Snort mailing list archives

Experimenting with TAG, question


From: Rich Adamson <radamson () routers com>
Date: Sun, 13 Oct 2002 20:23:04 -0600

I've been experimenting with the TAG option as shown in the following rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 
request, OpenSSL worm probe"; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; tag:host,4,packets,src;  
offset:0; depth:18; classtype:web-application-activity; sid:1881; rev:1;)

The log entries below are the first that I've had that appear to be the
result of the tag option. It would appear the above rule logged the second 
entry in the log file entries shown below, but not sure if the TAG option 
actually created the next three packets (3rd, 4th, & 5th). 

Can anyone comment?


<< Log entry for port 80 associated with above rule >>

10/13-06:11:15.757162 0:5:5E:2E:27:8D -> 0:A0:CC:5D:91:E0 type:0x800 len:0x42
218.63.92.11:4876 -> a.b.c.d:80 TCP TTL:47 TOS:0x0 ID:56140 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x414F0097  Ack: 0x356DFE1A  Win: 0x16B0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 45669448 681081338 
0x0000: 00 A0 CC 5D 91 E0 00 05 5E 2E 27 8D 08 00 45 00  ...]....^.'...E.
0x0010: 00 34 DB 4C 40 00 2F 06 AA 04 DA 3F 5C 0B CE DE  .4.L@./....?\...
0x0020: C1 49 13 0C 00 50 41 4F 00 97 35 6D FE 1A 80 10  .I...PAO..5m....
0x0030: 16 B0 8F 3C 00 00 01 01 08 0A 02 B8 DC 48 28 98  ...<.........H(.
0x0040: 79 FA                                            y.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potentual worm attack [**]
10/13-06:11:15.764518 0:5:5E:2E:27:8D -> 0:A0:CC:5D:91:E0 type:0x800 len:0x54
218.63.92.11:4876 -> a.b.c.d:80 TCP TTL:47 TOS:0x0 ID:56141 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x414F0097  Ack: 0x356DFE1A  Win: 0x16B0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 45669448 681081338 
0x0000: 00 A0 CC 5D 91 E0 00 05 5E 2E 27 8D 08 00 45 00  ...]....^.'...E.
0x0010: 00 46 DB 4D 40 00 2F 06 A9 F1 DA 3F 5C 0B CE DE  .F.M@./....?\...
0x0020: C1 49 13 0C 00 50 41 4F 00 97 35 6D FE 1A 80 18  .I...PAO..5m....
0x0030: 16 B0 B0 81 00 00 01 01 08 0A 02 B8 DC 48 28 98  .............H(.
0x0040: 79 FA 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31  y.GET / HTTP/1.1
0x0050: 0D 0A 0D 0A                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-06:11:15.764737 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x42
a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10377 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x356DFE1A  Ack: 0x414F00A9  Win: 0x7EDC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 681081442 45669448 
0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00  ..^.'....]....E.
0x0010: 00 34 28 89 40 00 40 06 4B C8 CE DE C1 49 DA 3F  .4(.@.@.K....I.?
0x0020: 5C 0B 00 50 13 0C 35 6D FE 1A 41 4F 00 A9 80 10  \..P..5m..AO....
0x0030: 7E DC 26 96 00 00 01 01 08 0A 28 98 7A 62 02 B8  ~.&.......(.zb..
0x0040: DC 48                                            .H

