Snort mailing list archives

Re: Fwd: Snort catching backup as alert?


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 19 Aug 2013 13:51:06 -0400

On 8/19/2013 11:32, William Rehnquyst wrote:
> The other day my Snort alerted that it had detected shellcode, and the payload
> information looks just like a snort rule. It seems to be going from my snort
> server to the backup server. Does that just mean while backup is happening,
> Snort is detecting shellcode it's looking for in the rule file itself?

probably... but it also means that everything else in the rule has to match the 
traffic, too...

> I would think if that's the case then every single rule in the rule file would
> be triggered, because everything it's looking for is in there and it's being
> transmitted. Were these shellcode detections just a fluke then?

simple rules may catch this whereas those using pcre may or may not depending on 
the rules' possible content matches it is looking for...

i'm going to trim the following a bit so as to make it easier to follow and to 
also give only the SID which is really all that's needed... if the GID is not 1, 
then it is also needed but in this case, all of your rules are GID:1 (textual 
rules)...

> Below is the payload it captured, which triggered the alert:
>
> 1.
> sid:17340; rev:3;)

is looking on any port for a simple content only match... yes, this one is 
likely firing because of seeing that exact string... i note also that the rule 
is looking for traffic from $EXTERNAL_NET to $HOME_NET and that brings up a few 
questions:

  1. is your backup server external to your network?
  2. is this detection happening when your backup server is sending
     the traffic to a machine in your home net during a restore?

> sid:17341; rev:2;)

this rule has three content matches but they are hex coded so not straight 
strings in the content matches... no idea if this rule is triggering on seeing 
itself...

> sid:17342; rev:2;)

this one is similar to 17341 in that its match is hex coded content...

> sid:17343; rev:2;)

the same with this one...

> alert ip $EXTERNAL_NET any ->  $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic xor

the SID was left out on this one so i don't know what rule it is...

> ps. On a side note, pardon my newbie-ness, how do screenshots and
> attachments work on a mailing list like this? I'm not sure whether
> they work or not because I never see them in the archive on seclists.org?

it is best to just copy'n'paste the information into a post rather than trying 
to do screenshots... mainly because graphics are larger than the data you are 
trying to show... as for them not appearing on seclists, that may be because 
seclists doesn't allow them and so strips them out...

as a general rule, each mailing list is different... some do not allow 
attachments at all... others allow any attachments up to a certain size... then 
some restrict the type of attachments and may also apply size restrictions to 
them... these details should be available in the rules for the list which 
everyone should read before joining the list... as for other systems that import 
the list and make it available in another format, they have their own rules... 
as long as posts made on them that get transferred back to the list conform with 
the list's rules, there are no problems...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!