Snort mailing list archives
Re: Newbie: Bot Detection Rule
From: Bob Van Cleef <vancleef () microunity com>
Date: Mon, 2 Jul 2001 12:02:58 -0700 (PDT)
I was finally able to connect to http://212.30.210.6:6667 and got the following:

ERROR :Closing Link: [unknown () 192 86 6 xxx] (Ping timeout)

Hmmm

On Mon, 2 Jul 2001, Bob Van Cleef wrote:

On Fri, 22 Jun 2001, Vitaly Osipov wrote:

and regarding rules - I never understood what's the use of logging all packets going to unusual ports etc. So let's say, I've received a UDP packet to port 666 - what am I supposed to do? Complain? (ever heard about spoofing - especially if it's UDP?). That's why I like snort DB logging - the only thing I can do is to log all that garbage to a database to dig it sometimes if something really nasty starts...

Especially when you are not sure what they are telling you, once they do generate an alarm. For example, see below:

The source system is a proxy server, running the old Firewalls Tool Kit. About the only thing it forwards is HTML proxy requests... so I have no clue, looking at this alert, as to why it would generate a connection request to 212.30.210.6:6667

However, the proxy server did have these two log entries.

adsl2-6.simnet.is - - [01/Jul/2001:16:55:06 -0700] "CONNECT 212.30.210.6:6667 HTTP/1.0" 503 265
adsl2-6.simnet.is - - [01/Jul/2001:16:57:25 -0700] "POST http://212.30.210.6:6667/some.cgi HTTP/1.0" 200 58

Interesting.... but not very informative.

Bob

[**] IRC Bot Connection [**]
07/01-16:55:19.091810 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:12232 IpLen:20 DgmLen:40
******S* Seq: 0x296B8400  Ack: 0x0  Win: 0x1000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IRC Bot Connection [**]
07/01-16:55:19.267947 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:12234 IpLen:20 DgmLen:40
***A**** Seq: 0x296B8401  Ack: 0x3DC6A253  Win: 0x1000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IRC Bot Connection [**]
07/01-16:55:19.269021 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:12235 IpLen:20 DgmLen:92
***AP*** Seq: 0x296B8401  Ack: 0x3DC6A253  Win: 0x1000  TcpLen: 20
50 4F 53 54 20 2F 73 6F 6D 65 2E 63 67 69 20 48  POST /some.cgi H
54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 32  TTP/1.0..Host: 2
31 32 2E 33 30 2E 32 31 30 2E 36 3A 36 36 36 37  12.30.210.6:6667
0D 0A 0D 0A                                      ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IRC Bot Connection [**]
07/01-16:57:25.462115 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:14539 IpLen:20 DgmLen:40
***A**** Seq: 0x296B8435  Ack: 0x3DC6A28F  Win: 0x1000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IRC Bot Connection [**]
07/01-16:57:25.745070 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:14541 IpLen:20 DgmLen:40
***A***F Seq: 0x296B8435  Ack: 0x3DC6A28F  Win: 0x1000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
--
<> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><>
Bob Van Cleef, Member of Technical Staff        (408) 734-8100
MicroUnity Systems Engineering, Inc.        FAX (408) 734-8136
376 Martin Ave., Santa Clara, CA 95050     vancleef () microunity com
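The alert above only shows the proxy's own address as the source; the proxy access log is what identifies the real originator. As an added example that is not part of the original post, the following Python script correlates Snort full-alert header lines with proxy access-log lines on destination host:port and a time window, so that each alert is tied back to the CONNECT or POST that caused it. The sample input is constructed from the values quoted in the thread; the year is supplied separately because Snort's alert timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on this thread: the Snort alert headers
# Bob posted and the two proxy access-log lines he quoted.
SNORT_ALERTS = """\
[**] IRC Bot Connection [**]
07/01-16:55:19.091810 192.86.6.23:2893 -> 212.30.210.6:6667
[**] IRC Bot Connection [**]
07/01-16:57:25.462115 192.86.6.23:2893 -> 212.30.210.6:6667
"""
PROXY_LOG = """\
adsl2-6.simnet.is - - [01/Jul/2001:16:55:06 -0700] "CONNECT 212.30.210.6:6667 HTTP/1.0" 503 265
adsl2-6.simnet.is - - [01/Jul/2001:16:57:25 -0700] "POST http://212.30.210.6:6667/some.cgi HTTP/1.0" 200 58
"""

# Snort full-alert header: MM/DD-HH:MM:SS.usec src:port -> dst:port (no year).
ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \S+:\d+ -> (\S+:\d+)")
# Common-log-format proxy line: client - - [DD/Mon/YYYY:HH:MM:SS tz] "METHOD target ..."
PROXY_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [+-]\d{4}\] "(\w+) (\S+)')

def parse_alerts(text, year):
    """Yield (timestamp, 'dst:port') for each alert header line."""
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        yield ts, m.group(2)

def parse_proxy(text):
    """Yield (timestamp, client, method, 'host:port') per proxy request."""
    for m in filter(None, map(PROXY_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        method, target = m.group(3), m.group(4)
        if method != "CONNECT":  # absolute URI: reduce it to host:port
            target = re.sub(r"^\w+://([^/]+).*$", r"\1", target)
        yield ts, m.group(1), method, target

def correlate(alert_text, proxy_text, year=2001, window_s=30):
    """Return [(alert_ts, client, method)] for proxy requests to the alert's
    destination within window_s seconds of it: the proxy client is the real
    origin that the sensor, which sees only the proxy's address, cannot show."""
    requests = list(parse_proxy(proxy_text))
    hits = []
    for a_ts, dst in parse_alerts(alert_text, year):
        for p_ts, client, method, target in requests:
            if target == dst and abs(a_ts - p_ts) <= timedelta(seconds=window_s):
                hits.append((a_ts, client, method))
    return hits
```

With the sample data, the 16:55:19 SYN alert is matched to the CONNECT from adsl2-6.simnet.is thirteen seconds earlier and the 16:57:25 alert to the POST; both alert and proxy timestamps are assumed to be in the same local time zone.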