[Snort-users] What wins? TCP headers or packet contents?

John Sage jsage at ...2022...
Tue Sep 10 23:14:04 EDT 2002


Let me bring the question up to the top:

> So the question for the snort list is:

> What wins:

> TCP header stuff: i.e. the destination port,

> or,

> Packet contents stuff: i.e. a hex series within the payload of a
> packet, but with no match on destination port?

<snip>


Executive summary:

Twice (once real-time, once on replay against a binary log file) I
have packets matching an rpc.rules rule by content (a hex sequence) but
not by the destination port stated in the rule.

- John


----- Forwarded message from John Sage <jsage at ...2022...> -----

Date: Tue, 10 Sep 2002 22:01:55 -0700
From: John Sage <jsage at ...2022...>
To: "Smith, Donald " <Donald.Smith at ...6864...>
Subject: Re: [LOGS] 09/06-09/02 - 72 hour ACID summary
User-Agent: Mutt/1.2.5i


Donald:

On Tue, Sep 10, 2002 at 09:12:08PM -0600, Smith, Donald  wrote:
> Ok, what version of snort and what rules?
> This is wrong, very wrong. If it's fixed
> I don't care. If it's still broke it needs to be
> fixed :-)
> Thanks

Various specs:

[toot at ...2057... /storage/snort/old_snorts/090802]# snort -V

-*> Snort! <*-
Version 1.8.7 (Build 128)
By Martin Roesch (roesch at ...1935..., www.snort.org)
[root at ...2057... /storage/snort/old_snorts/090802]# 


[toot at ...2057... /usr/local/snort-rules]# grep /usr/local/snort-rules/rstat *

rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)


[toot at ...2057... /usr/local/snort-rules]# more rpc.rules
# (C) Copyright 2001, Martin Roesch, Brian Caswell, et al.  All rights reserved.
# $Id: rpc.rules,v 1.21.2.9 2002/06/05 15:16:21 cazz Exp $
#----------
# RPC RULES
#----------
<snip>


[toot at ...2057... /]# tcpdump -V
tcpdump version 3.6
libpcap version 0.6
Usage: tcpdump [-adeflnNOpqStuvxX] [-c count] [ -F file ]
		[ -i interface ] [ -r file ] [ -s snaplen ]
		[ -T type ] [ -w file ] [ expression ]

which is identical to my firewall box...


Check out what happens when I replay the binary snort log for that
time period against my snort187check script, which is identical to my
firewall snort configuration except that it runs against *all* rules:

Again, we get:

<snip>
[**] [1:1278:3] RPC rstatd query [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/08/02-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814 
[Xref => http://www.whitehats.com/info/IDS9]
<snip>

which is this packet, by timestamp, and which I am certain is a
portion of a gzipped file:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/08-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814 
0x0000: 45 00 05 DC FA ED 40 00 31 06 4A BA 3F 64 2F 2D  E..... at ...6865...?d/-
0x0010: 0C 52 83 91 00 50 F8 0A E9 A9 91 72 E9 92 6F EA  .R...P.....r..o.
0x0020: 80 10 19 20 DD C3 00 00 01 01 08 0A 5C D1 7E 26  ... ........\.~&
0x0030: 19 7D 82 86 

                    5F 46 36 63 49 66 61 57 3A 68 32 61  .}.._F6cIfaW:h2a
0x0040: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 41 36  F|c7mHcIf2_.i at ...6866...
0x0050: 75 3A 49 68 5F 46 36 63 49 66 61 57 3A 68 32 61  u:Ih_F6cIfaW:h2a
0x0060: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 48 7D  F|c7mHcIf2_.i at ...2576...}
0x0070: 38 6A 79 38 59 6A 56 28 2E 42 7A 75 3A 3A 64 6D  8jy8YjV(.Bzu::dm
0x0080: 49 68 64 3B 20 57 53 53 5F 47 57 3D 56 31 41 6C  Ihd; WSS_GW=V1Al
0x0090: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
0x00A0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
0x00B0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
0x00C0: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
0x00D0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
0x00E0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
0x00F0: 51 41 6C 51 7A 25 72 42 51 25 5E 25 72 40 69 3B  QAlQz%rBQ%^%r at ...899...;
0x0100: 20 43 54 47 3D 31 30 32 35 31 39 31 39 31 39 0D   CTG=1025191919.
0x0110: 0A 0D 47 3D 1B 3D 58 0D 02 00 9A 05 00 00 9A 05  ..G=.=X.........
0x0120: 00 00 00 00 0C 04 B2 33 00 03 E3 D9 26 C0 08 00  .......3....&...
0x0130: 45 00 05 8C EB 04 40 00 73 06 FC 52 CC 11 72 09  E..... at ...6867...
0x0140: 2E 05 B4 FA 00 50 F9 C1 B3 D2 78 9D 00 01 65 80  .....P....x...e.
0x0150: 50 10 40 B0 46 75 00 00 86 A2 00 00 00 02 00 00  P. at ...6868...
0x0160: 00 00 00 00 00 01 00 00 00 96 00 00 00 00 00 00  ................
0x0170: 00 96 00 00 00 40 00 00 00 00 00 00 00 00 00 00  ..... at ...4535...
0x0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0190: 00 00 00 00 00 00 00 00 00 00 02 00 01 86 A1 00  ................
                 ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
<snip>

The offset seems different, but only because we have IP and TCP
headers, above.

Original post:

> > > > 
> > > > 09/08-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
> > > > TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
> > > > ***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
> > > > TCP Options (3) => NOP NOP TS: 1557233190 427655814 
> > > > 5F 46 36 63 49 66 61 57 3A 68 32 61 46 7C 63 37  _F6cIfaW:h2aF|c7
> > > > 6D 48 63 49 66 32 5F 2E 69 40 41 36 75 3A 49 68  mHcIf2_.i at ...6869...:Ih
> > > > 5F 46 36 63 49 66 61 57 3A 68 32 61 46 7C 63 37  _F6cIfaW:h2aF|c7
> > > > 6D 48 63 49 66 32 5F 2E 69 40 48 7D 38 6A 79 38  mHcIf2_.i at ...2576...}8jy8
> > > > 59 6A 56 28 2E 42 7A 75 3A 3A 64 6D 49 68 64 3B  YjV(.Bzu::dmIhd;
> > > > 20 57 53 53 5F 47 57 3D 56 31 41 6C 51 41 6C 51   WSS_GW=V1AlQAlQ
> > > > 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
> > > > 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
> > > > 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
> > > > 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
> > > > 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
> > > > 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
> > > > 7A 25 72 42 51 25 5E 25 72 40 69 3B 20 43 54 47  z%rBQ%^%r at ...899...; CTG
> > > > 3D 31 30 32 35 31 39 31 39 31 39 0D 0A 0D 47 3D  =1025191919...G=
> > > > 1B 3D 58 0D 02 00 9A 05 00 00 9A 05 00 00 00 00  .=X.............
> > > > 0C 04 B2 33 00 03 E3 D9 26 C0 08 00 45 00 05 8C  ...3....&...E...
> > > > EB 04 40 00 73 06 FC 52 CC 11 72 09 2E 05 B4 FA  .. at ...6870...
> > > > 00 50 F9 C1 B3 D2 78 9D 00 01 65 80 50 10 40 B0  .P....x...e.P. at ...843...
> > > > 46 75 00 00 86 A2 00 00 00 02 00 00 00 00 00 00  Fu..............
> > > > 00 01 00 00 00 96 00 00 00 00 00 00 00 96 00 00  ................
> > > > 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00  . at ...2924...
> > > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > > 00 00 00 00 00 00 02 00 01 86 A1 00 00 00 02 00  ................
> > > > ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
> > > > <snip>

So the question for the snort list is:

What wins:

TCP header stuff: i.e. the destination port,

or,

Packet contents stuff: i.e. a hex series within the payload of a
packet, but with no match on destination port?


heh..

I hate it when this happens.


- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705

----- End forwarded message -----
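In Snort rule syntax the port field "32770:" is an open range (32770 and every higher port), so the header test and the content test of sid 1278 can be evaluated separately against the packet in the post. The script below is an added example, not Snort's code and not from the original thread: it re-implements the port-range and content/offset checks and runs them on the rule and the destination port quoted above, with a constructed payload that stands in for the compressed data and places the matched 12 bytes at the offset the dump shows (0x193 minus 20 IP and 32 TCP header bytes = 351).

```python
import re

# Rule text copied from the post (rpc.rules, sid 1278 rev 3).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; '
        'flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; '
        'reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)')

# Constructed payload: 351 bytes of filler (the dump's "QAl" pattern) followed by the
# bytes the rule's content option looks for; only the position is taken from the dump.
PAYLOAD = b"QAl" * 117 + bytes.fromhex("00000000000000020001 86A1") + b"\x00\x00\x00\x02\x00"
POST_DST_PORT = 63498  # destination port of the packet in the post

def parse_ports(spec):
    """Snort port syntax: 'any', '80', '1:1024', ':1024', '32770:' (32770 and up)."""
    if spec == "any":
        return 0, 65535
    lo, sep, hi = spec.partition(":")
    if not sep:
        return int(lo), int(lo)
    return (int(lo) if lo else 0), (int(hi) if hi else 65535)

def parse_rule(rule):
    """Extract the destination-port range and the content/offset options of one rule."""
    m = re.match(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$', rule)
    opts = dict(o.strip().split(":", 1) for o in m.group(8).split(";") if o.strip())
    hexstr = opts["content"].strip('"').strip("|")
    return {"dport": parse_ports(m.group(7)),
            "content": bytes.fromhex(hexstr),
            "offset": int(opts.get("offset", 0)),
            "sid": int(opts["sid"])}

def rule_matches(rule, dport, payload):
    """Header and payload tests are independent; the rule alerts only if both hold.
    (flags:A+ is not modelled; the packet in the post carries ACK, so it passes.)"""
    lo, hi = rule["dport"]
    port_ok = lo <= dport <= hi
    content_ok = payload.find(rule["content"], rule["offset"]) != -1
    return {"port": port_ok, "content": content_ok, "alert": port_ok and content_ok}

def check_post_packet():
    """Evaluate sid 1278 against the packet from the post (dst port 63498)."""
    return rule_matches(parse_rule(RULE), POST_DST_PORT, PAYLOAD)

if __name__ == "__main__":
    print(parse_rule(RULE)["dport"], check_post_packet())
```

Running it shows the port test passing as well as the content test, because 63498 lies inside the 32770..65535 range the rule specifies.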



