[Snort-users] Experimenting with TAG, question

Martin Roesch roesch at ...1935...
Mon Oct 14 06:33:10 EDT 2002


Looks like the tag rule captured those packets due to the 2nd packet setting the tag.

      -Marty

On Sunday, October 13, 2002, at 10:23 PM, Rich Adamson wrote:

> I've been experimenting with the TAG option as shown in the following rule:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, OpenSSL worm probe"; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; tag:host,4,packets,src; offset:0; depth:18; classtype:web-application-activity; sid:1881; rev:1;)
>
> The log entries below are the first that I've had that appear to be the
> result of the tag option. It would appear the above rule logged the second
> entry in the log file entries shown below, but I'm not sure if the TAG option
> actually created the next three packets (3rd, 4th, & 5th).
>
> Can anyone comment?
>
>
> << Log entry for port 80 associated with above rule >>
>
> 10/13-06:11:15.757162 0:5:5E:2E:27:8D -> 0:A0:CC:5D:91:E0 type:0x800 len:0x42
> 218.63.92.11:4876 -> a.b.c.d:80 TCP TTL:47 TOS:0x0 ID:56140 IpLen:20 DgmLen:52 DF
> ***A**** Seq: 0x414F0097  Ack: 0x356DFE1A  Win: 0x16B0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 45669448 681081338
> 0x0000: 00 A0 CC 5D 91 E0 00 05 5E 2E 27 8D 08 00 45 00  ...]....^.'...E.
> 0x0010: 00 34 DB 4C 40 00 2F 06 AA 04 DA 3F 5C 0B CE DE  .4.L@./....?\...
> 0x0020: C1 49 13 0C 00 50 41 4F 00 97 35 6D FE 1A 80 10  .I...PAO..5m....
> 0x0030: 16 B0 8F 3C 00 00 01 01 08 0A 02 B8 DC 48 28 98  ...<.........H(.
> 0x0040: 79 FA                                            y.
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potentual worm attack [**]
> 10/13-06:11:15.764518 0:5:5E:2E:27:8D -> 0:A0:CC:5D:91:E0 type:0x800 len:0x54
> 218.63.92.11:4876 -> a.b.c.d:80 TCP TTL:47 TOS:0x0 ID:56141 IpLen:20 DgmLen:70 DF
> ***AP*** Seq: 0x414F0097  Ack: 0x356DFE1A  Win: 0x16B0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 45669448 681081338
> 0x0000: 00 A0 CC 5D 91 E0 00 05 5E 2E 27 8D 08 00 45 00  ...]....^.'...E.
> 0x0010: 00 46 DB 4D 40 00 2F 06 A9 F1 DA 3F 5C 0B CE DE  .F.M@./....?\...
> 0x0020: C1 49 13 0C 00 50 41 4F 00 97 35 6D FE 1A 80 18  .I...PAO..5m....
> 0x0030: 16 B0 B0 81 00 00 01 01 08 0A 02 B8 DC 48 28 98  .............H(.
> 0x0040: 79 FA 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31  y.GET / HTTP/1.1
> 0x0050: 0D 0A 0D 0A                                      ....
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/13-06:11:15.764737 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x42
> a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10377 IpLen:20 DgmLen:52 DF
> ***A**** Seq: 0x356DFE1A  Ack: 0x414F00A9  Win: 0x7EDC  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 681081442 45669448
> 0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00  ..^.'....]....E.
> 0x0010: 00 34 28 89 40 00 40 06 4B C8 CE DE C1 49 DA 3F  .4(.@.@.K....I.?
> 0x0020: 5C 0B 00 50 13 0C 35 6D FE 1A 41 4F 00 A9 80 10  \..P..5m..AO....
> 0x0030: 7E DC 26 96 00 00 01 01 08 0A 28 98 7A 62 02 B8  ~.&.......(.zb..
> 0x0040: DC 48                                            .H
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/13-06:11:15.766141 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x29D
> a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10378 IpLen:20 DgmLen:655 DF
> ***AP*** Seq: 0x356DFE1A  Ack: 0x414F00A9  Win: 0x7EDC  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 681081442 45669448
> 0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00  ..^.'....]....E.
> 0x0010: 02 8F 28 8A 40 00 40 06 49 6C CE DE C1 49 DA 3F  ..(.@.@.Il...I.?
> 0x0020: 5C 0B 00 50 13 0C 35 6D FE 1A 41 4F 00 A9 80 18  \..P..5m..AO....
> 0x0030: 7E DC 49 26 00 00 01 01 08 0A 28 98 7A 62 02 B8  ~.I&......(.zb..
> 0x0040: DC 48 48 54 54 50 2F 31 2E 31 20 34 30 30 20 42  .HHTTP/1.1 400 B
> 0x0050: 61 64 20 52 65 71 75 65 73 74 0D 0A 44 61 74 65  ad Request..Date
> 0x0060: 3A 20 53 75 6E 2C 20 31 33 20 4F 63 74 20 32 30  : Sun, 13 Oct 20
> 0x0070: 30 32 20 31 31 3A 31 32 3A 32 37 20 47 4D 54 0D  02 11:12:27 GMT.
> 0x0080: 0A 53 65 72 76 65 72 3A 20 41 70 61 63 68 65 2F  .Server: Apache/
> 0x0090: 31 2E 33 2E 31 34 20 28 55 6E 69 78 29 20 20 28  1.3.14 (Unix)  (
> 0x00A0: 52 65 64 2D 48 61 74 2F 4C 69 6E 75 78 29 20 50  Red-Hat/Linux) P
> 0x00B0: 48 50 2F 33 2E 30 2E 31 37 20 6D 6F 64 5F 70 65  HP/3.0.17 mod_pe
> 0x00C0: 72 6C 2F 31 2E 32 33 0D 0A 43 6F 6E 6E 65 63 74  rl/1.23..Connect
> 0x00D0: 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 54 72 61 6E  ion: close..Tran
> 0x00E0: 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20 63  sfer-Encoding: c
> 0x00F0: 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E 74 2D  hunked..Content-
> 0x0100: 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 3B  Type: text/html;
> 0x0110: 20 63 68 61 72 73 65 74 3D 69 73 6F 2D 38 38 35   charset=iso-885
> 0x0120: 39 2D 31 0D 0A 0D 0A 31 36 61 0D 0A 3C 21 44 4F  9-1....16a..<!DO
> 0x0130: 43 54 59 50 45 20 48 54 4D 4C 20 50 55 42 4C 49  CTYPE HTML PUBLI
> 0x0140: 43 20 22 2D 2F 2F 49 45 54 46 2F 2F 44 54 44 20  C "-//IETF//DTD 
> 0x0150: 48 54 4D 4C 20 32 2E 30 2F 2F 45 4E 22 3E 0A 3C  HTML 2.0//EN">.<
> 0x0160: 48 54 4D 4C 3E 3C 48 45 41 44 3E 0A 3C 54 49 54  HTML><HEAD>.<TIT
> 0x0170: 4C 45 3E 34 30 30 20 42 61 64 20 52 65 71 75 65  LE>400 Bad Reque
> 0x0180: 73 74 3C 2F 54 49 54 4C 45 3E 0A 3C 2F 48 45 41  st</TITLE>.</HEA
> 0x0190: 44 3E 3C 42 4F 44 59 3E 0A 3C 48 31 3E 42 61 64  D><BODY>.<H1>Bad
> 0x01A0: 20 52 65 71 75 65 73 74 3C 2F 48 31 3E 0A 59 6F   Request</H1>.Yo
> 0x01B0: 75 72 20 62 72 6F 77 73 65 72 20 73 65 6E 74 20  ur browser sent 
> 0x01C0: 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74  a request that t
> 0x01D0: 68 69 73 20 73 65 72 76 65 72 20 63 6F 75 6C 64  his server could
> 0x01E0: 20 6E 6F 74 20 75 6E 64 65 72 73 74 61 6E 64 2E   not understand.
> 0x01F0: 3C 50 3E 0A 63 6C 69 65 6E 74 20 73 65 6E 74 20  <P>.client sent 
> 0x0200: 48 54 54 50 2F 31 2E 31 20 72 65 71 75 65 73 74  HTTP/1.1 request
> 0x0210: 20 77 69 74 68 6F 75 74 20 68 6F 73 74 6E 61 6D   without hostnam
> 0x0220: 65 20 28 73 65 65 20 52 46 43 32 30 36 38 20 73  e (see RFC2068 s
> 0x0230: 65 63 74 69 6F 6E 20 39 2C 20 61 6E 64 20 31 34  ection 9, and 14
> 0x0240: 2E 32 33 29 3A 20 2F 3C 50 3E 0A 3C 48 52 3E 0A  .23): /<P>.<HR>.
> 0x0250: 3C 41 44 44 52 45 53 53 3E 41 70 61 63 68 65 2F  <ADDRESS>Apache/
> 0x0260: 31 2E 33 2E 31 34 20 53 65 72 76 65 72 20 61 74  1.3.14 Server at
> 0x0270: 20 77 77 77 20 50 6F 72 74 20 38 30 3C 2F 41 44   www Port 80</AD
> 0x0280: 44 52 45 53 53 3E 0A 3C 2F 42 4F 44 59 3E 3C 2F  DRESS>.</BODY></
> 0x0290: 48 54 4D 4C 3E 0A 0D 0A 30 0D 0A 0D 0A           HTML>...0....
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/13-06:11:15.769260 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x42
> a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10381 IpLen:20 DgmLen:52 DF
> ***A***F Seq: 0x356E0075  Ack: 0x414F00A9  Win: 0x7EDC  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 681081443 45669448
> 0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00  ..^.'....]....E.
> 0x0010: 00 34 28 8D 40 00 40 06 4B C4 CE DE C1 49 DA 3F  .4(.@.@.K....I.?
> 0x0020: 5C 0B 00 50 13 0C 35 6E 00 75 41 4F 00 A9 80 11  \..P..5n.uAO....
> 0x0030: 7E DC 24 39 00 00 01 01 08 0A 28 98 7A 63 02 B8  ~.$9......(.zc..
> 0x0040: DC 48                                            .H
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
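Marty's answer, worked through as an added example (this is not Snort's source and not code posted by either participant): a small Python model of `tag:host,<count>,packets,<src|dst>` run over the five packets in Rich's log. The packet headers and payloads are constructed from the log entries above (the 400 response is truncated to its first line). The model assumes what the rule documentation describes, with two points made explicit as assumptions: the packet count applies to packets after the alerting one, and host tagging logs traffic in either direction to or from the tagged host. It also implements the `offset:0; depth:18` content window, which is why a pure ACK cannot fire the rule.

```python
"""Model of how Snort's tag:host,<count>,packets,<src|dst> option extends
a single alert into a short packet log.

Added example for the snort-users thread; not Snort source code and not
anything the participants posted.  Assumptions (not confirmed by the
thread): the count covers packets *after* the alerting one, and a host
tag logs packets in either direction to or from the tagged host.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    """The fields of a Snort packet log header that the model needs."""
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload: bytes = b""


# content:"GET / HTTP/1.1|0d 0a 0d 0a|" from the quoted rule (18 bytes)
PATTERN = b"GET / HTTP/1.1\r\n\r\n"


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """Snort 'content' with offset/depth: the pattern has to lie entirely
    inside the window payload[offset:offset+depth]."""
    return pattern in payload[offset:offset + depth]


def rule_matches(pkt: Packet) -> bool:
    """The quoted rule without the $VARIABLE address checks: TCP to port 80
    with the 18-byte request at the very start of the payload.  An empty
    payload (pure ACK) can never match."""
    return pkt.dport == 80 and content_match(pkt.payload, PATTERN, offset=0, depth=18)


@dataclass
class HostTag:
    host: str
    remaining: int


def run(packets, count: int = 4, direction: str = "src"):
    """Return [(index, reason)] for every packet the rule plus tag would log.

    An alerting packet is logged as "alert" and starts a host tag on its
    source (or destination, per `direction`).  Each later packet to or
    from that host is logged as "tagged" until `count` have been seen.
    A packet that is both a fresh alert and tagged is reported as an alert
    here; the thread does not say how Snort orders the two (assumption).
    """
    logged = []
    active: list[HostTag] = []
    for i, pkt in enumerate(packets):
        if rule_matches(pkt):
            logged.append((i, "alert"))
            active.append(HostTag(pkt.src if direction == "src" else pkt.dst, count))
            continue
        for tag in active:
            if tag.host in (pkt.src, pkt.dst):
                tag.remaining -= 1
                logged.append((i, f"tagged host {tag.host}, {tag.remaining} left"))
                if tag.remaining == 0:
                    active.remove(tag)
                break
    return logged


# Constructed from the five packet headers in the thread.  Payloads come
# from the hex dumps; the 400 response is truncated to its first line.
PACKETS = [
    Packet("06:11:15.757162", "218.63.92.11", 4876, "a.b.c.d", 80, "A"),
    Packet("06:11:15.764518", "218.63.92.11", 4876, "a.b.c.d", 80, "AP", PATTERN),
    Packet("06:11:15.764737", "a.b.c.d", 80, "218.63.92.11", 4876, "A"),
    Packet("06:11:15.766141", "a.b.c.d", 80, "218.63.92.11", 4876, "AP",
           b"HTTP/1.1 400 Bad Request\r\n"),
    Packet("06:11:15.769260", "a.b.c.d", 80, "218.63.92.11", 4876, "AF"),
]

if __name__ == "__main__":
    for i, reason in run(PACKETS):
        p = PACKETS[i]
        print(f"#{i + 1} {p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"[{p.flags}]  {reason}")
```

Run stand-alone it reports packet 2 as the alert and packets 3, 4 and 5 as tagged with 3, 2 and 1 of the 4 still to go, which is the reading Marty gives. The model logs nothing for packet 1: the rule cannot fire on an empty payload, and no tag is active yet. The thread does not say why that packet is in Rich's log, and the model does not try to explain it.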




