[Snort-users] Snort frustration

Paul Schmehl pauls at ...6838...
Fri Jun 2 15:22:46 EDT 2006


Humes, David G. wrote:
> I added this rule to look for Google Desktop traffic.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Google
> Desktop User-Agent detected"; flow:established,to_server; content:"GET
> "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Mozilla/4.0
> (compatible\; Google Desktop)"; nocase; threshold:type limit,track
> by_src, count 1,seconds 300; classtype:policy-violation; sid:8001018;
> rev:1;)
> 
> And it appears to have fired on this packet.
> 
> Generated by BASE v1.2.4 (melissa) on Fri,  2 Jun 2006 12:14:38 -0400
> 
> ------------------------------------------------------------------------
> ------
> #(1 - 3031457) [2006-06-02 11:46:34] [local/8001018] [snort/8001018]
> Google Desktop User-Agent detected
> IPv4: 192.168.1.100 -> 216.239.39.99

dig -x 216.239.39.99

; <<>> DiG 9.3.1 <<>> -x 216.239.39.99
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10374
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;99.39.239.216.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
39.239.216.in-addr.arpa. 60     IN      SOA     ns1.google.com. 
dns-admin.google.com. 2004031201 21600 3600 1038800 60

whois 216.239.39.99

OrgName:    Google Inc.
OrgID:      GOGL
Address:    1600 Amphitheatre Parkway
City:       Mountain View
StateProv:  CA
PostalCode: 94043
Country:    US

NetRange:   216.239.32.0 - 216.239.63.255
CIDR:       216.239.32.0/19
NetName:    GOOGLE

That's a Google-owned address.  I'm betting it's Google Desktop.

>       hlen=5 TOS=0 dlen=83 ID=9124 flags=2 offset=0 TTL=126 chksum=65404
> TCP:  port=2181 -> dport: 80  flags=***AP*** seq=395991789
>       ack=781565658 off=5 res=0 win=65535 urp=0 chksum=64289
> Payload:  length = 43
> 
> 000 : 47 45 54 20 2F 64 73 6E 65 77 73 3F 6A 3D 36 26   GET /dsnews?j=6&
> 010 : 68 6C 3D 65 6E 26 65 64 3D 63 6F 6D 26 76 3D 32   hl=en&ed=com&v=2
> 020 : 20 48 54 54 50 2F 31 2E 31 0D 0A                   HTTP/1.1..

What's on line 030, 040, etc.?  Do you have a pcap?  It looks like your 
rule is doing exactly what you would expect it to do, but you're not 
capturing (or at least seeing in BASE) the remainder of the packet.  The 
UserAgent info follows the GET *and* the HTTP/1.1, so it's further down 
in the packet.

-- 
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
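A quick way to settle the question Paul raises is to check the dumped bytes directly. The following Python script is an added example, not part of the thread and not Snort's own code: it rebuilds the payload from the BASE hex dump quoted above, computes the payload length that the quoted IP/TCP header fields (dlen, hlen, off) imply, and applies the two content clauses of the sid:8001018 rule to those bytes. The content matcher is a simplified re-implementation of Snort's offset/depth/nocase semantics with its |hex| and backslash escapes translated; the function names, the hand-copied dump, and the omission of the rule's flow and threshold options are my assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed input: the three BASE payload lines copied from the message above.
HEX_DUMP = """\
000 : 47 45 54 20 2F 64 73 6E 65 77 73 3F 6A 3D 36 26   GET /dsnews?j=6&
010 : 68 6C 3D 65 6E 26 65 64 3D 63 6F 6D 26 76 3D 32   hl=en&ed=com&v=2
020 : 20 48 54 54 50 2F 31 2E 31 0D 0A                   HTTP/1.1..
"""

# Content clauses of the quoted rule: (snort content spec, offset, depth, nocase).
# flow, threshold and classtype are session/alerting options, not byte matches.
RULE_CONTENTS: List[Tuple[str, int, Optional[int], bool]] = [
    ("GET ", 0, 4, False),
    ("|0d 0a|User-Agent\\: Mozilla/4.0 (compatible\\; Google Desktop)", 0, None, True),
]


def parse_base_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from BASE-style 'OFF : HH HH ...   ascii' lines.

    Reads hex pairs after the colon and stops at the first token that is not a
    two-digit hex pair, which is where the ASCII column begins.  A line never
    carries more than 16 bytes, so the count is capped to avoid swallowing an
    ASCII token that happens to look like hex.
    """
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        taken = 0
        for tok in line.split(":", 1)[1].split():
            if taken == 16 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def implied_payload_len(dlen: int, ip_hlen_words: int, tcp_off_words: int) -> int:
    """IP total length minus the IP and TCP headers (both given in 32-bit words).

    Comparing this with the dumped payload length tells you whether the logger
    stored the whole packet or trimmed it.
    """
    return dlen - 4 * ip_hlen_words - 4 * tcp_off_words


def snort_content_to_bytes(spec: str) -> bytes:
    """Translate Snort content syntax: |hh hh| hex sections and \\ escapes."""
    out = bytearray()
    i, in_hex = 0, False
    while i < len(spec):
        c = spec[i]
        if c == "|":
            in_hex = not in_hex
            i += 1
        elif in_hex:
            if c.isspace():
                i += 1
            else:
                out.append(int(spec[i:i + 2], 16))
                i += 2
        elif c == "\\":
            out.append(ord(spec[i + 1]))  # escaped ';' ':' '"' '|' or '\'
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Emulate one Snort 'content' clause: search a window starting at offset,
    limited to depth bytes when depth is given, case-insensitively if nocase."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


def evaluate_rule(payload: bytes) -> List[bool]:
    """Return one True/False per content clause of the rule, in rule order."""
    return [content_match(payload, snort_content_to_bytes(spec), off, depth, nocase)
            for spec, off, depth, nocase in RULE_CONTENTS]


if __name__ == "__main__":
    payload = parse_base_hexdump(HEX_DUMP)
    print("dumped payload bytes :", len(payload))
    print("header-implied bytes :", implied_payload_len(dlen=83, ip_hlen_words=5, tcp_off_words=5))
    print("payload              :", payload)
    print("content clause hits  :", evaluate_rule(payload))
```

The header-implied length is computed from the dlen, hlen and off values shown in the BASE record, so the comparison with the dumped length is the first thing to check before looking for a pcap; the clause-by-clause result shows which part of the rule the displayed bytes do and do not satisfy.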