Snort mailing list archives
Re: Snort rule triggered an alert, but why?
From: Chris Green <cmg () sourcefire com>
Date: Thu, 05 Dec 2002 11:26:48 -0500
C.Prickaerts () UB unimaas nl writes:
Hi group, I'm doing some Snort analysis and found a packet that triggered a rule, but can't find out why:
This looks like a bug with double alerting after a successful attack which was fixed in 1.9 CVS a bit ago. Soon, 1.9.1 should be coming out but feel free to upgrade to the head of the SNORT_1_9 branch.

Cheers,
Chris
The rule:

alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 inc ebx NOOP"; content:"|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|"; classtype:shellcode-detect; sid:1390; rev:3;)

The Alert:

[**] SHELLCODE x86 inc ebx NOOP [**]
12/05-09:12:11.101861 attacker:80 -> myhost:29090
TCP TTL:51 TOS:0x0 ID:62013 IpLen:20 DgmLen:1491 DF
***AP*** Seq: 0x370C8E71 Ack: 0x171E3 Win: 0x422E TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The Packet:

09:12:11.101861 attacker.80 > myhost.29090: P 81915:83366(1451) ack 4487 win 16942 (DF) (ttl 51, id 62013, len 1491)
0x0000 4500 05d3 f23d 4000 3306 f981 cf2e 1c64 E....=@.3......d
0x0010 8978 e15a 0050 71a2 370c 8e71 0001 71e3 .x.Z.Pq.7..q..q.
0x0020 5018 422e 5efd 0000 4854 5450 2f31 2e31 P.B.^...HTTP/1.1
0x0030 2032 3030 204f 4b0d 0a53 6572 7665 723a .200.OK..Server:
0x0040 204d 6963 726f 736f 6674 2d49 4953 2f35 .Microsoft-IIS/5
0x0050 2e30 .0

And a few minutes later:

[**] SHELLCODE x86 inc ebx NOOP [**]
12/05-09:17:00.251861 attacker:80 -> myhost:29185
TCP TTL:51 TOS:0x0 ID:17396 IpLen:20 DgmLen:1491 DF
***AP*** Seq: 0x6F3476D4 Ack: 0x5F67A Win: 0x41E0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The packet:

09:17:00.251861 attacker.80 > myhost.29185: P 1:1452(1451) ack 657 win 16864 (DF) (ttl 51, id 17396, len 1491)
0x0000 4500 05d3 43f4 4000 3306 a7cb cf2e 1c64 E...C.@.3......d
0x0010 8978 e15a 0050 7201 6f34 76d4 0005 f67a .x.Z.Pr.o4v....z
0x0020 5018 41e0 b7c1 0000 4854 5450 2f31 2e31 P.A.....HTTP/1.1
0x0030 2032 3030 204f 4b0d 0a53 6572 7665 723a .200.OK..Server:
0x0040 204d 6963 726f 736f 6674 2d49 4953 2f35 .Microsoft-IIS/5
0x0050 2e30 .0

This traffic is part of ongoing HTTP traffic. The only thing I can see is that the packets look very similar. Question is, why did snort call the Alert? What am I overlooking?
Greets,
Chris

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Chris Green <cmg () sourcefire com>
"Not everyone holds these truths to be self-evident, so we've worked up a proof of them as Appendix A." -- Paul Prescod
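As an added triage example (not code from the thread or from Snort), the script below rebuilds the first packet from the hex dump in the post, strips the IP and TCP headers using their own length fields, and runs the sid:1390 content check over the bytes that are actually visible. The rule content and dump are copied from the post; the 24-byte run of 0x43 appended in the main block is a constructed tail used only to show what a genuine hit looks like.

```python
import re

# Rule content (sid:1390) and the first packet's hex dump, both copied from the post.
RULE_CONTENT = "|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|"
DUMP = """
0x0000 4500 05d3 f23d 4000 3306 f981 cf2e 1c64 E....=@.3......d
0x0010 8978 e15a 0050 71a2 370c 8e71 0001 71e3 .x.Z.Pq.7..q..q.
0x0020 5018 422e 5efd 0000 4854 5450 2f31 2e31 P.B.^...HTTP/1.1
0x0030 2032 3030 204f 4b0d 0a53 6572 7665 723a .200.OK..Server:
0x0040 204d 6963 726f 736f 6674 2d49 4953 2f35 .Microsoft-IIS/5
0x0050 2e30 .0
"""
DECLARED_PAYLOAD_LEN = 1451  # from "P 81915:83366(1451)" in the post

def parse_content(rule_content):
    """Decode a Snort content string: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(rule_content.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def parse_hexdump(dump):
    """Rebuild packet bytes from '0xNNNN hhhh hhhh ... <ascii>' lines.
    Assumes at most 16 bytes (8 groups) per line, as in the tcpdump/Snort output above."""
    data = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:9]:      # skip the offset column, take up to 8 groups
            if not re.fullmatch(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?", tok):
                break                      # first non-hex token is the ASCII column
            data += bytes.fromhex(tok)
    return bytes(data)

def tcp_payload(pkt):
    """Strip the IPv4 and TCP headers using their own length fields."""
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + doff:]

def check_alert(rule_content, dump):
    """Return (match_offset, visible_payload_bytes); -1 on a short payload means 'truncated', not 'false positive'."""
    payload = tcp_payload(parse_hexdump(dump))
    return payload.find(parse_content(rule_content)), len(payload)

if __name__ == "__main__":
    off, seen = check_alert(RULE_CONTENT, DUMP)
    print(f"visible payload: {seen} of {DECLARED_PAYLOAD_LEN} bytes, match offset: {off}")
    # Constructed (not from the post): append a 24-byte inc-ebx sled to show a real hit.
    sled = tcp_payload(parse_hexdump(DUMP)) + parse_content(RULE_CONTENT)
    print("constructed hit at offset", sled.find(parse_content(RULE_CONTENT)))
```

Only 42 of the 1451 payload bytes appear in the posted dump, so the dump alone can neither confirm nor refute the match; a full binary capture of the packet is needed to see whether the 0x43 run is really there.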
Current thread:
- Snort rule triggered an alert, but why? C . Prickaerts (Dec 05)
- Re: Snort rule triggered an alert, but why? Chris Green (Dec 05)
- <Possible follow-ups>
- RE: Snort rule triggered an alert, but why? C . Prickaerts (Dec 05)
- Re: Snort rule triggered an alert, but why? Chris Green (Dec 05)
- RE: Snort rule triggered an alert, but why? C . Prickaerts (Dec 06)
- RE: Snort rule triggered an alert, but why? C . Prickaerts (Dec 08)