[Snort-users] whatis database
dr at ...381...
Fri Sep 22 21:51:44 EDT 2000
A short version for this and similar queries.

The first place to look for this stuff is in the rules file.
Its syntax is simple... one line per rule. That will tell you what in the
packet set this off. Not that I'm suggesting this will illuminate the
whole picture for you, but it will be the first step.

Then once you've glanced through this... have a look at
the existing docs. We all know they need more detail and
updating in some cases but they will be a good start.
www.snort.org is a good place to start. I know everyone
hates to hear RTFM... but....
The second top level thing I would mention is that there are
two classes of rules that you should be aware of... the content
triggered rules that are based on some pattern known to occur
in a specific attack (like your first example, which is a Windows
SMB file browser), and the port based trojan detection rules (your
second query). The port based trojan detection will go off
anytime there is traffic to that port because that port is
the default listen port of commonly accessible trojans...
It falses often and can be set off by application traffic
using that port range, even randomly assigned sometimes.
On Fri, 22 Sep 2000, amp wrote:
> I'd like to know if someone out there knows where a good place would be to look
> up some of the things that snort is flagging.
> For instance, I see a bunch of these daily.
> [**] IDS177/netbios-name-query [**]
> 09/22-04:09:05.968366 220.127.116.11:137 -> 18.104.22.168:137
> UDP TTL:114 TOS:0x0 ID:8267
> Len: 58
> 16 03 00 10 00 01 00 00 00 00 00 00 20 43 4B 41 ............ CKA
> 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
> 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..!
> 00 01 ..
> I looked around the snort site, and various other places linked off the page to
> see exactly what it is. My guess it's just a Win machine firing up on my local
> network doing a netbios query, but I can't seem to locate a place where the
> stuff that is flagged in the vision.rules file is documented for =why= a given
> packet is logged as opposed to others.
> More critically, I got one today that says...
> /var/log/snort $ cat 22.214.171.124/TCP:3791-1115
> [**] IDS42/trojan-active-totaleclipse [**]
> 09/21-21:51:09.784529 126.96.36.199:3791 -> 188.8.131.52:1115
> TCP TTL:64 TOS:0x0 ID:21024 DF
> **S***A* Seq: 0x6593A1EC Ack: 0x53A6C7 Win: 0x7D78
> TCP Options => MSS: 1460 NOP NOP SackOK
> From the description, it doesn't look like it's something that plays well
> with others. I'd like to know if it is probing for the existence of a trojan
> or if the trojan has already nailed me.
> amp at ...492...
> Never be afraid to try something new.
> Remember, amateurs built the ark.
> Professionals built the Titanic.
Dragos Ruiu <dr at ...50...> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net
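The two points made in the reply (read the one-line rule to see what in the packet fired it, and distinguish content-triggered rules from port-only ones) can be seen concretely by decoding the quoted IDS177 payload and running both alerts through a toy matcher. The code below is an added example, not part of the list post and not Snort's own code. The two rules are reconstructed in Snort's one-line syntax for illustration only; they are not copied from vision.rules, and the matcher ignores addresses, `depth`/`offset` and every other option. The hex dump is the 50 payload bytes quoted in the message; the "MYPC" query and the extra SYN-ACK packet are constructed here.

```python
import re
import struct

# Hex columns of the UDP payload quoted in the IDS177 alert (50 bytes; "Len: 58" includes the 8-byte UDP header).
IDS177_PAYLOAD_HEX = """
16 03 00 10 00 01 00 00 00 00 00 00 20 43 4B 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21
00 01
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the hex columns of a Snort packet dump (ASCII column removed) into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())

NBNS_QTYPES = {0x20: "NB (name query)", 0x21: "NBSTAT (node status)"}

def encode_nbns_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> str:
    """RFC 1001 first-level encoding: 15-byte name + 1 suffix byte, each nibble sent as a letter A..P."""
    raw = name.encode("ascii").ljust(15, pad) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def decode_nbns_name(encoded: str):
    """Inverse of encode_nbns_name: returns (name, suffix_byte)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]

def parse_nbns_query(payload: bytes) -> dict:
    """Minimal NBNS question parser: 12-byte DNS-style header, one 32-char encoded name, qtype, qclass."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    name_len = payload[12]
    encoded = payload[13:13 + name_len].decode("ascii")
    off = 13 + name_len                      # payload[off] is the 0x00 root label ending the name
    qtype, qclass = struct.unpack("!HH", payload[off + 1:off + 5])
    name, suffix = decode_nbns_name(encoded)
    return {"txid": txid, "flags": flags, "qdcount": qdcount, "encoded": encoded,
            "name": name, "suffix": suffix, "qtype": qtype,
            "qtype_name": NBNS_QTYPES.get(qtype, "unknown"), "qclass": qclass}

def build_nbns_query(name: str, qtype: int, txid: int = 0x1234, pad: bytes = b" ") -> bytes:
    """Constructed NBNS query packet for testing (flags 0x0110 = recursion desired + broadcast)."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return (header + bytes([32]) + encode_nbns_name(name, pad=pad).encode("ascii")
            + b"\x00" + struct.pack("!HH", qtype, 1))

# --- toy Snort-style rule handling: header + a few options, nothing more ---
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(line: str) -> dict:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a rule line: {line!r}")
    opts = {}
    for opt in m.group("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip().strip('"')
    return {"proto": m.group("proto").lower(), "sport": m.group("sport"),
            "dport": m.group("dport"), "msg": opts.get("msg"),
            "content": opts.get("content"), "flags": opts.get("flags")}

def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def match_rule(rule: dict, pkt: dict):
    """Return the list of predicates that fired, or None. Addresses are treated as 'any'."""
    if rule["proto"] != pkt["proto"]:
        return None
    if not (_port_ok(rule["sport"], pkt["sport"]) and _port_ok(rule["dport"], pkt["dport"])):
        return None
    matched = ["port"]
    if rule["flags"] is not None:                      # e.g. "SA" = SYN and ACK set
        if set(rule["flags"]) != set(pkt.get("flags", "")):
            return None
        matched.append("flags")
    if rule["content"] is not None:                    # pattern anywhere in the payload
        if rule["content"].encode("ascii") not in pkt["payload"]:
            return None
        matched.append("content")
    return matched

def run_rules(rules, pkt) -> dict:
    """Map msg -> predicates for every rule that fires on pkt."""
    return {r["msg"]: m for r in rules if (m := match_rule(r, pkt)) is not None}

# Reconstructed for illustration; not the real vision.rules entries.
RULES = [parse_rule(r) for r in (
    'alert udp any any -> any 137 (msg:"IDS177/netbios-name-query"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";)',
    'alert tcp any 3791 -> any any (msg:"IDS42/trojan-active-totaleclipse"; flags:SA;)',
)]

PACKETS = {
    "quoted IDS177 alert": {"proto": "udp", "sport": 137, "dport": 137,
                            "payload": hexdump_to_bytes(IDS177_PAYLOAD_HEX)},
    "ordinary name query for MYPC": {"proto": "udp", "sport": 137, "dport": 137,
                                     "payload": build_nbns_query("MYPC", 0x20)},
    "quoted IDS42 alert (SYN-ACK, no payload)": {"proto": "tcp", "sport": 3791, "dport": 1115,
                                                 "flags": "SA", "payload": b""},
    "any other listener answering from port 3791": {"proto": "tcp", "sport": 3791, "dport": 40000,
                                                    "flags": "SA", "payload": b""},
}

if __name__ == "__main__":
    q = parse_nbns_query(PACKETS["quoted IDS177 alert"]["payload"])
    print(f"NBNS name {q['name']!r} (encoded {q['encoded']}), query type {q['qtype_name']}")
    for label, pkt in PACKETS.items():
        print(f"{label}: {run_rules(RULES, pkt) or 'no alert'}")
```

Decoding the quoted payload shows why the content rule fired: the 32-letter name `CKAAAA...` is the first-level encoding of `*`, and the query type 0x21 is NBSTAT, i.e. a wildcard node-status query of the kind Windows hosts send while browsing. The IDS42 rule, by contrast, fires on `port` and `flags` only: any listener that happens to answer from TCP port 3791 trips it, whatever the payload, which is exactly the false-positive behaviour the reply warns about.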