Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Could someone test a rule for me please?

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 2 Jul 2014 17:59:43 +0000
Sorry, following up:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; 
content:"|13|BitTorrent protocol"; depth:20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8;)

Does this work for you?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team


On Jul 2, 2014, at 1:48 PM, Charlie Egan <chas5873 () gmail com> wrote:


Cheers for the reply Nathan,

http://oi57.tinypic.com/invq01.jpg

If you take a look at that image, that's the packet analysis from Wireshark. As you can see it says BitTorrent 
protocol.... .... 

In my rule the content is; content:"BitTorrent protocol|0000 0000|"

Could you explain to me a little bit better why it would give out loads of false positives, as doesn't what I have in 
the content mean it has to detect both BitTorrent Protocol and 0000 0000 in a row? Or will the |0000 0000| just give 
an alert for any instance of null characters regardless of the BitTorrent Protocol being infront of it (I'm guessing 
from the data you've just shown me that it will!)

Could you give me any suggestions on how I could refine the rule so no false positives are given out? How about if 
the content was just "BitTorrentProtocol00000000" ?

Cheers!



On Wed, Jul 2, 2014 at 6:32 PM, lists () packetmail net <lists () packetmail net> wrote:
On 07/02/2014 12:20 PM, Charlie Egan wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent handshake";
flow:to_server,established; content:"BitTorrent protocol|0000 0000|";
classtype:policy-violation; sid:1000006; rev:1;)


This is going to false positive like crazy, it's not unusual to see traffic
egress from TCP with four null characters in the payload and this is the only
anchor/content match in your signature.  It's also TCP and scoped any/any.  This
is going to end up being a "I'm going to map the network" signature :)