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-06:11:15.766141 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x29D
a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10378 IpLen:20 DgmLen:655 DF
***AP*** Seq: 0x356DFE1A  Ack: 0x414F00A9  Win: 0x7EDC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 681081442 45669448 
0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00  ..^.'....]....E.
0x0010: 02 8F 28 8A 40 00 40 06 49 6C CE DE C1 49 DA 3F  ..(.@.@.Il...I.?
0x0020: 5C 0B 00 50 13 0C 35 6D FE 1A 41 4F 00 A9 80 18  \..P..5m..AO....
0x0030: 7E DC 49 26 00 00 01 01 08 0A 28 98 7A 62 02 B8  ~.I&......(.zb..
0x0040: DC 48 48 54 54 50 2F 31 2E 31 20 34 30 30 20 42  .HHTTP/1.1 400 B
0x0050: 61 64 20 52 65 71 75 65 73 74 0D 0A 44 61 74 65  ad Request..Date
0x0060: 3A 20 53 75 6E 2C 20 31 33 20 4F 63 74 20 32 30  : Sun, 13 Oct 20
0x0070: 30 32 20 31 31 3A 31 32 3A 32 37 20 47 4D 54 0D  02 11:12:27 GMT.
0x0080: 0A 53 65 72 76 65 72 3A 20 41 70 61 63 68 65 2F  .Server: Apache/
0x0090: 31 2E 33 2E 31 34 20 28 55 6E 69 78 29 20 20 28  1.3.14 (Unix)  (
0x00A0: 52 65 64 2D 48 61 74 2F 4C 69 6E 75 78 29 20 50  Red-Hat/Linux) P
0x00B0: 48 50 2F 33 2E 30 2E 31 37 20 6D 6F 64 5F 70 65  HP/3.0.17 mod_pe
0x00C0: 72 6C 2F 31 2E 32 33 0D 0A 43 6F 6E 6E 65 63 74  rl/1.23..Connect
0x00D0: 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 54 72 61 6E  ion: close..Tran
0x00E0: 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20 63  sfer-Encoding: c
0x00F0: 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E 74 2D  hunked..Content-
0x0100: 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 3B  Type: text/html;
0x0110: 20 63 68 61 72 73 65 74 3D 69 73 6F 2D 38 38 35   charset=iso-885
0x0120: 39 2D 31 0D 0A 0D 0A 31 36 61 0D 0A 3C 21 44 4F  9-1....16a..<!DO
0x0130: 43 54 59 50 45 20 48 54 4D 4C 20 50 55 42 4C 49  CTYPE HTML PUBLI
0x0140: 43 20 22 2D 2F 2F 49 45 54 46 2F 2F 44 54 44 20  C "-//IETF//DTD 
0x0150: 48 54 4D 4C 20 32 2E 30 2F 2F 45 4E 22 3E 0A 3C  HTML 2.0//EN">.<
0x0160: 48 54 4D 4C 3E 3C 48 45 41 44 3E 0A 3C 54 49 54  HTML><HEAD>.<TIT
0x0170: 4C 45 3E 34 30 30 20 42 61 64 20 52 65 71 75 65  LE>400 Bad Reque
0x0180: 73 74 3C 2F 54 49 54 4C 45 3E 0A 3C 2F 48 45 41  st</TITLE>.</HEA
0x0190: 44 3E 3C 42 4F 44 59 3E 0A 3C 48 31 3E 42 61 64  D><BODY>.<H1>Bad
0x01A0: 20 52 65 71 75 65 73 74 3C 2F 48 31 3E 0A 59 6F   Request</H1>.Yo
0x01B0: 75 72 20 62 72 6F 77 73 65 72 20 73 65 6E 74 20  ur browser sent 
0x01C0: 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74  a request that t
0x01D0: 68 69 73 20 73 65 72 76 65 72 20 63 6F 75 6C 64  his server could
0x01E0: 20 6E 6F 74 20 75 6E 64 65 72 73 74 61 6E 64 2E   not understand.
0x01F0: 3C 50 3E 0A 63 6C 69 65 6E 74 20 73 65 6E 74 20  <P>.client sent 
0x0200: 48 54 54 50 2F 31 2E 31 20 72 65 71 75 65 73 74  HTTP/1.1 request
0x0210: 20 77 69 74 68 6F 75 74 20 68 6F 73 74 6E 61 6D   without hostnam
0x0220: 65 20 28 73 65 65 20 52 46 43 32 30 36 38 20 73  e (see RFC2068 s
0x0230: 65 63 74 69 6F 6E 20 39 2C 20 61 6E 64 20 31 34  ection 9, and 14
0x0240: 2E 32 33 29 3A 20 2F 3C 50 3E 0A 3C 48 52 3E 0A  .23): /<P>.<HR>.
0x0250: 3C 41 44 44 52 45 53 53 3E 41 70 61 63 68 65 2F  <ADDRESS>Apache/
0x0260: 31 2E 33 2E 31 34 20 53 65 72 76 65 72 20 61 74  1.3.14 Server at
0x0270: 20 77 77 77 20 50 6F 72 74 20 38 30 3C 2F 41 44   www Port 80</AD
0x0280: 44 52 45 53 53 3E 0A 3C 2F 42 4F 44 59 3E 3C 2F  DRESS>.</BODY></
0x0290: 48 54 4D 4C 3E 0A 0D 0A 30 0D 0A 0D 0A           HTML>...0....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-06:11:15.769260 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x42
a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10381 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x356E0075  Ack: 0x414F00A9  Win: 0x7EDC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 681081443 45669448 
0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00  ..^.'....]....E.
0x0010: 00 34 28 8D 40 00 40 06 4B C4 CE DE C1 49 DA 3F  .4(.@.@.K....I.?
0x0020: 5C 0B 00 50 13 0C 35 6E 00 75 41 4F 00 A9 80 11  \..P..5n.uAO....
0x0030: 7E DC 24 39 00 00 01 01 08 0A 28 98 7A 63 02 B8  ~.$9......(.zc..
0x0040: DC 48                                            .H

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


Current thread: