[Snort-users] Can't suppress Tagged Packet

Joel Esler joel.esler at ...1935...
Fri May 26 07:21:05 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Heh.  I wrote those rules a while back before I came to work for
Sourcefire.  At the time botnets were all over the place and there was
really no way to detect how they were getting in, so I wrote them with
the theory that all botnets were IRC at the time.

(The rules are basically the same at the Snort.org rules)

The tag was included in order to do exactly that, track botnets.  I used
to log in binary mode, so when a botnet was on the network, I could
reconstruct the whole session.  Since IRC was not allowed on our
networks (I was .mil), it was easy to track down botnets (plus anyone
that was using IRC was in violation, so we got them too). However, on a
university network, this won't work, as IRC is allowed.

I would either A) remove the tag from the rule, or B) suppress actual
IRC servers based off the server IP.  Since B is alot of work, A may be
faster.

tag 'alerts' are logged to db because they are under the "log" directive
as opposed to the "alert" directive.  Therefore they go to your db, as
the actual rule that triggered it goes to the alert file.

Joel

Rob Ward wrote:
> --On 26 May 2006 09:40 -0400 Joel Esler <joel.esler at ...1935...> wrote:
> 
>> Suppose you can copy and paste (take out the IP's) the alert you are
>> getting?
>>
>> Joel
> 
> Strange - these aren't appearing in my sensors alert files only the
> database and seem to be related to the following alerts triggered by a
> Bleeding Snort Rule which DO appear in the alert file:
> 
>> [**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on
>> non-std port [**] [Classification: A Network Trojan was detected]
>> [Priority: 1]
>> 05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800
>> len:0x6A
>> X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172
>> IpLen:20 DgmLen:92 DF ***AP*** Seq: 0x1EA9AEA7  Ack: 0x769ADDBF  Win:
>> 0xFC00  TcpLen: 20
> 
> On investigation the majority of these are false positives but some can
> be linked to Botnets.
> 
> The corresponding Tagged Packet alert that's in the database is:
> 
>> Generated by BASE v1.2.2 (cindy) on Fri, 26 May 2006 15:06:19 +0100
>>
>> -------------------------------------------------------------------------
>> -----
>> # (6 - 221802) [2006-05-26 14:54:24] [snort/1]  Tagged Packet
>> IPv4: X.X.X.X -> 85.158.9.6
>>       hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
>> TCP:  port=2353 -> dport: 8000  flags=***AP*** seq=514436775
>>       ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
>> Payload:  length = 52
>>
>> 000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65   PRIVMSG #uk_live
>> 010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A   rpool_cruising :
>> 020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F   ANY1 WANNA CHAT?
>> 030 : 3F 3F 0D 0A                                       ??..
> 
> Thanks
> 
> Rob Ward
> Network Northwest Support
> University of Liverpool
> Computing Services Department
> 
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and Risk!
> Fully trained technicians. The highest number of Red Hat certifications in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEdw6nKbCSyXHckt4RAqbXAJ9Ts4YDlhyxiIAeLNcDKHOsXJNIyQCdHGtU
lPfLiZTK0PRib3UTp8YQZSY=
=zULI
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list