Snort mailing list archives
odd problems with 2.3rc2
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Thu, 06 Jan 2005 12:26:52 +1300
Hi Folks,

Not sure if this should go here or in the developers list???

[russell@hihi snort]$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.0RC2 (Build 9)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc, et al.

Gotta luv that pig!! :)

I've just installed RC2 and I have observed a couple of problems:

1. A few rules are triggering when there does not appear to be any reason. One rule is triggering often, for no apparent reason:

META
--------
SID   CID   TimeStamp            Signature
9     8206  2005-01-05 14:08:18  BLEEDING-EDGE Malware Fun Web Products Agent Traffic
Sig ID: 2001034
Sensor Hostname: hihi.itss    Sensor Interface: eth1

IP
--------
Source Address  Dest Address   Ver  Hdr Len
130.216.112.4   210.55.168.70  4    5
TOS  length  ID     flags  offset  TTL  chksum
0    448     37539  2      0       126  64313
Resolved Source: ngarino.ellis.arth.auckland.ac.nz
Resolved Dest:   www.nbnzi.com

TCP
--------
Source Port  Dest Port  Seq         Ack
2034         80         1389116551  3695382261
Offset  Reserved  Flags  Window  Checksum  Urgent Ptr
5       0         24     63496   55014     0

Options
--------
None

Flags
--------
RB 1  RB 0  URG  ACK  PSH  RST  SYN  FIN
                  X    X

DATA
--------
GET /images/home/logo.gif HTTP/1.1..Accept: */*..Referer: ht
tp://www.nationalbank.co.nz..Accept-Language: en-nz..Accept-
Encoding: gzip, deflate..If-Modified-Since: Sat, 05 Oct 2002
05:31:22 GMT..If-None-Match: "0b16970306cc21:4f5f"..User-Ag
ent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..Hos
t: www.nationalbank.co.nz..Connection: Keep-Alive..Cookie: A
SPSESSIONIDCQATDDCS=NLMHMFBBCICDLCPIINHJDANG....

[russell@hihi snort]$ grep 2001034 Rules/rules/*
Rules/rules/bleeding-malware.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; classtype:policy-violation; reference:url,www.funwebproducts.com; content:"FunWebProducts\;"; nocase; flow:to_server,established; threshold:type limit, track by_src, count 2, seconds 360; sid:2001034; rev:10;)
Rules/rules/sid-msg.map:2001034 || BLEEDING-EDGE Malware Fun Web Products Agent Traffic || url,www.funwebproducts.com

2. Secondly, many of these false alerts also generate tagged packets. I am also seeing tagged packets for other rules which don't have the tag option.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
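As an added check that is not code from the post or from Snort itself, the Python below re-implements only the content/nocase test of sid 2001034 and runs it over the request captured in the alert above; it confirms that the payload does not contain the string "FunWebProducts;" the rule requires, so the alert is not explained by the rule's content match. The function names parse_options, content_bytes and content_matches are this example's own, and the payload bytes are reconstructed from the post's DATA dump (the ".." in the archive is CR LF, as the hex dump showed).

```python
import re
# Constructed from the decoded DATA section of the alert in the post ("..": CR LF).
PAYLOAD = (
    b"GET /images/home/logo.gif HTTP/1.1\r\nAccept: */*\r\n"
    b"Referer: http://www.nationalbank.co.nz\r\nAccept-Language: en-nz\r\n"
    b"Accept-Encoding: gzip, deflate\r\nIf-Modified-Since: Sat, 05 Oct 2002 05:31:22 GMT\r\n"
    b'If-None-Match: "0b16970306cc21:4f5f"\r\n'
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: www.nationalbank.co.nz\r\nConnection: Keep-Alive\r\n"
    b"Cookie: ASPSESSIONIDCQATDDCS=NLMHMFBBCICDLCPIINHJDANG\r\n\r\n")

# The bleeding-malware rule quoted in the post (sid 2001034), verbatim.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE '
        'Malware Fun Web Products Agent Traffic"; classtype:policy-violation; '
        'reference:url,www.funwebproducts.com; content:"FunWebProducts\\;"; nocase; '
        'flow:to_server,established; threshold:type limit, track by_src, count 2, '
        'seconds 360; sid:2001034; rev:10;)')

def parse_options(rule):
    """Split the (...) option body into (keyword, value) pairs; an escaped ';' does not end an option."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = [o.strip().partition(":") for o in re.split(r"(?<!\\);", body) if o.strip()]
    return [(k.strip(), v.strip()) for k, _, v in pairs]

def content_bytes(value):
    """Snort content value -> bytes: drop quotes, remove backslash escapes, expand |hex| runs."""
    out = b""
    for i, chunk in enumerate(re.split(r"(?<!\\)\|", value.strip('"'))):
        if i % 2:                      # odd chunks sit between pipes: hex bytes
            out += bytes.fromhex(chunk)
        else:                          # even chunks are literal text with escapes
            out += re.sub(r"\\([;\"\\|])", r"\1", chunk).encode("latin-1")
    return out

def content_matches(rule, payload):
    """True when every content: option (case-insensitive if followed by nocase) occurs in payload."""
    opts = parse_options(rule)
    for i, (key, value) in enumerate(opts):
        if key != "content":
            continue
        needle = content_bytes(value)
        nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
        hay, needle = (payload.lower(), needle.lower()) if nocase else (payload, needle)
        if needle not in hay:
            return False
    return True

if __name__ == "__main__":
    print("content match on captured request:", content_matches(RULE, PAYLOAD))
```

A False result on a packet the sensor alerted on is the first thing to record when reporting a suspected detection-engine bug, since it rules out the rule text itself as the cause.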