$ xxd Firefox_wallpaper.png |grep "0000 0000"
0000070: 2300 0000 0000 0000 00b0 1b4a a9e4 7663  #..........J..vc
00000d0: 0100 0000 0000 0000 a098 ab1b d0ce 3610  ..............6.
0000100: 2000 0300 0000 0000 0000 4015 1894 e7dc   .........@.....
0000130: 0000 0000 0080 0fe7 6c81 2f77 febb 1ad0  ........l./w....
0000160: 0000 0000 0000 0070 695a d74a 3b9a bbe4  .......piZ.J;...
0000190: 0000 0000 0000 00dc 822b 18d3 4ab8 9b60  .........+..J..`
00001b0: 01ee 4ba8 7d1e 39fe 4100 0600 0000 0000  ..K.}.9.A.......
00001e0: 6280 7bb0 66ec d33a e645 0006 0000 0000  b.{.f..:.E......
0000220: 8908 2d1c 0000 0000 0000 004e 85a9 5561  ..-........N..Ua
0000260: 0000 0000 2a21 7a12 0060 1fae 22fe d6a6  ....*!z..`.."...
00002a0: e2fc 46db 0338 9623 da1c 11c0 0000 0000  ..F..8.#........
00002d0: 0318 0000 0000 0000 0076 a7d6 a88f 3172  .........v....1r
0000300: b338 e299 6bcf c114 d000 0000 0000 0000  .8..k...........
0000330: eb20 0003 0000 0000 0000 4096 33c4 9823  . ........@.3..#
0000350: bac0 f029 50bf 0160 2f10 8001 0000 0000  ...)P..`/.......
0000380: 010c 0000 0000 0000 0059 ce36 ce6f 2534  .........Y.6.o%4
00003c0: 7001 f67a 1613 010c 0000 0000 0000 0049  p..z...........I
00003e0: 4c9f 0d00 0022 08c0 0000 0000 0000 00f0  L...."..........
0000410: 0000 0000 005c 0844 6078 1ad4 e76b 8150  .....\.D`x...k.P
0000450: 0300 0000 0000 0000 004f 620b 51b6 340d  .........Ob.Q.4.
0000470: 003e 0fb7 ef27 0218 0000 0000 0000 0020  .>...'.........
00004b0: 0000 0000 8441 2c38 9f90 f1de bd2f dc23  .....A,8...../.#
00004d0: 0500 0000 0000 0000 0b3e 4930 c85d 6b68  .........>I0.]kh
0000520: 7639 f04c 62fd e89a 36cb 14d0 0000 0000  v9.Lb...6.......
0000530: 0000 0000 2b38 dbf0 7987 e93c 437c 8a20  ....+8..y..<C|.
0000560: 1080 0100 0000 0000 00e0 f16c bdc6 9dfb  ...........l....
00005a0: bfe5 9c77 7544 03f8 4410 8001 0000 0000  ...wuD..D.......
00005e0: 0300 0000 0000 00dc 186b 98db d210 7794  .........k....w.
0000630: c000 0000 0000 0000 3765 4ba3 e6d1 06d2  ........7eK.....
0000670: 034f 82be 280d 0230 0000 0000 0000 c00d  .O..(..0........
00006c0: 0000 0000 0000 8fa7 d580 0af5 5c2d ea17  ............\-..
00006e0: 9ecf f044 1081 9728 11a1 4400 0000 0000  ...D...(..D.....
0000740: 1c00 0000 0000 0000 2e0d 8651 7802 c698  ...........Qx...
0000770: a7c0 14d0 0000 0000 0000 0037 e513 0d19  ...........7....
00007a0: 1c15 f97b 1588 0006 0000 0000 0000 b821  ...{...........!
00007d0: 0600 0000 0000 0000 b819 9f60 d0da 626d  ...........`..bm
0000810: 0000 0000 7033 3ed5 8801 cf25 2670 ec29  ....p3>....%&p.)
0000830: b6f5 7cae ee44 b527 08c0 0000 0000 0000  ..|..D.'........
0000870: f2e9 023f 0230 0000 0000 0000 c04d c020  ...?.0.......M.
00008b0: 0835 1a00 0000 0000 00e0 c2dc d930 7ae7  .5...........0z.
0000900: a677 463b 75cf a90f 3f3b 0000 0000 0000  .wF;u...?;......
0000930: 039e 0c53 4003 0000 0000 0000 5c14 0c4f  ...S@.......\..O
0000970: f7fa 8500 0c00 0000 0000 0070 41ee 6e70  ...........pA.np
00009b0: bbef 08c0 0000 0000 0000 0000 1721 6780  .............!g.
00009e0: e018 9ed8 6722 0003 0000 0000 0000 5c8c  ....g"........\.
0000a20: 393c fd5e 2300 0300 0000 0000 005c 88a7  9<.^#........\..
0000a50: 3f10 8001 0000 0000 0000 2ec2 dd45 3ab8  ?............E:.
0000a80: 0000 0000 0070 11ee 6a7c 0a45 99de f55a  .....p..j|.E...Z
0000ac0: 5c47 117d 66a6 0000 0000 0000 00e0 197c  \G.}f..........|
0000ae0: 00f3 e721 5340 0300 0000 0000 00c0 e620  ...!S@.........
0000b00: be06 00f6 c67d e6b9 7d0e 11c0 0000 0000  .....}..}.......
