[Snort-users] Snort frustration

Joel Esler joel.esler at ...1935...
Fri Jun 2 12:36:35 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Are you sure barnyard is reading the properly updated sig-msg.map file?

Joel

Humes, David G. wrote:
> I added this rule to look for Google Desktop traffic.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Google
> Desktop User-Agent detected"; flow:established,to_server; content:"GET
> "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Mozilla/4.0
> (compatible\; Google Desktop)"; nocase; threshold:type limit,track
> by_src, count 1,seconds 300; classtype:policy-violation; sid:8001018;
> rev:1;)
> 
> And it appears to have fired on this packet.
> 
> Generated by BASE v1.2.4 (melissa) on Fri,  2 Jun 2006 12:14:38 -0400
> 
> ------------------------------------------------------------------------------
> #(1 - 3031457) [2006-06-02 11:46:34] [local/8001018] [snort/8001018]
> Google Desktop User-Agent detected
> IPv4: 192.168.1.100 -> 216.239.39.99
>       hlen=5 TOS=0 dlen=83 ID=9124 flags=2 offset=0 TTL=126 chksum=65404
> TCP:  port=2181 -> dport: 80  flags=***AP*** seq=395991789
>       ack=781565658 off=5 res=0 win=65535 urp=0 chksum=64289
> Payload:  length = 43
> 
> 000 : 47 45 54 20 2F 64 73 6E 65 77 73 3F 6A 3D 36 26   GET /dsnews?j=6&
> 010 : 68 6C 3D 65 6E 26 65 64 3D 63 6F 6D 26 76 3D 32   hl=en&ed=com&v=2
> 020 : 20 48 54 54 50 2F 31 2E 31 0D 0A                   HTTP/1.1..
> 
> This is a continual frustration, where a rule fires and the payload does
> not match.  Most of the time, the payload does match.  But, it's not
> hard to find instances like the one above.  Can anyone offer some
> reasons why this may be occurring and what can be done to correct the
> problem?  Was there some payload that really did match and it's just
> showing the wrong payload?  Or did the detection engine just mess up?
> 
> We're running Version 2.4.3 (Build 26), but this problem has been with
> us through two generations of Snort sensors and numerous versions.  We
> use Barnyard and unified logging, but the problem was seen before we
> implemented Barnyard.  Any help would be greatly appreciated.
> 
> -Dave
> 

- --
+---------------------------------------------------------------------+
Joel Esler  	     Senior Security Consultant 	1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
GPG Key http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEgGkTKbCSyXHckt4RAqd9AKCB/mUcfnHuO4ld9pixNt6bvNhA/ACfVLoA
IIem+mi7P5/SHmGcGheDoKk=
=8Eua
-----END PGP SIGNATURE-----
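As an added example (not code from this thread, nor from Snort, Barnyard or BASE), the Python script below rebuilds the 43-byte payload from the BASE hex dump quoted above, decodes the rule's two content strings and applies them with simplified Snort 2.x content semantics (non-relative content options, nocase, offset/depth evaluated against the single logged packet payload, no stream reassembly), and also shows the sid-to-msg lookup in sig-msg.map that Joel asks about. The sig-msg.map excerpt, the simplified matching semantics and all function names are assumptions of the example. On the logged packet the first content ("GET " at offset 0) matches and the second (the Google Desktop User-Agent) does not, which is exactly the mismatch Dave describes.

```python
import re

# Constructed copy of the 43-byte payload from the BASE alert quoted in the thread.
BASE_HEXDUMP = """\
000 : 47 45 54 20 2F 64 73 6E 65 77 73 3F 6A 3D 36 26   GET /dsnews?j=6&
010 : 68 6C 3D 65 6E 26 65 64 3D 63 6F 6D 26 76 3D 32   hl=en&ed=com&v=2
020 : 20 48 54 54 50 2F 31 2E 31 0D 0A                   HTTP/1.1..
"""

# The two content options of the rule in the quoted message, in rule order:
# (content string as written in the rule, offset, depth, nocase)
RULE_CONTENTS = [
    ("GET ", 0, 4, False),
    ("|0d 0a|User-Agent\\: Mozilla/4.0 (compatible\\; Google Desktop)", None, None, True),
]

# Constructed sig-msg.map excerpt in the 'sid || msg' layout (an assumption of
# this example); the 8001018 entry is the sid/msg pair from the thread.
SIG_MSG_MAP = """\
8001017 || LOCAL some other local rule
8001018 || Google Desktop User-Agent detected
"""

BYTES_PER_LINE = 16


def parse_base_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from a BASE 'off : hh hh ... ascii' dump.

    Only the fixed-width hex column (3 chars per byte) is read, so ASCII
    text that happens to look like hex digits cannot be mis-parsed.
    """
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        hex_col = line.split(" : ", 1)[1][: BYTES_PER_LINE * 3]
        out += bytes.fromhex(hex_col.replace(" ", ""))
    return bytes(out)


def parse_snort_content(spec: str) -> bytes:
    """Decode a Snort content string: |hh hh| hex blocks and backslash escapes."""
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "|":
            j = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:j].replace(" ", ""))
            i = j + 1
        elif c == "\\" and i + 1 < len(spec):
            out.append(ord(spec[i + 1]))  # \: \; \" \\ stand for the literal char
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def content_matches(payload: bytes, pattern: bytes, offset=None, depth=None, nocase=False) -> bool:
    """Simplified semantics for a non-relative content option: search the
    window payload[offset : offset + depth] (whole payload when unset)."""
    start = offset or 0
    end = len(payload) if depth is None else start + depth
    window = payload[start:end]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


def evaluate_rule(payload: bytes, contents=RULE_CONTENTS):
    """Apply each content option in order; returns [(pattern, matched), ...]."""
    results = []
    for spec, offset, depth, nocase in contents:
        pattern = parse_snort_content(spec)
        results.append((pattern, content_matches(payload, pattern, offset, depth, nocase)))
    return results


def lookup_sigmsg(sigmap: str, sid: int):
    """Return the msg text sig-msg.map maps to this sid, or None if absent."""
    for line in sigmap.splitlines():
        parts = [p.strip() for p in line.split("||", 1)]
        if len(parts) == 2 and parts[0].isdigit() and int(parts[0]) == sid:
            return parts[1]
    return None


if __name__ == "__main__":
    payload = parse_base_hexdump(BASE_HEXDUMP)
    print(f"payload length = {len(payload)} bytes")
    for pattern, ok in evaluate_rule(payload):
        print(f"{'MATCH   ' if ok else 'NO MATCH'} {pattern!r}")
    print("sig-msg.map sid 8001018 ->", lookup_sigmsg(SIG_MSG_MAP, 8001018))
```

The script answers only the first-order question, whether the logged packet satisfies the rule as written. When it reports no match for a required content, the remaining checks are the ones the thread raises: that the event's sid really maps to the message shown (the sig-msg.map lookup above) and whether the detection was made over something other than the single packet that got logged.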
