Snort mailing list archives
Re: Experimenting with TAG, question
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 14 Oct 2002 09:31:44 -0400
Looks like the tag rule captured those packets due to the 2nd packet setting the tag.
-Marty

On Sunday, October 13, 2002, at 10:23 PM, Rich Adamson wrote:
I've been experimenting with the TAG option as shown in the following rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, OpenSSL worm probe"; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; tag:host,4,packets,src; offset:0; depth:18; classtype:web-application-activity; sid:1881; rev:1;)

The log entries below are the first that I've had that appear to be the result of the tag option. It would appear the above rule logged the second entry in the log file entries shown below, but not sure if the TAG option actually created the next three packets (3rd, 4th, & 5th). Can anyone comment?

<< Log entry for port 80 associated with above rule >>

10/13-06:11:15.757162 0:5:5E:2E:27:8D -> 0:A0:CC:5D:91:E0 type:0x800 len:0x42
218.63.92.11:4876 -> a.b.c.d:80 TCP TTL:47 TOS:0x0 ID:56140 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x414F0097 Ack: 0x356DFE1A Win: 0x16B0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 45669448 681081338
0x0000: 00 A0 CC 5D 91 E0 00 05 5E 2E 27 8D 08 00 45 00 ...]....^.'...E.
0x0010: 00 34 DB 4C 40 00 2F 06 AA 04 DA 3F 5C 0B CE DE .4.L@./....?\...
0x0020: C1 49 13 0C 00 50 41 4F 00 97 35 6D FE 1A 80 10 .I...PAO..5m....
0x0030: 16 B0 8F 3C 00 00 01 01 08 0A 02 B8 DC 48 28 98 ...<.........H(.
0x0040: 79 FA y.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potentual worm attack [**]
10/13-06:11:15.764518 0:5:5E:2E:27:8D -> 0:A0:CC:5D:91:E0 type:0x800 len:0x54
218.63.92.11:4876 -> a.b.c.d:80 TCP TTL:47 TOS:0x0 ID:56141 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x414F0097 Ack: 0x356DFE1A Win: 0x16B0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 45669448 681081338
0x0000: 00 A0 CC 5D 91 E0 00 05 5E 2E 27 8D 08 00 45 00 ...]....^.'...E.
0x0010: 00 46 DB 4D 40 00 2F 06 A9 F1 DA 3F 5C 0B CE DE .F.M@./....?\...
0x0020: C1 49 13 0C 00 50 41 4F 00 97 35 6D FE 1A 80 18 .I...PAO..5m....
0x0030: 16 B0 B0 81 00 00 01 01 08 0A 02 B8 DC 48 28 98 .............H(.
0x0040: 79 FA 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 y.GET / HTTP/1.1
0x0050: 0D 0A 0D 0A ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-06:11:15.764737 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x42
a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10377 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x356DFE1A Ack: 0x414F00A9 Win: 0x7EDC TcpLen: 32
TCP Options (3) => NOP NOP TS: 681081442 45669448
0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00 ..^.'....]....E.
0x0010: 00 34 28 89 40 00 40 06 4B C8 CE DE C1 49 DA 3F .4(.@.@.K....I.?
0x0020: 5C 0B 00 50 13 0C 35 6D FE 1A 41 4F 00 A9 80 10 \..P..5m..AO....
0x0030: 7E DC 26 96 00 00 01 01 08 0A 28 98 7A 62 02 B8 ~.&.......(.zb..
0x0040: DC 48 .H
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-06:11:15.766141 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x29D
a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10378 IpLen:20 DgmLen:655 DF
***AP*** Seq: 0x356DFE1A Ack: 0x414F00A9 Win: 0x7EDC TcpLen: 32
TCP Options (3) => NOP NOP TS: 681081442 45669448
0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00 ..^.'....]....E.
0x0010: 02 8F 28 8A 40 00 40 06 49 6C CE DE C1 49 DA 3F ..(.@.@.Il...I.?
0x0020: 5C 0B 00 50 13 0C 35 6D FE 1A 41 4F 00 A9 80 18 \..P..5m..AO....
0x0030: 7E DC 49 26 00 00 01 01 08 0A 28 98 7A 62 02 B8 ~.I&......(.zb..
0x0040: DC 48 48 54 54 50 2F 31 2E 31 20 34 30 30 20 42 .HHTTP/1.1 400 B
0x0050: 61 64 20 52 65 71 75 65 73 74 0D 0A 44 61 74 65 ad Request..Date
0x0060: 3A 20 53 75 6E 2C 20 31 33 20 4F 63 74 20 32 30 : Sun, 13 Oct 20
0x0070: 30 32 20 31 31 3A 31 32 3A 32 37 20 47 4D 54 0D 02 11:12:27 GMT.
0x0080: 0A 53 65 72 76 65 72 3A 20 41 70 61 63 68 65 2F .Server: Apache/
0x0090: 31 2E 33 2E 31 34 20 28 55 6E 69 78 29 20 20 28 1.3.14 (Unix)  (
0x00A0: 52 65 64 2D 48 61 74 2F 4C 69 6E 75 78 29 20 50 Red-Hat/Linux) P
0x00B0: 48 50 2F 33 2E 30 2E 31 37 20 6D 6F 64 5F 70 65 HP/3.0.17 mod_pe
0x00C0: 72 6C 2F 31 2E 32 33 0D 0A 43 6F 6E 6E 65 63 74 rl/1.23..Connect
0x00D0: 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 54 72 61 6E ion: close..Tran
0x00E0: 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20 63 sfer-Encoding: c
0x00F0: 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E 74 2D hunked..Content-
0x0100: 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 3B Type: text/html;
0x0110: 20 63 68 61 72 73 65 74 3D 69 73 6F 2D 38 38 35  charset=iso-885
0x0120: 39 2D 31 0D 0A 0D 0A 31 36 61 0D 0A 3C 21 44 4F 9-1....16a..<!DO
0x0130: 43 54 59 50 45 20 48 54 4D 4C 20 50 55 42 4C 49 CTYPE HTML PUBLI
0x0140: 43 20 22 2D 2F 2F 49 45 54 46 2F 2F 44 54 44 20 C "-//IETF//DTD
0x0150: 48 54 4D 4C 20 32 2E 30 2F 2F 45 4E 22 3E 0A 3C HTML 2.0//EN">.<
0x0160: 48 54 4D 4C 3E 3C 48 45 41 44 3E 0A 3C 54 49 54 HTML><HEAD>.<TIT
0x0170: 4C 45 3E 34 30 30 20 42 61 64 20 52 65 71 75 65 LE>400 Bad Reque
0x0180: 73 74 3C 2F 54 49 54 4C 45 3E 0A 3C 2F 48 45 41 st</TITLE>.</HEA
0x0190: 44 3E 3C 42 4F 44 59 3E 0A 3C 48 31 3E 42 61 64 D><BODY>.<H1>Bad
0x01A0: 20 52 65 71 75 65 73 74 3C 2F 48 31 3E 0A 59 6F  Request</H1>.Yo
0x01B0: 75 72 20 62 72 6F 77 73 65 72 20 73 65 6E 74 20 ur browser sent
0x01C0: 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 a request that t
0x01D0: 68 69 73 20 73 65 72 76 65 72 20 63 6F 75 6C 64 his server could
0x01E0: 20 6E 6F 74 20 75 6E 64 65 72 73 74 61 6E 64 2E  not understand.
0x01F0: 3C 50 3E 0A 63 6C 69 65 6E 74 20 73 65 6E 74 20 <P>.client sent
0x0200: 48 54 54 50 2F 31 2E 31 20 72 65 71 75 65 73 74 HTTP/1.1 request
0x0210: 20 77 69 74 68 6F 75 74 20 68 6F 73 74 6E 61 6D  without hostnam
0x0220: 65 20 28 73 65 65 20 52 46 43 32 30 36 38 20 73 e (see RFC2068 s
0x0230: 65 63 74 69 6F 6E 20 39 2C 20 61 6E 64 20 31 34 ection 9, and 14
0x0240: 2E 32 33 29 3A 20 2F 3C 50 3E 0A 3C 48 52 3E 0A .23): /<P>.<HR>.
0x0250: 3C 41 44 44 52 45 53 53 3E 41 70 61 63 68 65 2F <ADDRESS>Apache/
0x0260: 31 2E 33 2E 31 34 20 53 65 72 76 65 72 20 61 74 1.3.14 Server at
0x0270: 20 77 77 77 20 50 6F 72 74 20 38 30 3C 2F 41 44  www Port 80</AD
0x0280: 44 52 45 53 53 3E 0A 3C 2F 42 4F 44 59 3E 3C 2F DRESS>.</BODY></
0x0290: 48 54 4D 4C 3E 0A 0D 0A 30 0D 0A 0D 0A HTML>...0....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-06:11:15.769260 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x42
a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10381 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x356E0075 Ack: 0x414F00A9 Win: 0x7EDC TcpLen: 32
TCP Options (3) => NOP NOP TS: 681081443 45669448
0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00 ..^.'....]....E.
0x0010: 00 34 28 8D 40 00 40 06 4B C4 CE DE C1 49 DA 3F .4(.@.@.K....I.?
0x0020: 5C 0B 00 50 13 0C 35 6E 00 75 41 4F 00 A9 80 11 \..P..5n.uAO....
0x0030: 7E DC 24 39 00 00 01 01 08 0A 28 98 7A 63 02 B8 ~.$9......(.zc..
0x0040: DC 48 .H
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
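Added example, not Snort's code and not from either poster: a small Python model of what tag:host,4,packets,src does to the five packets in the thread, using headers copied from the log (a.b.c.d stays as the poster's placeholder for the server). It assumes the alerting packet itself counts toward the packet limit, which the four logged entries (alert plus three) suggest but the thread does not state; the sixth packet is constructed to show the tag running out.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal header view of one log entry (constructed from the thread)."""
    ip_id: int
    src: str
    dst: str
    flags: str
    payload: bytes = b""


# Headers taken from the five log entries; the last packet is constructed
# here (a client FIN/ACK that the poster's log does not show).
PACKETS = [
    Packet(56140, "218.63.92.11", "a.b.c.d", "A"),
    Packet(56141, "218.63.92.11", "a.b.c.d", "AP", b"GET / HTTP/1.1\r\n\r\n"),
    Packet(10377, "a.b.c.d", "218.63.92.11", "A"),
    Packet(10378, "a.b.c.d", "218.63.92.11", "AP", b"HTTP/1.1 400 Bad Request\r\n"),
    Packet(10381, "a.b.c.d", "218.63.92.11", "AF"),
    Packet(56142, "218.63.92.11", "a.b.c.d", "AF"),  # constructed, not in the log
]

# content:"GET / HTTP/1.1|0d 0a 0d 0a|"; offset:0; depth:18 from the rule
PATTERN = b"GET / HTTP/1.1\r\n\r\n"


def rule_matches(pkt: Packet) -> bool:
    """Emulate the rule's content check: pattern within the first 18 payload bytes."""
    return PATTERN in pkt.payload[0:18]


def simulate_tag(packets, count=4):
    """Model tag:host,<count>,packets,src and return (ip_id, reason) for each
    packet that would be logged.  Assumption: the alerting packet is counted
    toward <count>, so count=4 yields the alert plus three tagged packets."""
    logged = []
    tagged_host = None  # source IP of the packet that raised the alert
    remaining = 0       # tagged packets still to capture
    for pkt in packets:
        if tagged_host is None and rule_matches(pkt):
            tagged_host = pkt.src
            remaining = count - 1
            logged.append((pkt.ip_id, "alert"))
        elif tagged_host is not None and remaining > 0 \
                and tagged_host in (pkt.src, pkt.dst):
            # host tagging captures packets to or from the tagged address
            logged.append((pkt.ip_id, "tagged"))
            remaining -= 1
    return logged


if __name__ == "__main__":
    for ip_id, why in simulate_tag(PACKETS):
        print(f"ID:{ip_id} logged ({why})")
```

Packet ID 56140 arrives before the tag exists and the constructed FIN/ACK arrives after the four-packet budget is spent, so neither is captured by tagging.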