Snort mailing list archives

What wins? TCP headers or packet contents?


From: John Sage <jsage () finchhaven com>
Date: Tue, 10 Sep 2002 22:09:40 -0700

Let me bring the question up to the top:

So the question for the snort list is:

What wins:

TCP header stuff: i.e. the destination port,

or,

Packet contents stuff: i.e. a hex series within the payload of a
packet, but with no match on destination port?

<snip>


Executive summary:

Twice (once real-time, once on replay against a binary log file) I
have packets matching an rpc.rules by content (a hex sequence) but not
by the destination port stated in the rule.

- John


----- Forwarded message from John Sage <jsage () finchhaven com> -----

Date: Tue, 10 Sep 2002 22:01:55 -0700
From: John Sage <jsage () finchhaven com>
To: "Smith, Donald " <Donald.Smith () foo bar>
Subject: Re: [LOGS] 09/06-09/02 - 72 hour ACID summary
User-Agent: Mutt/1.2.5i


Donald:

On Tue, Sep 10, 2002 at 09:12:08PM -0600, Smith, Donald  wrote:
> Ok what version of snort and what rules?
> This is wrong very wrong, if it's fixed
> I don't care. If it's still broke it needs to be
> fixed:-)
> Thanks

Various specs:

[toot@sparky /storage/snort/old_snorts/090802]# snort -V

-*> Snort! <*-
Version 1.8.7 (Build 128)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
[root@sparky /storage/snort/old_snorts/090802]# 


[toot@sparky /usr/local/snort-rules]# grep /usr/local/snort-rules/rstat *

rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC
rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86
A1|";offset:5; reference:arachnids,9;classtype:attempted-recon;
sid:1278;  rev:3;)


[toot@sparky /usr/local/snort-rules]# more rpc.rules
# (C) Copyright 2001, Martin Roesch, Brian Caswell, et al.  All rights reserved.
# $Id: rpc.rules,v 1.21.2.9 2002/06/05 15:16:21 cazz Exp $
#----------
# RPC RULES
#----------
<snip>


[toot@sparky /]# tcpdump -V
tcpdump version 3.6
libpcap version 0.6
Usage: tcpdump [-adeflnNOpqStuvxX] [-c count] [ -F file ]
                [ -i interface ] [ -r file ] [ -s snaplen ]
                [ -T type ] [ -w file ] [ expression ]

which is identical to my firewall box...


Check out what happens when I replay the binary snort log for that
time period against my snort187check script, which is identical to my
firewall snort configuration except that it runs against *all* rules:

Again, we get:

<snip>
[**] [1:1278:3] RPC rstatd query [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/08/02-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814 
[Xref => http://www.whitehats.com/info/IDS9]
<snip>

which is this packet, by timestamp, and which I am certain is a
portion of a gzipped file:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/08-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814 
0x0000: 45 00 05 DC FA ED 40 00 31 06 4A BA 3F 64 2F 2D  E.....@.1.J.?d/-
0x0010: 0C 52 83 91 00 50 F8 0A E9 A9 91 72 E9 92 6F EA  .R...P.....r..o.
0x0020: 80 10 19 20 DD C3 00 00 01 01 08 0A 5C D1 7E 26  ... ........\.~&
0x0030: 19 7D 82 86 

                    5F 46 36 63 49 66 61 57 3A 68 32 61  .}.._F6cIfaW:h2a
0x0040: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 41 36  F|c7mHcIf2_.i@A6
0x0050: 75 3A 49 68 5F 46 36 63 49 66 61 57 3A 68 32 61  u:Ih_F6cIfaW:h2a
0x0060: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 48 7D  F|c7mHcIf2_.i@H}
0x0070: 38 6A 79 38 59 6A 56 28 2E 42 7A 75 3A 3A 64 6D  8jy8YjV(.Bzu::dm
0x0080: 49 68 64 3B 20 57 53 53 5F 47 57 3D 56 31 41 6C  Ihd; WSS_GW=V1Al
0x0090: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
0x00A0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
0x00B0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
0x00C0: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
0x00D0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
0x00E0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
0x00F0: 51 41 6C 51 7A 25 72 42 51 25 5E 25 72 40 69 3B  QAlQz%rBQ%^%r@i;
0x0100: 20 43 54 47 3D 31 30 32 35 31 39 31 39 31 39 0D   CTG=1025191919.
0x0110: 0A 0D 47 3D 1B 3D 58 0D 02 00 9A 05 00 00 9A 05  ..G=.=X.........
0x0120: 00 00 00 00 0C 04 B2 33 00 03 E3 D9 26 C0 08 00  .......3....&...
0x0130: 45 00 05 8C EB 04 40 00 73 06 FC 52 CC 11 72 09  E.....@.s..R..r.
0x0140: 2E 05 B4 FA 00 50 F9 C1 B3 D2 78 9D 00 01 65 80  .....P....x...e.
0x0150: 50 10 40 B0 46 75 00 00 86 A2 00 00 00 02 00 00  P.@.Fu..........
0x0160: 00 00 00 00 00 01 00 00 00 96 00 00 00 00 00 00  ................
0x0170: 00 96 00 00 00 40 00 00 00 00 00 00 00 00 00 00  .....@..........
0x0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0190: 00 00 00 00 00 00 00 00 00 00 02 00 01 86 A1 00  ................
                 ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
<snip>

The offset seems different, but only because we have IP and TCP
headers, above.

Original post:


09/08-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814 
5F 46 36 63 49 66 61 57 3A 68 32 61 46 7C 63 37  _F6cIfaW:h2aF|c7
6D 48 63 49 66 32 5F 2E 69 40 41 36 75 3A 49 68  mHcIf2_.i@A6u:Ih
5F 46 36 63 49 66 61 57 3A 68 32 61 46 7C 63 37  _F6cIfaW:h2aF|c7
6D 48 63 49 66 32 5F 2E 69 40 48 7D 38 6A 79 38  mHcIf2_.i@H}8jy8
59 6A 56 28 2E 42 7A 75 3A 3A 64 6D 49 68 64 3B  YjV(.Bzu::dmIhd;
20 57 53 53 5F 47 57 3D 56 31 41 6C 51 41 6C 51   WSS_GW=V1AlQAlQ
41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
7A 25 72 42 51 25 5E 25 72 40 69 3B 20 43 54 47  z%rBQ%^%r@i; CTG
3D 31 30 32 35 31 39 31 39 31 39 0D 0A 0D 47 3D  =1025191919...G=
1B 3D 58 0D 02 00 9A 05 00 00 9A 05 00 00 00 00  .=X.............
0C 04 B2 33 00 03 E3 D9 26 C0 08 00 45 00 05 8C  ...3....&...E...
EB 04 40 00 73 06 FC 52 CC 11 72 09 2E 05 B4 FA  ..@.s..R..r.....
00 50 F9 C1 B3 D2 78 9D 00 01 65 80 50 10 40 B0  .P....x...e.P.@.
46 75 00 00 86 A2 00 00 00 02 00 00 00 00 00 00  Fu..............
00 01 00 00 00 96 00 00 00 00 00 00 00 96 00 00  ................
00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .@..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 02 00 01 86 A1 00 00 00 02 00  ................
^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
<snip>

So the question for the snort list is:

What wins:

TCP header stuff: i.e. the destination port,

or,

Packet contents stuff: i.e. a hex series within the payload of a
packet, but with no match on destination port?


heh..

I hate it when this happens.


- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705

----- End forwarded message -----
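Added example, not part of the thread above: a small Python model of how Snort 1.x evaluates the sid:1278 rule against the packet John posted. It parses the rule header's port fields, its flags option and its content/offset (and optional depth) option, then reports which tests matched. Two points of Snort rule syntax are the ones worth seeing in code: a port field of `32770:` is an open-ended range, 32770 through 65535, so the client's ephemeral destination port 63498 satisfies the header; and `offset:5` only sets where the content search begins (the search runs to the end of the payload unless `depth` limits it), so a hex sequence 346 bytes into that region still matches. The rule text and the payload bytes are copied from the post; the parsing and matching helpers are this example's own and cover only the option forms used here.

```python
"""Model of Snort 1.x rule evaluation for sid:1278 against the posted packet.
Added example; rule and payload copied from the post, helpers are our own and
handle only port ranges, flags with + or *, and one pipe-delimited hex content."""
import re

# sid:1278 rev:3 from rpc.rules, as quoted in the post
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; '
        'flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; '
        'reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)')

# TCP payload of the 09/08-16:52:31.887141 packet, as far as the post reproduces
# it (the dump stops at "<snip>"; the full segment carries 1448 payload bytes).
PAYLOAD_HEX = """
5F 46 36 63 49 66 61 57 3A 68 32 61 46 7C 63 37
6D 48 63 49 66 32 5F 2E 69 40 41 36 75 3A 49 68
5F 46 36 63 49 66 61 57 3A 68 32 61 46 7C 63 37
6D 48 63 49 66 32 5F 2E 69 40 48 7D 38 6A 79 38
59 6A 56 28 2E 42 7A 75 3A 3A 64 6D 49 68 64 3B
20 57 53 53 5F 47 57 3D 56 31 41 6C 51 41 6C 51
41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41
6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C
51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51
41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41
6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C
51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51
7A 25 72 42 51 25 5E 25 72 40 69 3B 20 43 54 47
3D 31 30 32 35 31 39 31 39 31 39 0D 0A 0D 47 3D
1B 3D 58 0D 02 00 9A 05 00 00 9A 05 00 00 00 00
0C 04 B2 33 00 03 E3 D9 26 C0 08 00 45 00 05 8C
EB 04 40 00 73 06 FC 52 CC 11 72 09 2E 05 B4 FA
00 50 F9 C1 B3 D2 78 9D 00 01 65 80 50 10 40 B0
46 75 00 00 86 A2 00 00 00 02 00 00 00 00 00 00
00 01 00 00 00 96 00 00 00 00 00 00 00 96 00 00
00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 02 00 01 86 A1 00 00 00 02 00
"""
PAYLOAD = bytes.fromhex(PAYLOAD_HEX)

# header fields of the same packet: 63.100.47.45:80 -> 12.82.131.145:63498, ACK only
PACKET = {"proto": "tcp", "src_port": 80, "dst_port": 63498,
          "flags": "A", "payload": PAYLOAD}


def port_matches(spec, port):
    """Snort port field: 'any', '80', '32770:' (32770-65535), ':1024', '1:1024', '!80'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        lo, hi = 0, 65535
    elif ":" in spec:
        a, b = spec.split(":", 1)
        lo, hi = (int(a) if a else 0), (int(b) if b else 65535)
    else:
        lo = hi = int(spec)
    inside = lo <= port <= hi
    return not inside if negate else inside


def flags_match(spec, flags):
    """'A+': ACK set, other bits ignored; 'A*': any listed bit set; 'A': exactly ACK."""
    want, have = set(spec.rstrip("+*")), set(flags)
    if spec.endswith("+"):
        return want <= have
    if spec.endswith("*"):
        return bool(want & have)
    return want == have


def parse_rule(text):
    """Split a one-line rule into header fields and the option keywords this model uses."""
    hdr, opts = text.split("(", 1)
    _action, proto, _src, src_ports, _arrow, _dst, dst_ports = hdr.split()
    o = dict(re.findall(r'(\w+):\s*("[^"]*"|[^;]*);', opts))
    return {"proto": proto, "src_ports": src_ports, "dst_ports": dst_ports,
            "flags": o.get("flags", ""),
            "content": bytes.fromhex(o["content"].strip('"|')),
            "offset": int(o.get("offset", 0)),
            "depth": int(o["depth"]) if "depth" in o else None}


def evaluate(rule_text, pkt):
    """Return each test's outcome, the content match offset (-1 if none) and 'alert'."""
    r = parse_rule(rule_text)
    # offset:N starts the search at payload byte N; depth:M, if given, limits it
    # to M bytes from there; otherwise the search runs to the end of the payload.
    off, depth = r["offset"], r["depth"]
    region = pkt["payload"][off:off + depth] if depth else pkt["payload"][off:]
    idx = region.find(r["content"])
    res = {"proto": r["proto"] == pkt["proto"],
           "src_port": port_matches(r["src_ports"], pkt["src_port"]),
           "dst_port": port_matches(r["dst_ports"], pkt["dst_port"]),
           "flags": flags_match(r["flags"], pkt["flags"]),
           "content": idx != -1,
           "content_at": off + idx if idx != -1 else -1}
    res["alert"] = all(v for k, v in res.items() if k != "content_at")
    return res


if __name__ == "__main__":
    for name, value in evaluate(RULE, PACKET).items():
        print(f"{name:>10}: {value}")
```

Run stand-alone it prints one line per test; every header test and the content test come back true for the quoted packet, with the 12-byte sequence found at payload byte 351, which is why Snort raised the alert. The practical caveat the packet illustrates: a header written for a high port range (`32770:`) matches any inbound data whose destination happens to be a client's ephemeral port, so server-to-client traffic such as this port 80 response is in scope for the rule whenever the client's source port lands in that range. The model does not attempt stream reassembly or the other option keywords Snort supports; it is only meant to make the port-range and offset semantics concrete.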


-------------------------------------------------------
In remembrance
www.osdn.com/911/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

