[Snort-users] tfn2k snort alert at whitehats.com
vision at ...4...
Mon Oct 16 17:03:39 EDT 2000
At 01:36 PM 10/16/2000 -0500, Erick Arturo Perez Huemer wrote:
>Every time snort-update checks whitehats.com for a new signature file, SNORT
>logs an IDS427 (tfn2k tcp possible communication)
>Here is the auth.log dump:
>Oct 16 08:01:16 thor snort: IDS427/tfn2k-tcp_possible_communication:
>Oct 16 09:01:11 thor snort: IDS427/tfn2k-tcp_possible_communication:
>Oct 16 10:01:12 thor snort: IDS427/tfn2k-tcp_possible_communication:
>What is strange is that in my /var/log/snort there is no entry for that IP, so no
>packets have been logged and no actual packet data is available.
>Is this normal or am I doing something wrong?
You are doing fine - the problem is that the signature is terrible. It's
too general (any type of tcp packet to any port, with a fairly bland
content that varies in length). We don't have regular expressions or any
reasonable way yet to say "look for several trailing 'A' characters at the
end of a packet". So looking for AAAAAA in any tcp packet was the best
that could be done.
I've deactivated the signature generation portion of this event so it won't
show up in the configuration files, but the record can still be viewed at
http://whitehats.com/IDS/427. Hopefully someone will figure out a clever
way to detect this traffic. :)
I'm cross-posting to the arachNIDS list in case someone else has a good
idea for this rule. The TFN2k traffic I watched looked pretty random...
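Added example, not part of the original thread and not the text of the IDS427 rule itself: a small Python script that contrasts the overly general check the reply complains about (the string AAAAAA appearing anywhere in any TCP payload) with the tighter heuristic it wishes for (a run of 'A' characters anchored at the very end of the payload). The sample payloads, the byte values in them and the minimum run length of 6 are all constructed for illustration; nothing here is captured TFN2k traffic.

```python
"""
Constructed comparison of two payload checks for the 'trailing A' idea
discussed in the thread. Not Snort's IDS427 rule and not captured traffic:
every payload below is invented, and MIN_RUN is an assumed threshold.
"""
import re

# Assumed minimum length of the trailing run of 'A' bytes (0x41).
MIN_RUN = 6

# Constructed sample TCP payloads (not real captures).
SAMPLE_PAYLOADS = {
    # Benign HTTP request whose query string happens to contain AAAAAA
    # in the middle; this is the kind of packet the general rule fires on.
    "http_benign": b"GET /index.html?t=ZZAAAAAAZZ HTTP/1.0\r\nHost: whitehats.com\r\n\r\n",
    # Binary payload with a run of A's that is NOT at the end.
    "mid_run": b"\x00\x00\x00\x00" + b"A" * 8 + b"\xff\xff\xff",
    # Payload shaped like the reply's description: random-looking bytes
    # followed by a run of A's at the very end.
    "tfn2k_like": b"\x8f\x11\xa3\x2c\x77" + b"A" * 12,
    # Trailing run that is too short to reach the threshold.
    "short_tail": b"hello" + b"A" * 5,
    "empty": b"",
}


def naive_match(payload: bytes) -> bool:
    """The overly general check: AAAAAA anywhere in the payload, any port."""
    return b"AAAAAA" in payload


def trailing_a_run(payload: bytes) -> int:
    """Length of the run of 'A' bytes at the very end of the payload."""
    n = 0
    for b in reversed(payload):
        if b != 0x41:
            break
        n += 1
    return n


def trailing_match(payload: bytes, min_run: int = MIN_RUN) -> bool:
    """The heuristic the reply asks for: at least min_run A's at the end."""
    return trailing_a_run(payload) >= min_run


def trailing_match_regex(payload: bytes, min_run: int = MIN_RUN) -> bool:
    """Same check expressed as a regex anchored to the end of the data.
    Snort in 2000 had no regex support, which is the gap the reply notes."""
    return re.search(rb"A{%d,}\Z" % min_run, payload) is not None


def evaluate(payloads=SAMPLE_PAYLOADS, min_run: int = MIN_RUN) -> dict:
    """Return {name: (naive_hit, trailing_hit)} for each sample payload."""
    return {
        name: (naive_match(p), trailing_match(p, min_run))
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, (naive, trailing) in evaluate().items():
        print(f"{name:12s} naive={naive!s:5s} trailing={trailing}")
```

Run against the constructed samples, the general check fires on the HTTP request and on the binary packet with A's in the middle, while the end-anchored check fires only on the payload that actually ends in a long run of A's. The anchored check is still only a heuristic, as the reply's remark about TFN2k traffic looking random implies; the point is that anchoring and a minimum run length remove the most obvious false positives the unanchored AAAAAA match produces.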