0000b10: 0000 0000 00f0 587c 21d0 358e 22ce 3c17  ......X|!.5.".<.
0000b20: 773a 4c00 0080 4f80 0860 0000 0000 0000  w:L...O..`......
0000b60: 0000 0000 0000 da59 6360 c628 0d00 7be1  .......Yc`.(..{.
0000b80: 3e79 1bfc f254 4a89 d61a 0118 0000 0000  >y...TJ.........
0000b90: 0000 0000 009e 832f f6c6 c45f 0ccf db90  ......./..._....
0000bc0: 0006 0000 0000 0000 8053 a835 fe20 d400  .........S.5. ..
0000be0: e2ef be28 a566 ff10 8001 0000 0000 0000  ...(.f..........
0000c40: 6362 f73d cbfe d3bb 9f1d 0000 0000 0000  cb.=............
0000c80: 24b7 0803 0000 0000 0000 00ec cedd 8d6b  $..............k
0000ce0: 0000 0000 0038 8bbb 1b25 d6e4 ffee d7fc  .....8...%......
0000d50: 6b3d 3ec7 baae 9b39 6d22 0003 0000 0000  k=>....9m"......
0000da0: 0000 0000 0090 00a3 7019 0871 f7a7 660d  ........p..q..f.
0000de0: 2700 0000 0000 0000 37e1 4883 d69d 8d67  '.......7.H....g
0000e90: d8f1 5b73 f53a c114 d000 0000 0000 0000  ..[s.:..........
0000ed0: 2908 c000 0000 0000 0000 3063 6be1 4d15  ).........0ck.M.
0000f30: 0100 0000 0000 0060 1703 f713 8ce6 e335  .......`.......5
0000f80: 0000 0000 0000 f008 72e2 db27 18e8 f7a2  ........r..'....
0000fe0: 0000 0000 00e0 51e0 7dbf 3d67 95e7 9d44  ......Q.}.=g...D
0001020: 33c2 1c0d 0230 0000 0000 0000 3c0e 0cc4  3....0......<...
0001080: 9ffa dc5d 0b02 3000 0000 0000 0000 8cb4  ...]..0.........
00010c0: 6bf2 0000 008f 66db 0579 0000 0000 0000  k.....f..y......
0001130: 8d08 6000 0000 0000 00b8 3577 31c0 ef4d  ..`.......5w1..M
0001170: f901 eb41 0006 0000 0000 0080 db92 9b36  ...A...........6
00011d0: f567 c11a b69b 3f03 0000 0000 0000 e040  .g....?........@
0001280: 5ce2 e609 2000 0300 0000 0000 c0ed c018  \... ...........
00012d0: 0000 0000 0070 2b10 61ea d9a2 cc6a 22b7  .....p+.a....j".
0001310: cec6 f683 bc43 6c0b 0230 0000 0000 0000  .....Cl..0......
0001360: 457a 0000 0000 0000 000e 07e3 6c1d f9f2  Ez..........l...
0001400: 0000 0000 2ec7 d9c6 7648 1b6c 42c6 93ac  ........vH.lB...
0001440: 7f46 0100 403d 08c0 0000 0000 0000 7029  .F..@=........p)
0001490: ed08 c000 0000 0000 00b0 3bb1 481b 8cee  ..........;.H...
00014d0: 0d21 0003 0000 0000 00c0 ae84 0c9f 8845  .!.............E
0001530: 0000 0000 6037 4291 a29f ca5d afbf d400  ....`7B....]....
0001570: 6a40 0006 0000 0000 0080 4b80 51eb 5c72  j@........K.Q.\r
00015e0: 5c71 3c08 9f05 0230 0000 0000 0000 ec4e  \q<....0.......N
0001630: 0000 0000 0000 a8e6 69c6 8f9c b1d8 ffdc  ........i.......
00016d0: 6000 0000 0000 0080 007e 84c5 550c ac47  `........~..U..G
0001720: 6a20 0003 0000 0000 0000 4488 191b d64c  j ........D....L
0001790: 5541 0006 0000 0000 0080 d53c c900 1423  UA.........<...#
00017f0: b34c 4ad2 be5a 799c 0d02 3000 0000 0000  .LJ..Zy...0.....
0001860: 0000 0000 0028 02d1 77c9 55a2 0caf 920f  .....(..w.U.....
00018b0: 472d 08c0 0000 0000 0000 2022 cf32 806d  G-........ ".2.m
0001900: 0000 0000 0000 9a79 f2cb b96f d0b8 d29a  .......y...o....
0001970: eab8 8e54 0000 0000 0000 f060 7851 2e27  ...T.......`xQ.'
0001a60: 4400 0300 0000 0000 009c 4c89 7165 8d01  D.........L.qe..
0001bc0: 6000 0000 0000 809b 80d1 be9e 2dcb ac36  `...........-..6
0001c50: 7f67 ee5e 778f 0001 1800 0000 0000 001e  .g.^w...........
0001cc0: 0000 0000 3e84 7404 47ce 4053 1341 516a  ....>.t.G. () S AQj
0001d70: 1080 0100 0000 0000 e071 8423 6872 c7ec  .........q.#hr..
0001de0: 0000 0000 0000 6035 9f6e c0aa a524 0ab7  ......`5.n...$..
0001ed0: 0edf a9ec ae00 11c0 0000 0000 0000 7049  ..............pI
