Snort mailing list archives
Re: Curious "Tagged Packet" alerts in ACID
From: Frank Knobbe <frank () knobbe us>
Date: Sat, 01 Jan 2005 18:06:45 -0600
On Fri, 2004-12-31 at 20:44 -0500, Jeff Kell wrote:
I am getting a rather high (top 5) number of alerts showing up in ACID displaying as simply "Tagged Packet" and having an sid=1, e.g.:
Heya Jeff, as others have already explained the cause/concept of tagged packets, all I can add is the rule that created all this.

bleeding-attack-responses.rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"IRC - Private message on non-std port"; content:"PRIVMSG "; nocase; offset:0; depth:8; dsize:<128; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000347; rev:3;)

I get those routinely, and depending on the client's needs/policies either inform them or monitor the traffic for a while.

IRC communication on non-standard IRC ports typically occurs through use of web-based/java-based chat clients that use IRC on the back-end. Some sites have IRC servers running on non-standard ports to avoid detection/use of normal IRC clients (the java piece is hard coded to use that custom port). Another reason is that they attempt to bypass firewall restrictions. I see a lot of web-based IRC chat traffic on port 443.... not for https, but just plain-text IRC traffic on port 443 since that is open without a proxy on a lot of firewalls.

Hope that helps. Happy New Year!

Frank

PS: Correlation of the tagged packets is an exercise left to the front-end operator, but can usually be done by matching IP src/dst and ports. There are other, more convenient ways to retrieve this session data, but most (perhaps with exception of sguil) rely on custom alert/log forward methods (which is what I use).
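The following is an added example and is not code from Frank's post or from the Bleeding ruleset. It does two things the message describes: it mirrors the match conditions of the quoted rule (content "PRIVMSG " at offset 0 / depth 8, nocase, dsize:<128, destination port outside 6661-6668) so you can check why a given payload fires, and it performs the correlation Frank leaves to the operator, tying "Tagged Packet" entries back to the alert that started the tag by matching IP src/dst and ports in either direction. The log lines are constructed in Snort's "fast" alert format; that Snort logs tagged packets under generator 2, sid 1 is an assumption (the original question only mentions sid=1), as is the HOME_NET prefix. The flow:to_server,established test depends on stream state and is not modelled.

```python
"""Added example: emulate the PRIVMSG-on-non-std-port rule and correlate
"Tagged Packet" log entries to the alert that started the tag."""
import re
from collections import defaultdict

STD_IRC_PORTS = range(6661, 6669)   # rule: !6661:6668 (inclusive range)


def matches_privmsg_rule(payload: bytes, dst_port: int) -> bool:
    """Mirror the rule's port, dsize and content/offset/depth/nocase tests.
    flow:to_server,established (stream state) is not modelled here."""
    if dst_port in STD_IRC_PORTS:          # !6661:6668
        return False
    if len(payload) >= 128:                # dsize:<128
        return False
    window = payload[0:8]                  # offset:0; depth:8
    return window.upper() == b"PRIVMSG "   # content:"PRIVMSG "; nocase


# Snort "fast" alert format: ts [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast(line: str):
    """Return a dict of alert fields, or None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        a[k] = int(a[k])
    return a


def session_key(a: dict) -> frozenset:
    """Direction-independent 4-tuple, so client->server and server->client
    packets of one session map to the same key."""
    return frozenset({(a["src"], a["sport"]), (a["dst"], a["dport"])})


def correlate(lines):
    """Group Tagged Packet entries under the (first) non-tag alert that shares
    their src/dst IPs and ports. Tagged packets whose trigger is not in the
    window are reported as orphans rather than silently dropped."""
    triggers = {}                  # session key -> triggering alert (insertion ordered)
    tagged = defaultdict(list)     # session key -> tagged packet entries
    for line in lines:
        a = parse_fast(line)
        if a is None:
            continue
        key = session_key(a)
        if a["msg"] == "Tagged Packet":
            tagged[key].append(a)
        else:
            triggers.setdefault(key, a)
    sessions = [(trig, tagged.pop(key, [])) for key, trig in triggers.items()]
    orphans = [t for rest in tagged.values() for t in rest]
    return {"sessions": sessions, "orphans": orphans}


# Constructed sample log (not real traffic). Assumes 10.1.2.0/24 is HOME_NET and
# that tagged packets are logged as [2:1:0] Tagged Packet.
SAMPLE_LOG = [
    "01/01-18:06:45.123456  [**] [1:2000347:3] IRC - Private message on non-std port [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.50:40211 -> 192.0.2.7:443",
    "01/01-18:06:45.234567  [**] [2:1:0] Tagged Packet [**] [Priority: 0] {TCP} 192.0.2.7:443 -> 10.1.2.50:40211",
    "01/01-18:06:46.001122  [**] [2:1:0] Tagged Packet [**] [Priority: 0] {TCP} 10.1.2.50:40211 -> 192.0.2.7:443",
    "01/01-18:07:02.445566  [**] [1:2000347:3] IRC - Private message on non-std port [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.51:51000 -> 198.51.100.9:8080",
    "01/01-18:07:02.556677  [**] [2:1:0] Tagged Packet [**] [Priority: 0] {TCP} 198.51.100.9:8080 -> 10.1.2.51:51000",
    # trigger for this one was logged before the window being examined
    "01/01-18:07:10.778899  [**] [2:1:0] Tagged Packet [**] [Priority: 0] {TCP} 10.1.2.60:33000 -> 203.0.113.4:7000",
]

if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for trig, pkts in result["sessions"]:
        print(f"[{trig['gid']}:{trig['sid']}] {trig['src']}:{trig['sport']} -> "
              f"{trig['dst']}:{trig['dport']}  tagged packets: {len(pkts)}")
    print(f"orphan tagged packets: {len(result['orphans'])}")
```

Keying on the unordered pair of (IP, port) endpoints is what makes the server-to-client tagged packets land on the same session as the client-to-server alert; keying on the ordered src/dst fields would split each session in two. The orphan list is worth keeping in a real front end: a tag:session of 300 seconds can outlive the log window you are looking at, and those entries are exactly the ones that show up in ACID as unexplained "Tagged Packet" rows.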
Current thread:
- Curious "Tagged Packet" alerts in ACID Jeff Kell (Dec 31)
- RE: Curious "Tagged Packet" alerts in ACID Joe Patterson (Dec 31)
- RE: Curious "Tagged Packet" alerts in ACID Eric Hines (Jan 01)
- Re: Curious "Tagged Packet" alerts in ACID Frank Knobbe (Jan 01)