[Snort-users] Can't suppress Tagged Packet

Bamm Visscher bamm.visscher at ...11827...
Fri May 26 07:23:04 EDT 2006


They won't be in your alert file as the tagged packets are a "log" func.

That rule most definitely uses the "tag" keyword.

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:
"BLEEDING-EDGE ATTACK RESPONSE IRC - Nick change on non-std port";
flow: to_server,established; dsize: <64; content:"NICK "; nocase;
offset: 0; depth: 5; tag: session,300,seconds; classtype:
trojan-activity; sid: 2000345; rev:5; )

Bammkkkk

On 5/26/06, Rob Ward <rob.ward at ...11329...> wrote:
> --On 26 May 2006 09:40 -0400 Joel Esler <joel.esler at ...1935...> wrote:
>
> > Suppose you can copy and paste (take out the IP's) the alert you are
> > getting?
> >
> > Joel
>
> Strange - these aren't appearing in my sensors alert files only the
> database and seem to be related to the following alerts triggered by a
> Bleeding Snort Rule which DO appear in the alert file:
>
> > [**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on
> > non-std port [**] [Classification: A Network Trojan was detected]
> > [Priority: 1]
> > 05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800 len:0x6A
> > X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172
> > IpLen:20 DgmLen:92 DF ***AP*** Seq: 0x1EA9AEA7  Ack: 0x769ADDBF  Win:
> > 0xFC00  TcpLen: 20
>
> On investigation the majority of these are false positives but some can be
> linked to Botnets.
>
> The corresponding Tagged Packet alert that's in the database is:
>
> > Generated by BASE v1.2.2 (cindy) on Fri, 26 May 2006 15:06:19 +0100
> >
> > ------------------------------------------------------------------------------
> > # (6 - 221802) [2006-05-26 14:54:24] [snort/1]  Tagged Packet
> > IPv4: X.X.X.X -> 85.158.9.6
> >       hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
> > TCP:  port=2353 -> dport: 8000  flags=***AP*** seq=514436775
> >       ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
> > Payload:  length = 52
> >
> > 000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65   PRIVMSG #uk_live
> > 010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A   rpool_cruising :
> > 020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F   ANY1 WANNA CHAT?
> > 030 : 3F 3F 0D 0A                                       ??..
>
> Thanks
>
> Rob Ward
> Network Northwest Support
> University of Liverpool
> Computing Services Department
>
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
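
To make the mechanism concrete, here is a small added example (my own, not code from the thread or from Snort) that models what the "tag" option in that rule does. It re-joins the rule above onto one line (Snort wants it that way), pulls out the tag option, simulates which packets of the offending session Snort would log as "Tagged Packet" under tag:session,300,seconds, and produces a local copy of the rule with the tag option removed, which is the usual way to keep the alert while stopping the follow-on log entries. The packet list and the 192.0.2.x / 198.51.100.x addresses are constructed; the 256-packet default for tagged_packet_limit is the documented Snort 2.x default; host tags and the bytes metric are deliberately not modelled.

```python
"""Simplified model of the Snort 2.x 'tag' rule option (added example, not Snort code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The rule from Bamm's post, re-joined onto a single line as Snort expects it.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 ('
    'msg:"BLEEDING-EDGE ATTACK RESPONSE IRC - Nick change on non-std port"; '
    'flow: to_server,established; dsize: <64; content:"NICK "; nocase; '
    'offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; '
    'sid: 2000345; rev:5;)'
)


def parse_options(rule: str) -> List[Tuple[str, str]]:
    """Split the parenthesised rule body into (keyword, value) pairs.
    A ';' inside a quoted string (msg, content) does not end an option."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, cur, in_quote, prev = [], '', False, ''
    for ch in body:
        if ch == '"' and prev != '\\':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(cur)
            cur = ''
        else:
            cur += ch
        prev = ch
    if cur.strip():
        opts.append(cur)
    pairs = []
    for opt in opts:
        key, _, val = opt.strip().partition(':')
        pairs.append((key.strip(), val.strip()))
    return pairs


@dataclass
class Tag:
    kind: str                       # 'session' or 'host'
    count: int                      # how many <metric> units to keep logging
    metric: str                     # 'packets', 'seconds' or 'bytes'
    direction: Optional[str] = None  # 'src'/'dst', only used by host tags


def parse_tag(value: str) -> Tag:
    """tag:<type>,<count>,<metric>[,<direction>]"""
    parts = [p.strip() for p in value.split(',')]
    if len(parts) < 3 or parts[0] not in ('session', 'host') \
            or parts[2] not in ('packets', 'seconds', 'bytes'):
        raise ValueError(f'unsupported tag option: {value!r}')
    return Tag(parts[0], int(parts[1]), parts[2], parts[3] if len(parts) > 3 else None)


def find_tag(rule: str) -> Optional[Tag]:
    for key, val in parse_options(rule):
        if key == 'tag':
            return parse_tag(val)
    return None


def strip_tag(rule: str) -> str:
    """Local copy of the rule that still alerts but logs no follow-on packets."""
    head = rule[:rule.index('(')]
    kept = [f'{k}:{v}' if v else k for k, v in parse_options(rule) if k != 'tag']
    return head + '(' + '; '.join(kept) + ';)'


@dataclass
class Pkt:
    ts: float   # seconds, relative
    src: str
    sport: int
    dst: str
    dport: int


def same_session(a: Pkt, b: Pkt) -> bool:
    """A session tag covers both directions of the flow that fired the rule."""
    return {(a.src, a.sport), (a.dst, a.dport)} == {(b.src, b.sport), (b.dst, b.dport)}


def tagged_packets(packets: List[Pkt], trigger: int, tag: Tag,
                   tagged_packet_limit: int = 256) -> List[int]:
    """Indices of packets logged as 'Tagged Packet' after packets[trigger] fires the rule.
    tagged_packet_limit caps seconds-based tags (Snort default 256; 0 disables the cap)."""
    if tag.kind != 'session' or tag.metric == 'bytes':
        raise NotImplementedError('only session tags with packets/seconds are modelled')
    t0 = packets[trigger]
    hard_cap = tag.count if tag.metric == 'packets' else tagged_packet_limit
    out: List[int] = []
    for i in range(trigger + 1, len(packets)):
        p = packets[i]
        if not same_session(p, t0):
            continue
        if tag.metric == 'seconds' and p.ts - t0.ts > tag.count:
            break
        out.append(i)
        if hard_cap and len(out) >= hard_cap:
            break
    return out


# Constructed sample: an IRC session on port 8000 plus one unrelated HTTPS packet.
SAMPLE = [
    Pkt(0.0,   '192.0.2.10', 2353,  '85.158.9.6',   8000),  # NICK, fires sid 2000345
    Pkt(0.2,   '85.158.9.6', 8000,  '192.0.2.10',   2353),  # server reply (tagged)
    Pkt(1.0,   '192.0.2.10', 2353,  '85.158.9.6',   8000),  # PRIVMSG (tagged)
    Pkt(1.5,   '192.0.2.10', 40001, '198.51.100.7', 443),   # other session, not tagged
    Pkt(250.0, '192.0.2.10', 2353,  '85.158.9.6',   8000),  # tagged
    Pkt(299.9, '85.158.9.6', 8000,  '192.0.2.10',   2353),  # still inside 300 s
    Pkt(300.5, '192.0.2.10', 2353,  '85.158.9.6',   8000),  # window expired
]

if __name__ == '__main__':
    print(find_tag(RULE))
    print(tagged_packets(SAMPLE, 0, find_tag(RULE)))
    print(strip_tag(RULE))
```

Run it and you get the four session packets that would show up as "Tagged Packet" rows in the database while never touching the alert file, and a rule text you can drop into local.rules (with the original disabled) if you only want the alert.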
