Snort mailing list archives

Re: Signature Lookup Confusion


From: Josh Bitto <jbitto () onlineschool ca>
Date: Tue, 7 May 2013 11:51:05 -0700

I think my hang-up on this is the way that I have it set up....

pfSense/with Snort -> to syslog server/with OSSEC monitoring logs. I think what it is doing is reading the log content and 
seeing Trojan and then alerting based on it.


So that's why I'm needing a reference guide for each rule/preprocessor...etc...so that I can look it up and say....oh 
this is ok or no I have a problem.




-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Tuesday, May 07, 2013 11:22 AM
To: Jeremy Hoel
Cc: Josh Bitto; snort-users () lists sourceforge net; waldo kitty
Subject: Re: [Snort-users] Signature Lookup Confusion

This was a User-Agent seen from the Gozi Trojan IIRC.  Probably 3 years old or so now, not sure how much use it is to 
identify Gozi anymore.  Although...


On May 7, 2013, at 2:18 PM, Jeremy Hoel <jthoel () gmail com> wrote:

Don't panic!  Grab your towel and it will all be ok.

Anything with a SID of 1 will have a normal rule file.. so if you use 
the default pulledpork and have all your rules in one file, then grep 
snort.rules for 2010645 and you'll see

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY 
User-Agent (Launcher)"; flow: to_server,established; 
content:"Launcher"; http_header; nocase; 
pcre:"/User-Agent\x3a[^\n]+Launcher/iH";
reference:url,doc.emergingthreats.net/2010645;
classtype:trojan-activity; sid:2010645; rev:9;)


Do you have the packet data for the tripped alert?    Is the Launcher
part of the user agent or maybe in a cookie or a referer?  That kind of 
stuff really helps figure out if it's a FP or not.


Also, since this is an ET rule, I don't think it would work on the 
snort rule search.



On Tue, May 7, 2013 at 6:02 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
Thanks everyone! Yes it does help....No I haven't been able to go get 
my pop yet.....I'm kinda panicking at the moment about this

2013-05-07T10:38:26-07:00 firewall snort[62223]: [1:2010645:9] ET 
POLICY User-Agent (Launcher) [Classification: A Network Trojan was 
Detected] [Priority: 1] {TCP}

I've tried to do a search to find the definition of it and see why this fired. I don't want to block something that 
might be a false positive. Although the above has no hint of being a false positive I want to act on this quickly.

So I went here...
http://www.snort.org/search/

put in the 2010645...nothing came up.....put in the 1....nothing came up. That's my hang up right now is doing a 
search for reference of what a sid/gid happens....I want to be able to search it up and see by definition what is 
going on.



-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Tuesday, May 07, 2013 10:52 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Signature Lookup Confusion

On 5/7/2013 13:24, Josh Bitto wrote:
I'm having a bit of a problem fully grasping how to search up rules 
that have been fired.....

2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1]
(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification:
Unknown Traffic]
[Priority: 3] {TCP} 209.97.200.53:32459 ->  216.178.47.38:80


Ok so what I understand from the log is that rule 120 fired. Either 
I need

no sir... rule identifiers are in GID:SID:rev format... only the GID:SID are really necessary...

the above says Generator 120 fired its rule with SID 8...

Generator 120 is http_inspect...

its rule SID 8 is "INVALID CONTENT-LENGTH OR CHUNK SIZE"...

these are not "normal" rules like the *.rules files you download... these rules are built into the processor...

some caffeine or it's a horrible Tuesday for me to comprehend this, 
but I'm just not getting it. The instructions on how to search for 
the group id and the sid for some reason are not sticking. Can 
someone dumb this down for me....I'm gonna run out and get a pop and 
hopefully come back to someone who has awesomely helped me out.

does the above help?

Basically I want to be able to search for explanations on whatever 
event happens so I can determine if I need to take action or not.

this is where you might need to break out a pcap viewing tool like wireshark so you can look at the content of the 
network traffic that triggered the rule...
snort should have saved a pcap for you and this particular entry will likely be inside a large pcap containing other 
saved traffic from other alerts... you use the timestamp to determine the proper packet to look at and then work it 
from there...


FWIW: I've someone who is a client on a large Canadian cable network and they are getting hit by tons of these... we 
haven't yet determined why, though...

--
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.

---------------------------------------------------------------------
--------- Learn Graph Databases - Download FREE O'Reilly Book "Graph 
Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by 
three acclaimed leaders in the field. The early access version is available now.

Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




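A worked example, added here and not part of any message in the thread: a small Python script that does what waldo and Jeremy describe by hand. It parses the two alert lines quoted above into GID:SID:rev plus the remaining fields, tells preprocessor events (any GID other than 1, built into the preprocessor and absent from the *.rules files) apart from text rules (GID 1), and performs the "grep snort.rules for 2010645" lookup programmatically, pulling the reference: options out of the matching rule so the analyst knows where to read up on it. The single-line versions of the log entries and the snort.rules snippet are constructed from what was pasted in the thread; the generator table covers only the two generators the thread mentions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Generators the thread mentions (partial table, constructed for this example).
# GID 1 is the text-rule engine (*.rules files); any other GID is a preprocessor
# or decoder whose events are built in and will not be found in a rules file.
GENERATORS = {
    1: "snort rules (*.rules files)",
    120: "http_inspect preprocessor",
}

# Snort syslog alert shape, as seen in the thread:
#   [gid:sid:rev] msg [Classification: text] [Priority: n] {PROTO} src:port -> dst:port
# The address block is optional: the second alert in the thread was pasted without it.
# Addresses are matched as IPv4 only, which is all the thread shows.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s*"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s*"
    r"\[Priority:\s*(?P<priority>\d+)\]\s*"
    r"\{(?P<proto>[A-Z]+)\}"
    r"(?:\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?)?"
    r"\s*$"
)


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    @property
    def is_text_rule(self) -> bool:
        """True when the alert came from a *.rules file rule (GID 1), not a preprocessor."""
        return self.gid == 1


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one syslog line written by Snort; returns None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return SnortAlert(
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"],
        priority=int(g["priority"]), proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def find_rule(rules_text: str, sid: int) -> Optional[str]:
    """Programmatic 'grep snort.rules for <sid>': match the sid option itself, not the bare
    digits, so sid 8 does not hit sid:2010645 or a number inside a reference URL."""
    pat = re.compile(r"\bsid\s*:\s*%d\s*;" % sid)
    for line in rules_text.splitlines():
        if line.strip().startswith("#") or pat.search(line) is None:
            continue
        return line.strip()
    return None


def rule_references(rule: str) -> List[Tuple[str, str]]:
    """Extract (kind, value) pairs from a rule's reference: options, e.g. ('url', 'doc....')."""
    return re.findall(r"reference\s*:\s*([^,;]+?)\s*,\s*([^;]+?)\s*;", rule)


def explain(alert: SnortAlert, rules_text: str) -> dict:
    """Point the analyst at the right place to look the alert up."""
    if alert.is_text_rule:
        rule = find_rule(rules_text, alert.sid)
        return {"kind": "rule", "rule": rule,
                "references": rule_references(rule) if rule else []}
    return {"kind": "preprocessor",
            "generator": GENERATORS.get(alert.gid, "unknown generator %d" % alert.gid),
            "rule": None, "references": []}


# Constructed single-line versions of the two alerts quoted in the thread.
SAMPLE_LOG = [
    "2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 209.97.200.53:32459 -> 216.178.47.38:80",
    "2013-05-07T10:38:26-07:00 firewall snort[62223]: [1:2010645:9] ET POLICY User-Agent (Launcher) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP}",
]

# Constructed snippet of a pulledpork-merged snort.rules holding the rule Jeremy quoted.
SAMPLE_RULES = r'''
# ET rules are not in the snort.org rule search; look them up locally or at doc.emergingthreats.net
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent (Launcher)"; flow:to_server,established; content:"Launcher"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Launcher/iH"; reference:url,doc.emergingthreats.net/2010645; classtype:trojan-activity; sid:2010645; rev:9;)
'''

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        alert = parse_alert(line)
        print("[%d:%d:%d] %s" % (alert.gid, alert.sid, alert.rev, alert.msg))
        print("   ", explain(alert, SAMPLE_RULES))
```

Run it as-is and the http_inspect event comes back as a preprocessor hit with nothing to grep for, while the ET alert resolves to the rule text and its doc.emergingthreats.net reference. Feeding it the real snort.rules instead of SAMPLE_RULES is just a matter of reading the file into rules_text; as the thread notes, the packet data (pcap) is still what decides whether the hit is a false positive.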

