[Snort-users] Snort rule triggered an alert, but why?

Chris Green cmg at ...1935...
Thu Dec 5 08:28:05 EST 2002


C.Prickaerts at ...5294... writes:

> Hi group,
>
> I'm doing some Snort analysis and found a packet that triggered a rule, but
> can't find out why:

This looks like a bug with double alerting after a successful attack
which was fixed in 1.9 CVS a bit ago.  Soon, 1.9.1 should be coming
out but feel free to upgrade to the head of the SNORT_1_9 branch.

Cheers,
Chris
>
> The rule:
>
> alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86
> inc ebx NOOP"; content:"|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43
> 43 43 43 43 43 43 43|"; classtype:shellcode-detect; sid:1390; rev:3;)
>
> The Alert:
>
> [**] SHELLCODE x86 inc ebx NOOP [**]
> 12/05-09:12:11.101861 attacker:80 -> myhost:29090 TCP TTL:51 TOS:0x0
> ID:62013 IpLen:20 DgmLen:1491 DF
> ***AP*** Seq: 0x370C8E71  Ack: 0x171E3  Win: 0x422E  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> The Packet
>
> 09:12:11.101861 attacker.80 > myhost.29090: P 81915:83366(1451) ack 4487 win
> 16942 (DF) (ttl 51, id 62013, len 1491)
> 0x0000   4500 05d3 f23d 4000 3306 f981 cf2e 1c64        E....=@.3......d
> 0x0010   8978 e15a 0050 71a2 370c 8e71 0001 71e3        .x.Z.Pq.7..q..q.
> 0x0020   5018 422e 5efd 0000 4854 5450 2f31 2e31        P.B.^...HTTP/1.1
> 0x0030   2032 3030 204f 4b0d 0a53 6572 7665 723a        .200.OK..Server:
> 0x0040   204d 6963 726f 736f 6674 2d49 4953 2f35        .Microsoft-IIS/5
> 0x0050   2e30                                           .0
>
> And few minutes later:
>
> [**] SHELLCODE x86 inc ebx NOOP [**]
> 12/05-09:17:00.251861 attacker:80 -> myhost:29185 TCP TTL:51 TOS:0x0
> ID:17396 IpLen:20 DgmLen:1491 DF
> ***AP*** Seq: 0x6F3476D4  Ack: 0x5F67A  Win: 0x41E0  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> The packet
>
> 09:17:00.251861 attacker.80 > myhost.29185: p 1:1452(1451) ack 657 win 16864
> (df) (ttl 51, id 17396, len 1491)
> 0x0000   4500 05d3 43f4 4000 3306 a7cb cf2e 1c64        e...c.@.3......d
> 0x0010   8978 e15a 0050 7201 6f34 76d4 0005 f67a        .x.z.pr.o4v....z
> 0x0020   5018 41e0 b7c1 0000 4854 5450 2f31 2e31        p.a.....http/1.1
> 0x0030   2032 3030 204f 4b0d 0a53 6572 7665 723a        .200.ok..server:
> 0x0040   204d 6963 726f 736f 6674 2d49 4953 2f35        .microsoft-iis/5
> 0x0050   2e30                                           .0
>
> This traffic is part of ongoing HTTP traffic. Only thing I can see is that
> the packets look very similar. Question is, why did snort call the Alert?
> What am I overlooking?
>
> Greets,
>
> Chris
>

-- 
Chris Green <cmg at ...1935...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
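An added example (my own code, not from the post or from Snort) that applies sid 1390's content check to the bytes pasted above: it parses the Snort |..| hex notation and the tcpdump hexdump, strips the IPv4 and TCP headers using their length fields, and searches the remaining payload for the 24 bytes of 0x43.

```python
import re

# Constructed from the post: the rule's content option and the first hexdump
# (only the leading 82 bytes of a 1491-byte datagram were pasted).
RULE_CONTENT = ("|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 "
                "43 43 43 43 43 43 43|")
HEXDUMP = """
0x0000   4500 05d3 f23d 4000 3306 f981 cf2e 1c64        E....=@.3......d
0x0010   8978 e15a 0050 71a2 370c 8e71 0001 71e3        .x.Z.Pq.7..q..q.
0x0020   5018 422e 5efd 0000 4854 5450 2f31 2e31        P.B.^...HTTP/1.1
0x0030   2032 3030 204f 4b0d 0a53 6572 7665 723a        .200.OK..Server:
0x0040   204d 6963 726f 736f 6674 2d49 4953 2f35        .Microsoft-IIS/5
0x0050   2e30                                           .0
"""

def parse_content(option):
    """Snort content syntax: text between |...| is hex bytes, the rest is
    literal characters (backslash escapes are not handled here)."""
    out = bytearray()
    for i, part in enumerate(option.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_hexdump(text):
    """Rebuild packet bytes from a tcpdump -x style dump: skip the offset,
    take the 16-bit hex groups, stop at the ASCII column."""
    out = bytearray()
    for line in text.strip().splitlines():
        for tok in line.split()[1:9]:
            if not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def payload_of(packet):
    """Skip the IPv4 and TCP headers using their own length fields
    (IHL and TCP data offset; both are 20 bytes in the post)."""
    ihl = (packet[0] & 0x0F) * 4
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:]

def rule_matches(content_option, hexdump):
    """True if the rule's content bytes occur anywhere in the visible payload."""
    return parse_content(content_option) in payload_of(parse_hexdump(hexdump))

if __name__ == "__main__":
    pkt = parse_hexdump(HEXDUMP)
    print(len(pkt), "bytes visible; payload:", payload_of(pkt))
    print("content match on visible bytes:", rule_matches(RULE_CONTENT, HEXDUMP))
```

The visible 42-byte payload is just the start of an HTTP response and contains no run of 0x43, but 1409 bytes of the segment were not pasted, so this check alone cannot rule out a match further in; the reply above attributes the alert to the double-alerting bug instead.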