[Snort-users] Can't suppress Tagged Packet

Rob Ward rob.ward at ...11329...
Fri May 26 07:10:03 EDT 2006


--On 26 May 2006 09:40 -0400 Joel Esler <joel.esler at ...1935...> wrote:

> Suppose you can copy and paste (take out the IP's) the alert you are
> getting?
>
> Joel

Strange - these aren't appearing in my sensors' alert files, only in the 
database, and they seem to be related to the following alerts, triggered by a 
Bleeding Snort rule, which DO appear in the alert file:

> [**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on
> non-std port [**] [Classification: A Network Trojan was detected]
> [Priority: 1]
> 05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800 len:0x6A
> X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172
> IpLen:20 DgmLen:92 DF ***AP*** Seq: 0x1EA9AEA7  Ack: 0x769ADDBF  Win:
> 0xFC00  TcpLen: 20

On investigation the majority of these are false positives but some can be 
linked to Botnets.

The corresponding Tagged Packet alert that's in the database is:

> Generated by BASE v1.2.2 (cindy) on Fri, 26 May 2006 15:06:19 +0100
>
> ------------------------------------------------------------------------------
> # (6 - 221802) [2006-05-26 14:54:24] [snort/1]  Tagged Packet
> IPv4: X.X.X.X -> 85.158.9.6
>       hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
> TCP:  port=2353 -> dport: 8000  flags=***AP*** seq=514436775
>       ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
> Payload:  length = 52
>
> 000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65   PRIVMSG #uk_live
> 010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A   rpool_cruising :
> 020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F   ANY1 WANNA CHAT?
> 030 : 3F 3F 0D 0A                                       ??..

Thanks

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department 
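One check worth doing on the two records quoted in this thread is to confirm that the "Tagged Packet" row in the database and the full-format alert written by the rule describe the same TCP segment, rather than two different packets that merely share a destination. The following Python script is an added example, not code from the post or from Snort/BASE: it parses the two record formats as they appear above (with the poster's redacted "X.X.X.X" source address left as-is), converts the hex Seq/Ack/Win fields of the alert to the decimal values BASE shows, compares the 5-tuple, IP ID, TTL and TCP sequence numbers, and checks that DgmLen minus the IP and TCP headers equals the stored payload length. The regular expressions are written for exactly these two layouts and are an assumption for anything else.

```python
import re

# Records copied from the mailing-list post (the poster's own output, re-joined to
# Snort's full-alert line layout). "X.X.X.X" is the address the poster redacted.
FULL_ALERT = """[**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port [**] [Classification: A Network Trojan was detected] [Priority: 1]
05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800 len:0x6A
X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172 IpLen:20 DgmLen:92 DF
***AP*** Seq: 0x1EA9AEA7  Ack: 0x769ADDBF  Win: 0xFC00  TcpLen: 20
"""

BASE_RECORD = """# (6 - 221802) [2006-05-26 14:54:24] [snort/1]  Tagged Packet
IPv4: X.X.X.X -> 85.158.9.6
      hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
TCP:  port=2353 -> dport: 8000  flags=***AP*** seq=514436775
      ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
Payload:  length = 52

000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65   PRIVMSG #uk_live
010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A   rpool_cruising :
020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F   ANY1 WANNA CHAT?
030 : 3F 3F 0D 0A                                       ??..
"""


def parse_full_alert(text):
    """Pull the rule id, IP/TCP header fields and (hex) TCP numbers out of a
    Snort full-format alert. Seq/Ack/Win are converted to integers so they can
    be compared with the decimal values BASE displays."""
    sig = re.search(r'\[(\d+):(\d+):(\d+)\]', text)
    ip = re.search(r'(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+) TOS:0x[0-9A-Fa-f]+ '
                   r'ID:(\d+) IpLen:(\d+) DgmLen:(\d+)', text)
    tcp = re.search(r'Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)\s+'
                    r'Win: 0x([0-9A-Fa-f]+)\s+TcpLen: (\d+)', text)
    return {
        'gid_sid_rev': tuple(int(x) for x in sig.groups()),
        'src': ip.group(1), 'sport': int(ip.group(2)),
        'dst': ip.group(3), 'dport': int(ip.group(4)),
        'ttl': int(ip.group(5)), 'ip_id': int(ip.group(6)),
        'iplen': int(ip.group(7)), 'dgmlen': int(ip.group(8)),
        'seq': int(tcp.group(1), 16), 'ack': int(tcp.group(2), 16),
        'win': int(tcp.group(3), 16), 'tcplen': int(tcp.group(4)),
    }


def parse_base_record(text):
    """Parse the BASE packet view: header fields plus the hex dump, which is
    reassembled into the raw payload bytes (the ASCII column is ignored)."""
    ip = re.search(r'IPv4: (\S+) -> (\S+)', text)
    iph = re.search(r'hlen=(\d+) TOS=(\d+) dlen=(\d+) ID=(\d+) .*? TTL=(\d+)', text)
    tcp = re.search(r'port=(\d+) -> dport: (\d+)\s+flags=(\S+) seq=(\d+)\s+'
                    r'ack=(\d+) off=(\d+) res=\d+ win=(\d+)', text)
    plen = int(re.search(r'Payload:\s+length = (\d+)', text).group(1))
    # Each dump line is "OFF : <16 hex bytes, 48 columns> <ascii>"; keep only the hex field.
    hex_tokens = []
    for m in re.finditer(r'^\s*[0-9A-Fa-f]{3} : (.*)$', text, re.M):
        hex_tokens.extend(m.group(1)[:48].split())
    return {
        'src': ip.group(1), 'dst': ip.group(2),
        'hlen': int(iph.group(1)), 'dlen': int(iph.group(3)),
        'ip_id': int(iph.group(4)), 'ttl': int(iph.group(5)),
        'sport': int(tcp.group(1)), 'dport': int(tcp.group(2)),
        'flags': tcp.group(3), 'seq': int(tcp.group(4)), 'ack': int(tcp.group(5)),
        'tcp_off': int(tcp.group(6)), 'win': int(tcp.group(7)),
        'payload_len': plen, 'payload': bytes.fromhex(''.join(hex_tokens)),
    }


def same_packet(alert, tagged):
    """True when both records describe the same TCP segment: same endpoints,
    same IP ID and TTL, same sequence/ack numbers and window."""
    return all([
        alert['src'] == tagged['src'], alert['dst'] == tagged['dst'],
        alert['sport'] == tagged['sport'], alert['dport'] == tagged['dport'],
        alert['ip_id'] == tagged['ip_id'], alert['ttl'] == tagged['ttl'],
        alert['seq'] == tagged['seq'], alert['ack'] == tagged['ack'],
        alert['win'] == tagged['win'],
    ])


def payload_length_consistent(alert, tagged):
    """DgmLen minus the IP and TCP headers must equal the payload BASE stored."""
    expected = alert['dgmlen'] - alert['iplen'] - alert['tcplen']
    return expected == tagged['payload_len'] == len(tagged['payload'])


def irc_summary(payload):
    """Return (command, target) from an IRC line such as 'PRIVMSG #chan :text'."""
    command, target, _ = payload.decode('ascii', 'replace').split(' ', 2)
    return command, target


if __name__ == '__main__':
    a, t = parse_full_alert(FULL_ALERT), parse_base_record(BASE_RECORD)
    print('rule', a['gid_sid_rev'], 'same packet:', same_packet(a, t),
          'length ok:', payload_length_consistent(a, t), irc_summary(t['payload']))
```

Both checks pass on the records above, which supports the poster's reading that the database row is the tag-generated copy of the packet that fired sid 2000347 rather than an unrelated event; the same two functions can be run over any pair of alert-file and BASE records that look related.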
