[Snort-users] darpa dataset problem(zero alert)

mehdi maleki mehdimlk2003 at ...131...
Wed Aug 13 16:03:51 EDT 2014


The default configuration of the rules doesn't generate alerts, so I changed some settings in snort.conf (enabled some alerts). Nearly 23000 alerts were generated, but there isn't any gid=1. General alerts weren't generated in my output alert file, while in your output there are many gid=1 alerts. Which section is responsible for gid=1 alerts? What changes do I need to perform in the snort.conf file to have output the same as yours? I attach my snort.conf file & alert file.
Thanks.
m. maleki



On Tuesday, August 12, 2014 10:51 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
 


On Aug 7, 2014, at 11:42 AM, Joel Esler <jesler at ...589...> wrote:


On Aug 6, 2014, at 3:42 AM, mehdi maleki <mehdimlk2003 at ...131...> wrote:
>
>
>>I've read the FAQ but there isn't any solution for my problem.
>>
>Can you post the link to the darpa pcap you are using?
>
So, I ran the pcap you provided the link to against my Snort instance with all the rules turned on, and I get a couple of alerts:

1:22114:5       SERVER-MAIL Metamail header length exploit attempt               Alerts: 6
1:1213:13       SERVER-WEBAPP backup access                                      Alerts: 4
1:22115:5       SERVER-MAIL Metamail header length exploit attempt               Alerts: 750
1:17152:6       SERVER-SAMBA Samba smbd flags2 header parsing denial of service attempt     Alerts: 2
1:218:8         MALWARE-BACKDOOR MISC Solaris 2.5 attempt                        Alerts: 1
1:1648:20       SERVER-WEBAPP perl.exe command attempt                           Alerts: 2
1:15935:6       PROTOCOL-DNS dns response for rfc1918 192.168/16 address detected     Alerts: 1261
1:4675:10       FILE-FLASH Adobe Flash DOACTION tag overflow attempt             Alerts: 1
1:648:14        INDICATOR-SHELLCODE x86 NOOP                                     Alerts: 17
1:1437:27       FILE-IDENTIFY Microsoft Windows Media download detected          Alerts: 1
1:368:10        PROTOCOL-ICMP PING BSDtype                                       Alerts: 30
1:1668:14       SERVER-WEBAPP /cgi-bin/ access                                   Alerts: 1
1:1288:16       SERVER-OTHER Microsoft Frontpage /_vti_bin/ access               Alerts: 9
1:15934:6       PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected     Alerts: 4653
1:853:17        SERVER-WEBAPP wrap access                                        Alerts: 4
1:4135:19       BROWSER-IE Microsoft Internet Explorer JPEG rendering buffer overflow attempt     Alerts: 13
1:1729:15       POLICY-SOCIAL IRC channel join                                   Alerts: 7
1:839:20        SERVER-WEBAPP finger access                                      Alerts: 8
1:31406:1       SERVER-OTHER Samsung TV denial of service attempt                Alerts: 41
1:1024:20       SERVER-IIS newdsn.exe access                                     Alerts: 1
1:2921:10       PROTOCOL-DNS UDP inverse query                                   Alerts: 5
1:24304:2       PROTOCOL-DNS dead alive6 DNS attempt                             Alerts: 2
1:13948:11      PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning     Alerts: 980
1:1029:18       SERVER-IIS scripts-browse access                                 Alerts: 1
1:2134:14       SERVER-IIS register.asp access                                   Alerts: 4
1:18809:9       BROWSER-FIREFOX Mozilla EnsureCachedAttrParamArrays integer overflow attempt     Alerts: 2
1:384:8         PROTOCOL-ICMP PING                                               Alerts: 227
1:1201:13       INDICATOR-COMPROMISE 403 Forbidden                               Alerts: 71
1:402:11        PROTOCOL-ICMP Destination Unreachable Port Unreachable           Alerts: 938
1:19177:7       SERVER-WEBAPP cookiejacking attempt                              Alerts: 2
1:8759:12       BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.SequencerControl ActiveX clsid access     Alerts: 4
1:895:19        SERVER-WEBAPP redirect access                                    Alerts: 41
1:882:17        SERVER-WEBAPP calendar access                                    Alerts: 35
1:1012:21       SERVER-IIS fpcount attempt                                       Alerts: 6
129:12:1        Consecutive TCP small segments exceeding threshold               Alerts: 151
1:23362:3       SERVER-IIS tilde character file name discovery attempt           Alerts: 2
1:19669:7       POLICY-OTHER Telnet protocol specifier in web page attempt       Alerts: 1
119:31:1        (http_inspect) UNKNOWN METHOD                                    Alerts: 2
1:1309:20       SERVER-WEBAPP zsh access                                         Alerts: 25
1:408:8         PROTOCOL-ICMP Echo Reply                                         Alerts: 218
1:1417:16       PROTOCOL-SNMP request udp                                        Alerts: 1320
1:1025:18       SERVER-IIS perl access                                           Alerts: 1
1:718:16        PROTOCOL-TELNET login incorrect                                  Alerts: 40
1:1156:17       SERVER-WEBAPP apache directory disclosure attempt                Alerts: 40
1:17276:15      FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt     Alerts: 2
1:1077:19       SQL queryhit.htm access                                          Alerts: 1
1:1463:15       POLICY-SOCIAL IRC message                                        Alerts: 98
1:17410:15      OS-WINDOWS Generic HyperLink buffer overflow attempt             Alerts: 40
1:2066:12       SERVER-WEBAPP Lotus Notes .pl script source download attempt     Alerts: 1
1:23861:7       FILE-OTHER heapspray characters detected - binary                Alerts: 2
1:29456:2       PROTOCOL-ICMP Unusual PING detected                              Alerts: 227
1:1292:12       INDICATOR-COMPROMISE directory listing                           Alerts: 12
1:1693:8        SERVER-ORACLE create table attempt                               Alerts: 1
1:1679:8        SERVER-ORACLE describe attempt                                   Alerts: 81
1:2381:18       SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt     Alerts: 42
128:4:1         (spp_ssh) Protocol mismatch                                      Alerts: 15534
1:1200:17       INDICATOR-COMPROMISE Invalid URL                                 Alerts: 19
1:542:20        POLICY-SOCIAL IRC nick change                                    Alerts: 9
120:8:1         (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE              Alerts: 2414
1:530:14        OS-WINDOWS NT NULL session                                       Alerts: 1
1:30342:1       SERVER-WEBAPP Cisco IOS HTTP server denial of service attempt     Alerts: 1
119:32:1        (http_inspect) SIMPLE REQUEST                                    Alerts: 62
1:832:24        SERVER-WEBAPP perl.exe access                                    Alerts: 2
1:2201:17       SERVER-WEBAPP Matt Wright download.cgi access                    Alerts: 1
1:1882:16       INDICATOR-COMPROMISE id check returned userid                    Alerts: 44
1:1149:24       SERVER-WEBAPP count.cgi access                                   Alerts: 37
1:553:13        POLICY-OTHER FTP anonymous login attempt                         Alerts: 127
1:24378:1       POLICY-OTHER TCP packet with urgent flag attempt                 Alerts: 21
1:1606:14       SERVER-WEBAPP icat access                                        Alerts: 1
1:21817:4       PROTOCOL-DNS excessive queries of type ANY - potential DoS       Alerts: 1608
1:973:24        SERVER-IIS *.idc attempt                                         Alerts: 1
119:19:1        (http_inspect) LONG HEADER                                       Alerts: 41
1:20094:7       INDICATOR-COMPROMISE IRC message on non-standard port            Alerts: 32
1:1767:13       SERVER-WEBAPP search.dll access                                  Alerts: 13
1:1026:22       SERVER-IIS perl-browse newline attempt                           Alerts: 1
1:8414:12       FILE-OFFICE Microsoft Office GIF image descriptor memory corruption attempt     Alerts: 39
1:1013:21       SERVER-IIS fpcount access                                        Alerts: 11
120:3:1         (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE     Alerts: 3657
1:3441:9        PROTOCOL-FTP PORT bounce attempt                                 Alerts: 2
1:1560:14       SERVER-WEBAPP /doc/ access                                       Alerts: 30
125:8:1         (ftp_telnet) FTP bounce attempt                                  Alerts: 2
1:16642:7       POLICY-OTHER file URI scheme attempt                             Alerts: 5
1:366:10        PROTOCOL-ICMP PING *NIX                                          Alerts: 30
1:20258:9       OS-WINDOWS Microsoft Forefront UAG javascript handler in URI XSS attempt     Alerts: 3
1:1411:18       PROTOCOL-SNMP public access udp                                  Alerts: 1320
1:1078:19       SQL counter.exe access                                           Alerts: 1
1:13949:12      PROTOCOL-DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers     Alerts: 980 
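An added example, not code from the thread: it parses the "gid:sid:rev  message  Alerts: N" summary format shown above and totals the counts per generator id, so you can check whether any gid=1 (text rule) alerts fired at all, as opposed to the preprocessor generators (119, 120, 125, 128, 129). The gid-to-preprocessor names are the standard Snort 2.9 ones from gen-msg.map (an assumption beyond what the thread shows), and the sample lines are copied from the list above.

```python
import re
from collections import defaultdict

# One line of the summary: "<gid>:<sid>:<rev>  <message>  Alerts: <count>"
SUMMARY_RE = re.compile(r"^\s*(\d+):(\d+):(\d+)\s+(.*?)\s+Alerts:\s*(\d+)\s*$")

# gid 1 is the text rules loaded via "include $RULE_PATH/..." in snort.conf;
# the other gids are built-in preprocessors that alert even with no rule
# files loaded. Names follow Snort 2.9 gen-msg.map (assumption, not from the thread).
GID_NAMES = {
    1: "text rules (RULE_PATH includes)",
    119: "http_inspect (client)",
    120: "http_inspect (server)",
    125: "ftp_telnet (ftp)",
    128: "spp_ssh",
    129: "stream5",
}

# Constructed sample: a handful of lines copied from the summary above.
SAMPLE = """\
1:22114:5       SERVER-MAIL Metamail header length exploit attempt               Alerts: 6
129:12:1        Consecutive TCP small segments exceeding threshold               Alerts: 151
119:31:1        (http_inspect) UNKNOWN METHOD                                    Alerts: 2
128:4:1         (spp_ssh) Protocol mismatch                                      Alerts: 15534
1:384:8         PROTOCOL-ICMP PING                                               Alerts: 227
"""

def parse_summary(text):
    """Return a list of (gid, sid, rev, message, count) tuples, skipping non-matching lines."""
    rows = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            gid, sid, rev, msg, count = m.groups()
            rows.append((int(gid), int(sid), int(rev), msg, int(count)))
    return rows

def totals_by_gid(rows):
    """Sum the alert counts per generator id."""
    totals = defaultdict(int)
    for gid, _sid, _rev, _msg, count in rows:
        totals[gid] += count
    return dict(totals)

def rules_enabled(rows):
    """True if at least one gid=1 alert fired, i.e. rule files were actually loaded."""
    return any(gid == 1 for gid, *_ in rows)

if __name__ == "__main__":
    rows = parse_summary(SAMPLE)
    for gid, total in sorted(totals_by_gid(rows).items()):
        print(f"gid {gid:>3} {GID_NAMES.get(gid, 'other generator'):<32} {total}")
    print("rule alerts present:", rules_enabled(rows))
```

Run it over the full summary (or your own `-A cmg` / fast-alert output reduced to this format) to confirm that an alert file with only 119/120/128/129 entries means the rule includes in snort.conf never loaded.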