Snort mailing list archives
Re: What wins? TCP headers or packet contents?
From: Chris Green <cmg () sourcefire com>
Date: Thu, 12 Sep 2002 20:31:27 -0400
John Sage <jsage () finchhaven com> writes:
Let me bring the question up to the top:

So the question for the snort list is:

What wins:

TCP header stuff: i.e. the destination port,

or,

Packet contents stuff: i.e. a hex series within the payload of a packet, but with no match on destination port?

<snip>

Executive summary: Twice (once real-time, once on replay against a binary log file) I have packets matching an rpc.rules by content (a hex sequence) but not by the destination port stated in the rule.
Let's chop up this mail a bit. There's no notion of what wins because it's a logical AND of the portions in the rule header and in the rule options list. The rule reads: "Check TCP traffic from $EXTERNAL_NET with any source port to $HOME_NET port 32770 or above and look for Foo flags with a content of 00 00 00 00 00 00 00 02 00 01 86 A1 starting 5 bytes into the packet"
rpc.rules:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)

<snip>
The alert & packet:
    [**] [1:1278:3] RPC rstatd query [**]
    [Classification: Attempted Information Leak] [Priority: 2]
    09/08/02-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
    TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
    ***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 1557233190 427655814
    [Xref => http://www.whitehats.com/info/IDS9]

<snip>

which is this packet, by timestamp, and which I am certain is a portion of a gzipped file:

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    09/08-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
    TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
    ***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 1557233190 427655814
    0x0000: 45 00 05 DC FA ED 40 00 31 06 4A BA 3F 64 2F 2D  E.....@.1.J.?d/-
    0x0010: 0C 52 83 91 00 50 F8 0A E9 A9 91 72 E9 92 6F EA  .R...P.....r..o.
    0x0020: 80 10 19 20 DD C3 00 00 01 01 08 0A 5C D1 7E 26  ... ........\.~&
    0x0030: 19 7D 82 86 5F 46 36 63 49 66 61 57 3A 68 32 61  .}.._F6cIfaW:h2a
    0x0040: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 41 36  F|c7mHcIf2_.i@A6
    0x0050: 75 3A 49 68 5F 46 36 63 49 66 61 57 3A 68 32 61  u:Ih_F6cIfaW:h2a
    0x0060: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 48 7D  F|c7mHcIf2_.i@H}
    0x0070: 38 6A 79 38 59 6A 56 28 2E 42 7A 75 3A 3A 64 6D  8jy8YjV(.Bzu::dm
    0x0080: 49 68 64 3B 20 57 53 53 5F 47 57 3D 56 31 41 6C  Ihd; WSS_GW=V1Al
    0x0090: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
    0x00A0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
    0x00B0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
    0x00C0: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
    0x00D0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
    0x00E0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
    0x00F0: 51 41 6C 51 7A 25 72 42 51 25 5E 25 72 40 69 3B  QAlQz%rBQ%^%r@i;
    0x0100: 20 43 54 47 3D 31 30 32 35 31 39 31 39 31 39 0D   CTG=1025191919.
    0x0110: 0A 0D 47 3D 1B 3D 58 0D 02 00 9A 05 00 00 9A 05  ..G=.=X.........
    0x0120: 00 00 00 00 0C 04 B2 33 00 03 E3 D9 26 C0 08 00  .......3....&...
    0x0130: 45 00 05 8C EB 04 40 00 73 06 FC 52 CC 11 72 09  E.....@.s..R..r.
    0x0140: 2E 05 B4 FA 00 50 F9 C1 B3 D2 78 9D 00 01 65 80  .....P....x...e.
    0x0150: 50 10 40 B0 46 75 00 00 86 A2 00 00 00 02 00 00  P.@.Fu..........
    0x0160: 00 00 00 00 00 01 00 00 00 96 00 00 00 00 00 00  ................
    0x0170: 00 96 00 00 00 40 00 00 00 00 00 00 00 00 00 00  .....@..........
    0x0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0x0190: 00 00 00 00 00 00 00 00 00 00 02 00 01 86 A1 00  ................
                     ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
This was at least 5 bytes into the stream :)
<snip> The offset seems different, but only because we have IP and TCP headers, above.
--
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it. -- Groucho Marx
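Chris's point that the rule header and the rule options are ANDed, as an added example that is not code from the thread or from Snort: a toy evaluator that parses the rstatd rule's port spec and options and runs it against a constructed packet mirroring the one above (80 -> 63498, ACK set, the 12-byte sequence 351 bytes into the payload). Destination port 63498 falls inside "32770:", which is why the alert fired; the same bytes sent to a port below 32770 would not alert. Only the "+" flag modifier is modelled, and addresses are assumed to match.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:                       # constructed stand-in for a decoded TCP segment
    proto: str
    src_port: int
    dst_port: int
    flags: str                      # TCP flag letters, e.g. "A" or "PA"
    payload: bytes

def parse_ports(spec):
    """Snort port spec -> inclusive (lo, hi): any, 80, 32770:, :1024, 1:1024."""
    if spec == "any":
        return 0, 65535
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo or 0), int(hi or 65535)
    return int(spec), int(spec)

def parse_content(text):
    """Snort content value -> bytes; |..| sections are hex, the rest is literal."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(text.split("|")))

def parse_rule(rule):
    header, opts = rule.split("(", 1)
    _action, proto, _src, sport, _dir, _dst, dport = header.split()
    o = dict(re.findall(r'(\w+):\s*"?([^";]*)"?\s*;', opts))
    return {"proto": proto, "sport": parse_ports(sport), "dport": parse_ports(dport),
            "flags": o.get("flags", ""), "content": parse_content(o["content"]),
            "offset": int(o.get("offset", 0))}

def header_matches(pkt, r):         # protocol and ports; addresses assumed to match
    return (pkt.proto == r["proto"]
            and r["sport"][0] <= pkt.src_port <= r["sport"][1]
            and r["dport"][0] <= pkt.dst_port <= r["dport"][1])

def options_match(pkt, r):          # flags:A+ means ACK plus anything (only "+" modelled)
    want = set(r["flags"].rstrip("+"))
    if r["flags"] and not (want <= set(pkt.flags) if r["flags"].endswith("+") else want == set(pkt.flags)):
        return False
    return pkt.payload.find(r["content"], r["offset"]) != -1   # content searched from offset

def rule_fires(pkt, r):             # header AND options: neither side "wins"
    return header_matches(pkt, r) and options_match(pkt, r)

RSTATD = parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; '
                    'flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; sid:1278; rev:3;)')
# constructed: the web reply from the thread, 80 -> 63498, sequence 351 bytes in (0x0193 - 0x0034 in the dump)
WEB_REPLY = Packet("tcp", 80, 63498, "A", b"A" * 351 + RSTATD["content"] + b"\x00")
LOW_PORT = Packet("tcp", 80, 1025, "A", WEB_REPLY.payload)    # same bytes, destination port below 32770
```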