Snort mailing list archives
Re: Can't suppress Tagged Packet
From: Rob Ward <rob.ward () liverpool ac uk>
Date: Fri, 26 May 2006 15:08:56 +0100
--On 26 May 2006 09:40 -0400 Joel Esler <joel.esler () sourcefire com> wrote:
Suppose you can copy and paste (take out the IP's) the alert you are getting? Joel
Strange - these aren't appearing in my sensors' alert files, only the database, and seem to be related to the following alerts triggered by a Bleeding Snort rule, which DO appear in the alert file:
[**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port [**]
[Classification: A Network Trojan was detected] [Priority: 1]
05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800 len:0x6A
X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172 IpLen:20 DgmLen:92 DF
***AP*** Seq: 0x1EA9AEA7  Ack: 0x769ADDBF  Win: 0xFC00  TcpLen: 20
On investigation the majority of these are false positives but some can be linked to Botnets.
The corresponding Tagged Packet alert that's in the database is:
Generated by BASE v1.2.2 (cindy) on Fri, 26 May 2006 15:06:19 +0100
------------------------------------------------------------------------------
# (6 - 221802) [2006-05-26 14:54:24] [snort/1] Tagged Packet
IPv4: X.X.X.X -> 85.158.9.6
      hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
TCP:  port=2353 -> dport: 8000  flags=***AP*** seq=514436775
      ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
Payload:  length = 52
000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65   PRIVMSG #uk_live
010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A   rpool_cruising :
020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F   ANY1 WANNA CHAT?
030 : 3F 3F 0D 0A                                       ??..
Thanks
Rob Ward
Network Northwest Support
University of Liverpool, Computing Services Department
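Added example, not part of the thread or of Snort/BASE: a short Python script that does the correlation described in this post, matching a BASE "Tagged Packet" record to the rule alert that started the tagging session and decoding BASE's hex payload dump. The alert text and BASE record are constructed from the values shown above, with the masked X.X.X.X source address replaced by a constructed 10.0.0.5.

```python
import re

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\].*?"                       # [gid:sid:rev] header
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) TCP"
    r".*?\bID:(?P<ipid>\d+)", re.S)

# Constructed alert-file entry in the post's layout; the masked X.X.X.X source
# is replaced by a constructed 10.0.0.5.
ALERT_TEXT = (
    "[**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port [**]\n"
    "05/26-14:54:24.064891 10.0.0.5:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172 IpLen:20 DgmLen:92 DF\n"
)
# Constructed BASE record for the tagged packet, fields as shown in the post.
TAGGED_RECORDS = [{
    "src": "10.0.0.5", "sport": 2353, "dst": "85.158.9.6", "dport": 8000, "ipid": 8172,
    "dump": ["000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65 PRIVMSG #uk_live",
             "010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A rpool_cruising :",
             "020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F ANY1 WANNA CHAT?",
             "030 : 3F 3F 0D 0A ??.."],
}]

def parse_alert(text):
    """Pull SID, TCP 4-tuple and IP ID out of a Snort alert-file entry."""
    m = ALERT_RE.search(text)
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}

def parse_base_payload(dump_lines):
    """Rebuild bytes from BASE's 'OFF : HH HH ... ascii' rows. A full row has
    exactly 16 data tokens; on a short row the first non-hex token starts the
    ASCII column (assumes that column never begins with a bare hex pair)."""
    out = bytearray()
    for line in dump_lines:
        for tok in line.split(":", 1)[1].split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def correlate(alert, records):
    """Tagged records on the alert's TCP session, either direction (tagging logs
    both). A record whose IP ID equals the alert's is the triggering packet
    itself, written a second time by the tag, not a new event."""
    flow = {(alert["src"], alert["sport"], alert["dst"], alert["dport"]),
            (alert["dst"], alert["dport"], alert["src"], alert["sport"])}
    return [{"same_packet": r["ipid"] == alert["ipid"],
             "payload": parse_base_payload(r["dump"])}
            for r in records if (r["src"], r["sport"], r["dst"], r["dport"]) in flow]
```

Records that match the flow but carry a different IP ID are the follow-on packets of the same session, which is what makes the database fill up faster than the alert file.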