[Snort-users] tfn2k snort alert at whitehats.com

Max Vision vision at ...4...
Mon Oct 16 17:03:39 EDT 2000


At 01:36 PM 10/16/2000 -0500, Erick Arturo Perez Huemer wrote:
>Every time snort-update checks whitehats.com for a new signature file, SNORT
>logs an IDS427 (tfn2k tcp possible communication)
>Here is the auth.log dump:
>Oct 16 08:01:16 thor snort[17186]: IDS427/tfn2k-tcp_possible_communication:
>199.181.107.23
>Oct 16 09:01:11 thor snort[17326]: IDS427/tfn2k-tcp_possible_communication:
>199.181.107.23
>Oct 16 10:01:12 thor snort[17470]: IDS427/tfn2k-tcp_possible_communication:
>199.181.107.23
>
>Strange is that in my /var/log/snort there is no entry for that IP so no
>packets have been logged and no actual packet data is available.
>
>Is this normal or am I doing something wrong?

You are doing fine - the problem is that the signature is terrible.  It's 
too general (any type of tcp packet to any port, with a fairly bland 
content that varies in length).  We don't have regular expressions or any 
reasonable way yet to say "look for several trailing 'A' characters at the 
end of a packet".  So looking for AAAAAA in any tcp packet was the best 
that could be done.

I've deactivated the signature generation portion of this event so it won't 
show up in the configuration files, but the record can still be viewed at 
http://whitehats.com/IDS/427.  Hopefully someone will figure out a clever 
way to detect this traffic. :)

I'm cross-posting to the arachNIDS list in case someone else has a good 
idea for this rule.  The TFN2k traffic I watched looked pretty random...

Max Vision
http://whitehats.com/
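The reply above explains why IDS427 fires on ordinary whitehats.com traffic: a plain content match for "AAAAAA" anywhere in any TCP packet cannot express "the payload ends with a run of 'A' characters". The following is an added example, not code from the original post, from Snort, or from whitehats.com; it contrasts the two checks on constructed payloads. The minimum run length of 6 and the sample payloads are assumptions chosen for illustration, not observed TFN2k traffic.

```python
# Added example: substring content match vs. a check for trailing 'A' padding.
# Sample payloads below are constructed for the demonstration.

MIN_TRAILING_A = 6  # assumed threshold; tune to what is seen on the wire


def naive_content_match(payload: bytes) -> bool:
    """Approximates the IDS427 rule: alert if 'AAAAAA' appears anywhere."""
    return b"AAAAAA" in payload


def trailing_a_run_length(payload: bytes) -> int:
    """Return how many consecutive 'A' (0x41) bytes the payload ends with."""
    run = 0
    for byte in reversed(payload):
        if byte != 0x41:
            break
        run += 1
    return run


def trailing_a_match(payload: bytes, min_run: int = MIN_TRAILING_A) -> bool:
    """Alert only when the payload ends with at least min_run 'A' bytes."""
    return trailing_a_run_length(payload) >= min_run


# Constructed samples: an HTTP response whose body happens to contain a run of
# 'A' characters inside base64-looking text (the false positive the thread
# describes), an opaque payload padded with trailing 'A's (the shape the reply
# says it wants to catch), and an ordinary request with no padding at all.
SAMPLE_PAYLOADS = {
    "http_body": (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                  b"QUFBQUFBAAAAAAAQ==\r\n"),
    "padded": bytes.fromhex("9f3c0b77e1") + b"A" * 10,
    "plain_get": b"GET /IDS/427 HTTP/1.0\r\nHost: whitehats.com\r\n\r\n",
}


def evaluate(payloads: dict) -> dict:
    """Run both checks over every payload: name -> (naive_hit, trailing_hit)."""
    return {name: (naive_content_match(p), trailing_a_match(p))
            for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (naive_hit, trailing_hit) in evaluate(SAMPLE_PAYLOADS).items():
        print(f"{name:10s} naive={naive_hit!s:5s} trailing={trailing_hit}")
```

The http_body sample shows the false positive: the substring check fires because the body contains "AAAAAAA", while the trailing-run check stays quiet because the packet ends with a CRLF. Only the padded sample trips both checks.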

