Snort mailing list archives

Re: Can't suppress Tagged Packet


From: Rob Ward <rob.ward () liverpool ac uk>
Date: Fri, 26 May 2006 15:08:56 +0100

--On 26 May 2006 09:40 -0400 Joel Esler <joel.esler () sourcefire com> wrote:

> Suppose you can copy and paste (take out the IP's) the alert you are
> getting?
>
> Joel

Strange, these aren't appearing in my sensor's alert files, only in the database, and they seem to be related to the following alerts triggered by a Bleeding Snort rule, which DO appear in the alert file:

[**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on
non-std port [**] [Classification: A Network Trojan was detected]
[Priority: 1]
05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800 len:0x6A
X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172
IpLen:20 DgmLen:92 DF ***AP*** Seq: 0x1EA9AEA7  Ack: 0x769ADDBF  Win:
0xFC00  TcpLen: 20

On investigation the majority of these are false positives but some can be linked to Botnets.

The corresponding Tagged Packet alert that's in the database is:

Generated by BASE v1.2.2 (cindy) on Fri, 26 May 2006 15:06:19 +0100

------------------------------------------------------------------------------
# (6 - 221802) [2006-05-26 14:54:24] [snort/1]  Tagged Packet
IPv4: X.X.X.X -> 85.158.9.6
      hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
TCP:  port=2353 -> dport: 8000  flags=***AP*** seq=514436775
      ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
Payload:  length = 52

000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65   PRIVMSG #uk_live
010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A   rpool_cruising :
020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F   ANY1 WANNA CHAT?
030 : 3F 3F 0D 0A                                       ??..

Thanks

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department
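As an added example (not code from the thread or from Snort/BASE): a small Python script that parses the Snort alert and the BASE Tagged Packet record quoted above, normalises the hex (Snort) and decimal (BASE) field formats, checks that both describe the same TCP segment, and rebuilds the payload from BASE's hex dump so the tagged packet can be tied back to the rule that triggered the tagging. The regexes are assumptions about the two text formats as quoted; the records are copied from the message with the masked source IP left as X.X.X.X.

```python
import re
# Both records are copied from the thread (the source IP is masked there as X.X.X.X).
SNORT_ALERT = """[**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port [**]
05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800 len:0x6A
X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172
IpLen:20 DgmLen:92 DF ***AP*** Seq: 0x1EA9AEA7  Ack: 0x769ADDBF  Win: 0xFC00  TcpLen: 20
"""
BASE_EVENT = """# (6 - 221802) [2006-05-26 14:54:24] [snort/1]  Tagged Packet
IPv4: X.X.X.X -> 85.158.9.6
      hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
TCP:  port=2353 -> dport: 8000  flags=***AP*** seq=514436775
      ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
Payload:  length = 52
000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65   PRIVMSG #uk_live
010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A   rpool_cruising :
020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F   ANY1 WANNA CHAT?
030 : 3F 3F 0D 0A                                       ??..
"""

def parse_snort_alert(text):
    """Extract the TCP 5-tuple, IP ID and seq/ack from a Snort full-format alert."""
    hdr = re.search(r"^(\S+):(\d+) -> (\S+):(\d+) TCP .*?ID:(\d+)", text, re.M)
    seq = re.search(r"Seq: 0x([0-9A-Fa-f]+)", text).group(1)
    ack = re.search(r"Ack: 0x([0-9A-Fa-f]+)", text).group(1)
    return {"src": hdr.group(1), "sport": int(hdr.group(2)), "dst": hdr.group(3),
            "dport": int(hdr.group(4)), "ip_id": int(hdr.group(5)),
            "seq": int(seq, 16), "ack": int(ack, 16)}   # Snort prints seq/ack in hex

def parse_base_event(text):
    """Extract the same fields from a BASE event record; BASE prints them in decimal."""
    ips = re.search(r"^IPv4: (\S+) -> (\S+)", text, re.M)
    ports = re.search(r"port=(\d+) -> dport: (\d+)", text)
    num = lambda key: int(re.search(r"\b%s=(\d+)" % key, text).group(1))
    return {"src": ips.group(1), "sport": int(ports.group(1)), "dst": ips.group(2),
            "dport": int(ports.group(2)), "ip_id": num("ID"),
            "seq": num("seq"), "ack": num("ack")}

def base_payload(text):
    """Rebuild the payload bytes from BASE's hex dump lines ('000 : 50 52 ...')."""
    hexpairs = re.findall(r"^[0-9A-F]{3} : ((?:[0-9A-F]{2} )+)", text, re.M)
    return bytes.fromhex("".join(hexpairs).replace(" ", ""))

def same_segment(alert, event):
    """True when the alert and the Tagged Packet record describe one TCP segment."""
    keys = ("src", "sport", "dst", "dport", "ip_id", "seq", "ack")
    return all(alert[k] == event[k] for k in keys)

if __name__ == "__main__":
    a, e = parse_snort_alert(SNORT_ALERT), parse_base_event(BASE_EVENT)
    print(same_segment(a, e), base_payload(BASE_EVENT))
```

Run as-is it prints True followed by the 52-byte PRIVMSG payload, confirming the Tagged Packet row belongs to the IRC alert rather than to an unrelated session.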
