[Snort-users] Snort rule triggered an alert, but why?

C.Prickaerts at ...5294...
Thu Dec 5 08:06:07 EST 2002


Hi group,

I'm doing some Snort analysis and found a packet that triggered a rule, but
can't find out why:

The rule:

alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86
inc ebx NOOP"; content:"|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43
43 43 43 43 43 43 43|"; classtype:shellcode-detect; sid:1390; rev:3;)

The Alert:

[**] SHELLCODE x86 inc ebx NOOP [**]
12/05-09:12:11.101861 attacker:80 -> myhost:29090 TCP TTL:51 TOS:0x0
ID:62013 IpLen:20 DgmLen:1491 DF
***AP*** Seq: 0x370C8E71  Ack: 0x171E3  Win: 0x422E  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The Packet

09:12:11.101861 attacker.80 > myhost.29090: P 81915:83366(1451) ack 4487 win
16942 (DF) (ttl 51, id 62013, len 1491)
0x0000   4500 05d3 f23d 4000 3306 f981 cf2e 1c64        E....=@.3......d
0x0010   8978 e15a 0050 71a2 370c 8e71 0001 71e3        .x.Z.Pq.7..q..q.
0x0020   5018 422e 5efd 0000 4854 5450 2f31 2e31        P.B.^...HTTP/1.1
0x0030   2032 3030 204f 4b0d 0a53 6572 7665 723a        .200.OK..Server:
0x0040   204d 6963 726f 736f 6674 2d49 4953 2f35        .Microsoft-IIS/5
0x0050   2e30                                           .0

And a few minutes later:

[**] SHELLCODE x86 inc ebx NOOP [**]
12/05-09:17:00.251861 attacker:80 -> myhost:29185 TCP TTL:51 TOS:0x0
ID:17396 IpLen:20 DgmLen:1491 DF
***AP*** Seq: 0x6F3476D4  Ack: 0x5F67A  Win: 0x41E0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The packet

09:17:00.251861 attacker.80 > myhost.29185: P 1:1452(1451) ack 657 win 16864
(DF) (ttl 51, id 17396, len 1491)
0x0000   4500 05d3 43f4 4000 3306 a7cb cf2e 1c64        E...C.@.3......d
0x0010   8978 e15a 0050 7201 6f34 76d4 0005 f67a        .x.Z.Pr.o4v....z
0x0020   5018 41e0 b7c1 0000 4854 5450 2f31 2e31        P.A.....HTTP/1.1
0x0030   2032 3030 204f 4b0d 0a53 6572 7665 723a        .200.OK..Server:
0x0040   204d 6963 726f 736f 6674 2d49 4953 2f35        .Microsoft-IIS/5
0x0050   2e30                                           .0

This traffic is part of ongoing HTTP traffic. The only thing I can see is that
the packets look very similar. The question is, why did Snort raise the alert?
What am I overlooking?

Greets,

Chris
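As an added check (not part of Chris's post), the script below decodes the rule's content string and the quoted tcpdump hex dump, strips the IP and TCP headers using their own length fields, and searches the TCP payload for the 24-byte pattern the way Snort's content match does. Run against the 82 bytes shown in the post it finds no match in the 42 visible payload bytes, which shows the matching run must sit in the 1409 bytes of the 1451-byte segment that the dump does not print; the constructed positive case in the usage note shows the same function reporting an offset when the run is present.

```python
import re

# Snort content string from the rule quoted in the post (sid:1390, rev:3).
RULE_CONTENT = "|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|"

# The first packet's hex dump exactly as quoted in the post (tcpdump -X style).
PACKET_DUMP = """\
0x0000   4500 05d3 f23d 4000 3306 f981 cf2e 1c64        E....=@.3......d
0x0010   8978 e15a 0050 71a2 370c 8e71 0001 71e3        .x.Z.Pq.7..q..q.
0x0020   5018 422e 5efd 0000 4854 5450 2f31 2e31        P.B.^...HTTP/1.1
0x0030   2032 3030 204f 4b0d 0a53 6572 7665 723a        .200.OK..Server:
0x0040   204d 6963 726f 736f 6674 2d49 4953 2f35        .Microsoft-IIS/5
0x0050   2e30                                           .0
"""

HEX_TOKEN = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")   # one tcpdump hex group (1 or 2 bytes)

def parse_snort_content(content):
    """Decode a Snort content: string. Text between | pipes | is hex bytes, the rest is literal."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2:                                   # odd chunks sit inside |...|
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:                                       # even chunks are literal text
            out += chunk.encode("latin-1")
    return bytes(out)

def parse_tcpdump_hex(dump):
    """Rebuild raw packet bytes from 'offset  hex groups  ascii' lines; the ASCII column is ignored."""
    raw = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:9]:                     # tcpdump prints at most 8 groups per line
            if not HEX_TOKEN.fullmatch(tok):
                break                               # first non-hex token is the ASCII column
            raw += bytes.fromhex(tok)
    return bytes(raw)

def tcp_payload(raw):
    """Skip the IPv4 header (IHL) and TCP header (data offset); this is what Snort's content search sees."""
    ihl = (raw[0] & 0x0F) * 4
    doff = (raw[ihl + 12] >> 4) * 4
    return raw[ihl + doff:]

def find_content(payload, content):
    """Offset of the rule's content pattern inside a TCP payload, or -1 if it is not there."""
    return payload.find(parse_snort_content(content))

if __name__ == "__main__":
    raw = parse_tcpdump_hex(PACKET_DUMP)
    payload = tcp_payload(raw)
    print("decoded", len(raw), "of", int.from_bytes(raw[2:4], "big"), "bytes (IP total length)")
    print("visible payload:", payload)
    print("pattern offset in visible payload:", find_content(payload, RULE_CONTENT))
```

A constructed positive case such as `find_content(b"HTTP/1.1 200 OK\r\n\r\n<img src=" + b"C" * 24, RULE_CONTENT)` returns 28, so the same logic applied to the full 1451-byte segment (captured with `-s 0` and `-X`) will show exactly where the 24 C bytes are.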
