jul  7 16:43:18 gw snort[5194]:   Total sessions autodetected: 311
Jul  7 16:43:18 gw snort[5194]:   Bad autodetects: 9
Jul  7 16:43:18 gw snort[5194]:
Jul  7 16:43:18 gw snort[5194]:   Transports
Jul  7 16:43:18 gw snort[5194]:     TCP
Jul  7 16:43:18 gw snort[5194]:       Total sessions: 799
Jul  7 16:43:18 gw snort[5194]:       Packet stats
Jul  7 16:43:18 gw snort[5194]:         Packets: 1658
Jul  7 16:43:18 gw snort[5194]:
Jul  7 16:43:18 gw snort[5194]:   DCE/RPC
Jul  7 16:43:18 gw snort[5194]:     Connection oriented
Jul  7 16:43:18 gw snort[5194]:       Packet stats
Jul  7 16:43:18 gw snort[5194]:         Packets: 1658
Jul  7 16:43:18 gw snort[5194]:         Bind: 76
Jul  7 16:43:18 gw snort[5194]:         Bind Ack: 0
Jul  7 16:43:18 gw snort[5194]:         Other response type: 5
Jul  7 16:43:18 gw snort[5194]:         Fragments: 0
Jul  7 16:43:18 gw snort[5194]:         Max fragment size: 0
Jul  7 16:43:18 gw snort[5194]:         Reassembled: 0
Jul  7 16:43:18 gw snort[5194]: ===============================================================================
Jul  7 16:43:21 gw snort[5194]: Snort exiting


The box is a Pentium MMX 175MHz, 64MB RAM.  That may be too little...

B.

Circa 16:04, 7 Jul 2009, a note, claiming source Matt Watchinski <mwatchinski at ...435...>, was sent to me:

Date sent:      	Tue, 7 Jul 2009 16:04:45 -0400
Subject:        	Re: [Snort-sigs] Sig Not Firing
From:           	Matt Watchinski <mwatchinski at ...435...>
To:             	bschnzl at ...3374...
Copies to:      	snort-sigs at lists.sourceforge.net

> What is snort's output when you run this pcap with your rule?  I.e. what's
> in the DCERPC stats section when snort exits.
>
> -matt
>
> On Tue, Jul 7, 2009 at 3:17 PM, Bill Scherr IV<bschnzl at ...3374...> wrote:
> > Hi Folks...
> >
> > Why won't this rule fire???
> >
> > Here is the rule:
> > alert tcp $EXTERNAL_NET ANY -> $HOME_NET 1024:2048 (msg:"NETBIOS DCERPC
> > rpcmgmt ifids Unauthenticated Access"; flow:established,to_server; content:"|05|";
> > dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989;
> > reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf;
> > reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf;
> > reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html; classtype:attempted-recon;
> > sid:2999001; rev:1;)
> >
> > Here is the packet Hex:
> > 0000  00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20   ...R. at ...2917...2...+wu...E
> > 0010  00 70 14 b4 40 00 6b 06 xx xx dc a3 fc 38 43 a6   .p.. at ...3388...3...
> > 0020  xx xx 04 27 04 00 00 84 61 c8 c9 20 c2 24 50 18   xx.'....a.. .$P.
> > 0030  ff ff e0 a3 00 00 05 00 0b 03 10 00 00 00 48 00   ..............H.
> > 0040  00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00   ................
> > 0050  00 00 00 00 01 00 80 bd a8 af 8a 7d c9 11 be f4   ...........}....
> > 0060  08 00 2b 10 29 89 01 00 00 00 04 5d 88 8a eb 1c   ..+.)......]....
> > 0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00         ......+.H`....
> >
{snipped}



Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at ...3384...
bscherr at ...3385...
703-478-7608
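An added check, not part of the thread: the Python below decodes the frame Bill posted, pulls out the TCP ports and the DCE/RPC connection-oriented bind PDU, decodes the abstract-syntax (interface) UUID honouring the drep byte-order flag, and compares it with the rule's dce_iface. For this frame the destination port (1024) sits inside the rule's 1024:2048 range and the bind targets exactly the UUID the rule names, so neither the port range nor the interface is why the rule stays quiet. The bytes masked as xx in the post are assumed to be zero, which does not affect any decoded field.

```python
import struct
import uuid
# Frame from the thread; bytes the poster masked as "xx" are taken as zero,
# which touches neither the TCP ports nor the DCE/RPC payload decoded below.
HEXDUMP = """\
0000  00 14 bf 52 fe 40 00 d0 2b 77 75 01 08 00 45 20
0010  00 70 14 b4 40 00 6b 06 xx xx dc a3 fc 38 43 a6
0020  xx xx 04 27 04 00 00 84 61 c8 c9 20 c2 24 50 18
0030  ff ff e0 a3 00 00 05 00 0b 03 10 00 00 00 48 00
0040  00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00
0050  00 00 00 00 01 00 80 bd a8 af 8a 7d c9 11 be f4
0060  08 00 2b 10 29 89 01 00 00 00 04 5d 88 8a eb 1c
0070  c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
"""
RULE_IFACE = "afa8bd80-7d8a-11c9-bef4-08002b102989"  # dce_iface from the rule
BIND = 0x0B  # connection-oriented DCE/RPC PDU type: bind

def parse_hexdump(text):
    raw = bytearray()
    for line in text.splitlines():
        raw += bytes(0 if t == "xx" else int(t, 16) for t in line.split()[1:])
    return bytes(raw)

def tcp_payload(frame):
    """(src_port, dst_port, payload) from an Ethernet/IPv4/TCP frame."""
    tcp = 14 + (frame[14] & 0x0F) * 4           # Ethernet header + IHL
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    return sport, dport, frame[tcp + (frame[tcp + 12] >> 4) * 4:]

def decode_bind(pdu):
    """Return (frag_length, [(interface_uuid, major, minor), ...]) of a bind."""
    assert pdu[2] == BIND, "not a bind PDU"
    le = (pdu[4] >> 4) == 1                       # drep: sender's integer byte order
    order = "<" if le else ">"
    frag_len = struct.unpack(order + "H", pdu[8:10])[0]
    n_ctx, off, contexts = pdu[24], 28, []        # header(16) + 8 + ctx count
    for _ in range(n_ctx):
        n_ts = pdu[off + 2]                       # transfer syntaxes in this ctx
        raw = pdu[off + 4:off + 20]
        u = uuid.UUID(bytes_le=raw) if le else uuid.UUID(bytes=raw)
        major, minor = struct.unpack(order + "HH", pdu[off + 20:off + 24])
        contexts.append((str(u), major, minor))
        off += 24 + 20 * n_ts                     # skip transfer-syntax entries
    return frag_len, contexts

def check_rule_against_frame(hexdump=HEXDUMP, rule_iface=RULE_IFACE):
    _, dport, payload = tcp_payload(parse_hexdump(hexdump))
    frag_len, contexts = decode_bind(payload)
    return dport, frag_len, any(c[0] == rule_iface for c in contexts)
```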