0001f60: 0000 0000 0000 2e41 5e8c f48d 08b5 c6e1  .......A^.......
0002040: 0049 4441 5484 eb7a 3a08 c000 0000 0000  .IDAT..z:.......
00020e0: 85f2 7fe7 eb79 1a08 c000 0000 0000 008d  .....y..........
0002180: 0000 0000 8006 78e9 dd8e 54b4 d31d 88e5  ......x...T.....
0002210: 3358 dcf1 9a9e 0402 3000 0000 0000 c04a  3X......0......J
00022d0: 0000 0000 0000 7662 661c 3931 42c7 9f76  ......vbf.91B..v
0002470: 84ca 446b 7d48 7ff0 5488 0006 0000 0000  ..Dk}H..T.......
0002530: 0600 0000 0000 5809 c2cf 9c54 596c 514e  ......X....TYlQN
00025f0: e11d 7b1b 1080 0100 0000 0000 1af8 2411  ..{...........$.
00026a0: 0000 0000 8dac 9d7a ee0e ccaf a96c 0dc1  .......z.....l..
0002740: 9faf 0602 3000 0000 0000 0004 d9ea 05fc  ....0...........
00027e0: ef08 ed20 0003 0000 0000 00c0 e65c d3a6  ... .........\..
00028b0: 6fe5 c080 f8bb 0d08 c000 0000 0000 00b0  o...............
0002950: 4391 c000 6b51 b2f9 32dd 0000 0000 0000  C...kQ..2.......
0002a50: be9f 6627 380a 2280 0100 0000 0000 76e2  ..f'8.".......v.
0002b00: 0501 1800 0000 0000 6023 422f f621 43c0  ........`#B/.!C.
0002be0: 377c fedc 0904 6000 0000 0000 808d c909  7|....`.........
0002ca0: 481b 08c0 0000 0000 0000 1b53 14cd 73c1  H..........S..s.
0002e00: 3000 0000 0000 c087 7235 2370 3e3f eb0c  0.......r5#p>?..
0002fc0: 8c57 701e f67d 0c00 0000 0000 0076 622b  .Wp..}.......vb+
0003200: 4c01 0d00 0000 0000 b031 4719 760f b61f  L........1G.v...
00032f0: bc9e ab81 000c 0000 0000 00b0 11b9 69e1  ..............i.
00033d0: 1800 0000 0000 a090 ab88 5c17 c946 137b  ..........\..F.{
0003790: 5fc6 d61f 0711 c000 0000 0000 f058 ae62  _............X.b
00039d0: f42b fffc b832 8c37 db40 0006 0000 0000  .+...2.7.@......
0003b20: dfcf 1081 d783 000c 0000 0000 008f e1ea  ................
0003c20: 92b4 1081 eb41 0006 0000 0000 80c3 b89a  .....A..........
0003d50: 7605 1080 0100 0000 0000 0ea2 54f8 f58f  v...........T...
0003e50: e866 8883 000c 0000 0000 009b 71b6 b1f1  .f..........q...
0003f80: d112 079f 507e a10c 0460 0000 0000 0078  ....P~...`.....x
00040e0: 0000 0000 0090 a7fd 25cc be9c dbf4 c694  ........%.......
00042b0: 010c 0000 0000 0050 404e fc4d fd7d 47d6  .......P@N.M.}G.
0004410: 0e08 c000 0000 0000 3072 bce1 3476 3e6b  ........0r..4v>k
0004570: 0000 0000 6067 f616 2a73 d47a 6f97 443b  ....`g..*s.zo.D;
0004810: 9cf2 8800 0000 0000 803d b8be 81d3 1a53  .........=.....S
0004980: 0000 0000 7023 9e62 c0bc 8b41 768b fcad  ....p#.b...Av...
0004ac0: 9c3f e4cd 144c 010d 0000 0000 00b0 2357  .?...L........#W
0004e80: aeff 74f8 6c10 8001 0000 0000 3e9c 638d  ..t.l.......>.c.
0005140: d35d 9e5d 7b82 000c 0000 0000 0027 501a  .].]{........'P.
00052e0: d683 000c 0000 0000 7002 bef7 ec19 dcf1  ........p.......
0005430: f2fa bd57 34f0 5ee9 3e01 0460 0000 0000  ...W4.^.>..`....
00055e0: 8001 0000 0000 4ee2 3323 7fdd 2946 3be7  ......N.3#..)F;.
00057b0: 78e6 1e8b 5bdf 0000 0000 0060 678e 3498  x...[......`g.4.
0005c00: a7ff de86 008c 000c 0000 0000 b01b 6709  ..............g.
0005da0: 8535 8001 0000 0000 36e4 2a06 d7b3 0cc1  .5......6.*.....
0006150: 4004 9e40 0006 0000 0000 d890 235e b66a  @..@........#^.j
00062f0: d7de ad75 08fe 1494 6c5b 0700 0000 0000  ...u....l[......
00064d0: 7e84 1c18 eee8 54b4 2544 0003 0000 0000  ~.....T.%D......
00066a0: 5d62 03f8 64fc f73f 0000 0000 00d8 18df  ]b..d..?........
0006b60: e7b9 200c d701 0118 0000 0000 e0e2 3cc9  .. ...........<.

Cheers,
Nathan


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: