Snort mailing list archives

Re: Curious "Tagged Packet" alerts in ACID


From: Frank Knobbe <frank () knobbe us>
Date: Sat, 01 Jan 2005 18:06:45 -0600

On Fri, 2004-12-31 at 20:44 -0500, Jeff Kell wrote:
> I am getting a rather high (top 5) number of alerts showing up in ACID 
> displaying as simply "Tagged Packet" and having an sid=1, e.g.:

Heya Jeff,

as others have already explained the cause/concept of tagged packets,
all I can add is the rule that created all this.

bleeding-attack-responses.rules:alert tcp $HOME_NET any ->
$EXTERNAL_NET !6661:6668 (msg:"IRC - Private message on non-std port";
content:"PRIVMSG "; nocase; offset:0; depth:8; dsize:<128;
flow:to_server,established; tag:session,300,seconds;
classtype:trojan-activity; sid:2000347; rev:3;)

I get those routinely, and depending on the client's needs/policies
either inform them or monitor the traffic for a while. IRC communication
on non-standard IRC ports typically occurs through use of
web-based/java-based chat clients that use IRC on the back-end. Some
sites have IRC servers running on non-standard ports to avoid
detection/use of normal IRC clients (the java piece is hard-coded to use
that custom port). Another reason is that they attempt to bypass
firewall restrictions. I see a lot of web-based IRC chat traffic on port
443... not for https, but just plain-text IRC traffic on port 443 since
that is open without a proxy on a lot of firewalls.

Hope that helps. Happy New Year!
Frank


PS: Correlation of the tagged packets is an exercise left to the
front-end operator, but can usually be done by matching IP src/dst and
ports. There are other, more convenient ways to retrieve this session
data, but most (perhaps with the exception of sguil) rely on custom
alert/log forward methods (which is what I use).
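As an added illustration of the correlation described in the PS (example code, not from the thread, Snort or ACID): each sid=1 "Tagged Packet" event is matched back to the sid 2000347 alert that started the tag by comparing the IP/port pair in either direction and requiring the packet to fall inside the rule's 300-second tag window. The event records are constructed and only mimic the columns ACID displays; their layout is an assumption.

```python
# Correlate Snort "Tagged Packet" events (sid=1) with the alert that
# triggered tag:session,300,seconds. Record layout is a constructed
# stand-in for what ACID displays, not a real Snort output format.
from datetime import datetime, timedelta

# Constructed sample events: sig id, timestamp and the 4-tuple
EVENTS = [
    {"sid": 2000347, "ts": "2005-01-01 18:00:00", "src": "10.0.0.5", "sport": 3456, "dst": "203.0.113.9", "dport": 443},
    {"sid": 1, "ts": "2005-01-01 18:00:01", "src": "203.0.113.9", "sport": 443, "dst": "10.0.0.5", "dport": 3456},
    {"sid": 1, "ts": "2005-01-01 18:01:30", "src": "10.0.0.5", "sport": 3456, "dst": "203.0.113.9", "dport": 443},
    {"sid": 1, "ts": "2005-01-01 18:07:00", "src": "10.0.0.5", "sport": 3456, "dst": "203.0.113.9", "dport": 443},  # past the 300 s window
    {"sid": 1, "ts": "2005-01-01 18:00:05", "src": "10.0.0.7", "sport": 40000, "dst": "198.51.100.2", "dport": 6667},  # no parent alert
]

def session_key(ev):
    """Direction-independent (ip, port) pair so both halves of a session match."""
    a = (ev["src"], ev["sport"])
    b = (ev["dst"], ev["dport"])
    return tuple(sorted([a, b]))

def correlate(events, window_seconds=300):
    """Map each sid=1 event index to the index of its parent alert, or None.

    The parent is the latest non-tag alert on the same session whose time is
    at or before the tagged packet and no more than window_seconds earlier.
    """
    parsed = [dict(e, t=datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")) for e in events]
    parents = {}  # session_key -> [(time, index)] of triggering alerts, time-ordered
    for idx, ev in sorted(enumerate(parsed), key=lambda p: p[1]["t"]):
        if ev["sid"] != 1:
            parents.setdefault(session_key(ev), []).append((ev["t"], idx))
    window = timedelta(seconds=window_seconds)
    result = {}
    for idx, ev in enumerate(parsed):
        if ev["sid"] != 1:
            continue
        match = None
        for t, pidx in parents.get(session_key(ev), []):
            if t <= ev["t"] <= t + window:
                match = pidx  # a later trigger on the same session wins
        result[idx] = match
    return result

if __name__ == "__main__":
    for tagged, parent in correlate(EVENTS).items():
        print("tagged packet", tagged, "-> parent alert", parent)
```

Tagged packets left with no parent (the session was never alerted on, or the packet arrived after the window) are the ones worth a second look, since ACID shows them without any originating signature.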
